[Fedora-packaging] RFC mass bug reporting: checksec failures
Steve Grubb
sgrubb at redhat.com
Thu Sep 17 10:34:14 UTC 2015
On Thu, 17 Sep 2015 11:07:37 +0300
Alexander Todorov <atodorov at redhat.com> wrote:
> Can somebody comment on the -fstack-protector-all vs
> -fstack-protector-strong issue ? Do we want to change the default for
> %__global_cflags in /usr/lib/rpm/redhat/macros ?
-all is not needed, -strong is the right balance between security and
performance. For example
int add(int a, int b)
{
return a+b;
}
Does that need a stack canary? This is the nature of why some functions
don't get a canary. Whenever knowledge of a stack frame is passed as a
pointer to a function, then -strong will kick in and do a stack check
on return.
To know if the right thing is being done is hard to script. You really
need to see what flags are passed to each source file being compiled.
You just can't get at that from readelf.
-Steve
More information about the devel
mailing list