[Fedora-packaging] RFC mass bug reporting: checksec failures
Alexander Todorov
atodorov at redhat.com
Thu Sep 17 10:53:38 UTC 2015
On 17.09.2015 at 13:34, Steve Grubb wrote:
> On Thu, 17 Sep 2015 11:07:37 +0300
> Alexander Todorov <atodorov at redhat.com> wrote:
>
>> Can somebody comment on the -fstack-protector-all vs
>> -fstack-protector-strong issue? Do we want to change the default for
>> %__global_cflags in /usr/lib/rpm/redhat/macros?
>
> -all is not needed, -strong is the right balance between security and
> performance. For example
>
> int add(int a, int b)
> {
>     return a+b;
> }
>
> Does that need a stack canary? This is the nature of why some functions
> don't get a canary. Whenever knowledge of a stack frame is passed as a
> pointer to a function, then -strong will kick in and do a stack check
> on return.
>
Hi Steve,
thanks for the explanation.
So it looks like I should ignore stack canary warnings (assuming the package is
using the default flags). Should this be ignored for both libraries and
executable binaries, or only for libraries? Or is the answer, once again, that you
can't tell that easily?
> To know if the right thing is being done is hard to script. You really
> need to see what flags are passed to each source file being compiled.
> You just can't get at that from readelf.
>
Is it realistic to request an RFE with this information stored in the compiled
object and then read by readelf? If so, I can file bugs in
bugzilla.redhat.com or upstream.
--
Alex
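Steve's description of when -strong adds a canary, and the question of what a checksec-style scan can and cannot see in the resulting binary, as an added example that is not code from this thread or from Fedora's packaging tooling. The script compiles a constructed three-function sample (add, with_ptr and with_buf are invented here) with each of the three -fstack-protector variants, lists per function whether its epilogue references __stack_chk_fail, and then repeats the whole-object test that checksec.sh performs (readelf -s grepped for __stack_chk_fail). The second test is what makes the mass-filed warnings unreliable: an object whose only function is add() shows "no canary" under -strong although the flag was exactly right. It assumes a C compiler reachable as $CC, cc, gcc or clang, and binutils readelf for the whole-object check.

```shell
#!/bin/sh
# Added example, not from the thread: per-function stack-canary check for
# -fstack-protector{,-strong,-all}, plus the whole-object check checksec does.
# Assumes a C compiler ($CC, cc, gcc or clang) and readelf for binary_has_canary.
set -eu

# First usable compiler: $CC if set, else cc, gcc, clang.
pick_cc() {
    for c in "${CC:-}" cc gcc clang; do
        if [ -n "$c" ] && command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"; return 0
        fi
    done
    return 1
}

# Constructed sample: one function per protection policy.
write_sample() {
    cat > "$1" <<'EOF'
void touch(int *p);                                    /* external; -S never links */
int add(int a, int b) { return a + b; }                /* nothing on the stack to guard */
int with_ptr(void) { int x = 0; touch(&x); return x; } /* address of a local escapes */
int with_buf(const char *s) {                          /* 64-byte char array */
    char buf[64]; int i = 0;
    while (s[i] && i < 63) { buf[i] = s[i]; i++; }
    buf[i] = 0;
    return i;
}
EOF
}

# Constructed sample with only add(): right flags, yet no function qualifies.
write_add_only() {
    printf 'int add(int a, int b) { return a + b; }\n' > "$1"
}

# canary_funcs <flag> <src>: compile to assembly and list, sorted, the functions
# whose body references __stack_chk_fail (the call taken on a canary mismatch).
canary_funcs() {
    cc=$(pick_cc); asm=$(mktemp)
    "$cc" -O0 "$1" -S -o "$asm" "$2"
    awk '
        # A global label at column 0 starts a new function; .L* locals are skipped.
        # The leading underscore strip only matters for Mach-O symbol names.
        /^[A-Za-z_][A-Za-z0-9_.$]*:/ { cur = $1; sub(/:.*/, "", cur); sub(/^_/, "", cur); next }
        /__stack_chk_fail/ && cur != "" { seen[cur] = 1 }
        END { for (f in seen) print f }
    ' "$asm" | sort
    rm -f "$asm"
}

# has_canary <flag> <func>: succeeds when <func> in the sample gets a canary.
has_canary() {
    dir=$(mktemp -d); write_sample "$dir/s.c"; r=1
    if canary_funcs "$1" "$dir/s.c" | grep -qx "$2"; then r=0; fi
    rm -rf "$dir"; return $r
}

# binary_has_canary <flag> <writer-func>: the checksec view of the whole object,
# i.e. "does readelf -s show any reference to __stack_chk_fail at all".
binary_has_canary() {
    dir=$(mktemp -d); "$2" "$dir/s.c"; r=1
    if "$(pick_cc)" -O0 "$1" -c -o "$dir/s.o" "$dir/s.c" &&
       readelf -s "$dir/s.o" | grep -q '__stack_chk_fail'; then r=0; fi
    rm -rf "$dir"; return $r
}

# Print the per-function table for all three policies.
report() {
    for flag in -fstack-protector -fstack-protector-strong -fstack-protector-all; do
        for fn in add with_ptr with_buf; do
            if has_canary "$flag" "$fn"; then s=canary; else s=none; fi
            printf '%-25s %-9s %s\n' "$flag" "$fn" "$s"
        done
    done
}

report
```

The table shows the three policies side by side: plain -fstack-protector guards only with_buf, -strong adds with_ptr because the address of a local is handed to another function, and only -all guards add. Since the whole-object test is just "something in here references __stack_chk_fail", a library built with -strong whose functions all look like add is indistinguishable, from readelf alone, from one built with -fno-stack-protector. For the question of recording the flags in the object, GCC already has -frecord-gcc-switches, which writes the command line into a .GNU.command.line section that `readelf -p .GNU.command.line` prints; the example does not rely on it because the per-function decision, not the flag, is what the canary scan observes.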