Javier J. Martínez Cabezón wrote:
> Why did you add ssp in CFLAGS? Why not use specs directly? I only
> added -D_FORTIFY_SOURCE=2 in CFLAGS. glibc doesn't compile with
> -fstack-protector-all in the CFLAGS, so you should switch to
> -fstack-protector to compile, which is less secure than using specs,
> which compile with -fstack-protector-all, which could be done.
The short answer is that it's the easiest compromise if you want some ssp in gcc-4. Here are some points that I've found while testing:

1) Of the 630+ packages that make up either amd64 or i686 desktop systems, all compile fine with -fstack-protector-all with the exception of glibc-2.8, which still compiles with just -fstack-protector.

2) This problem is not solved just by using specs. You can't simply add some variation of

    *cc1_ssp: %{!nostdlib:%{!nodefaultlibs:-fstack-protector-all;:-fstack-protector}}

It leads to problems. I'm looking at Zorry's work, which is promising.

3) Given points 1 and 2, a sloppy way of getting -fstack-protector-all is to start with a system compiled with -fstack-protector, then update to -fstack-protector-all, recompile with "emerge --keep-going -e world", and let glibc's recompilation fail. I've done this and it "works", but I'm not sure of the stability.

4) You bring up a good point about -D_FORTIFY_SOURCE=2, which in retrospect I should include. Ubuntu has been using "-fstack-protector -O2 -D_FORTIFY_SOURCE=2" since 8.10. It adds run-time checks on buffers in glibc, which can't hurt.

5) The difference between -fstack-protector and -fstack-protector-all is that the former only applies ssp to functions with char buffers, which are more vulnerable. When I tested using the paxtest suite with either switch, I got the same results. In fact, I get the same results compiling with hardened gcc-3.4.6. You can see what I got at [1]. Paxtest doesn't cover everything, but it covers important checks, and if any fail there is definitely reason for concern.

[1] http://opensource.dyc.edu/pub/misc/