On Monday, September 07, 2015 6:15:06 PM walt wrote:
> On Mon, 7 Sep 2015 14:27:38 -0400
> Michael Orlitzky <m...@gentoo.org> wrote:
> 
> > On 09/07/2015 01:10 PM, waben...@gmail.com wrote:
> > > Michael Orlitzky <m...@gentoo.org> wrote:
> > > 
> > > I don't think so (but maybe I'm wrong). You have to compile your
> > > entire system with a hardened toolchain to get full hardened
> > > support (SSP and maybe some other things). I think, to go back to a
> > > "normal state", you have to recompile everything again with a non
> > > hardened toolchain. 
> > 
> > GCC 4.8 already defaults to -fstack-protector, but you do need to
> > recompile to get -fstack-protector-all and you're right that you would
> > need to recompile again to make it go away. The full SSP is considered
> > safe though, and only slows things down a bit.
> 
> Full SSP is something I want and I'll gladly suffer the speed penalty
> to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> make.conf?   Or is it more complicated than that?
> 
> Hmm.  Quoting from the gcc man page:
> 
>   -fstack-protector-strong
>     Like -fstack-protector but includes additional functions to
>     be protected --- those that have local array definitions, or
>     have references to local frame addresses.
> 
>      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
>       enabled by default for C, C++, ObjC, ObjC++, if neither
>      -fno-stack-protector, -nostdlib, -ffreestanding,
>      -fstack-protector, -fstack-protector-strong or
>      -fstack-protector-all are found.   <=====  are found *where*?
> 
> English is my native tongue and I confess I can't make any sense of
> that advice.
> 
> The words 'enabled' and 'are found' don't tell me what I need to *do*
> to wind up with full/strong SSP in my compiled code.  Does gcc add the
> appropriate SSP flags without my intervention when building my sources,
> or do I need to invoke those flags myself, e.g. by adding them to CFLAGS
> as I asked above?
> 
> <sigh>  Communicating is hard to do:
> 
> https://en.wikipedia.org/wiki/Breaking_Up_Is_Hard_to_Do

It means if they're not found on the command line (or in CFLAGS, which ends up on 
the command line). So just add -fstack-protector-all to your CFLAGS to get 
full stack protection regardless of GCC version.

-- 
Fernando Rodriguez
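As an added example, not part of the thread or of Gentoo's toolchain: a POSIX shell script that works out which stack-protector level GCC will actually apply to a given CFLAGS string, assuming the Gentoo default of -fstack-protector-strong from the man-page note quoted above and GCC's rule that the last -fstack-protector* option on the command line wins. It also checks an object file for the __stack_chk_fail reference that instrumented functions emit and, when a C compiler and nm are present, compiles a tiny leaf function to show what -fstack-protector-all adds over -strong. The function names, the sample CFLAGS strings and the leaf function are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the stack-protector level that a
# CFLAGS string yields on a Gentoo GCC that defaults to -fstack-protector-strong.

# Assumed default for GCC >= 4.9 on Gentoo (per the quoted man-page note).
GENTOO_DEFAULT="-fstack-protector-strong"

# effective_ssp "<CFLAGS>" -> prints the -fstack-protector* level GCC ends up
# using. GCC honours the last -fstack-protector* flag it sees, so the flags are
# scanned in order and the last relevant one is kept. -nostdlib/-ffreestanding
# only suppress the distro default; an explicit choice still wins.
effective_ssp() {
    level="$GENTOO_DEFAULT"
    explicit=0
    for flag in $1; do
        case "$flag" in
            -fstack-protector-all|-fstack-protector-strong|-fstack-protector|-fno-stack-protector)
                level="$flag"
                explicit=1
                ;;
            -nostdlib|-ffreestanding)
                if [ "$explicit" -eq 0 ]; then
                    level="-fno-stack-protector"   # upstream GCC default: none
                fi
                ;;
        esac
    done
    printf '%s\n' "$level"
}

# has_ssp_symbol <object-or-binary> -> exit 0 if the file references
# __stack_chk_fail, i.e. at least one function carries a canary check.
has_ssp_symbol() {
    nm "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# demo_compile: build a leaf function with no local arrays under -strong and
# under -all. -strong leaves it uninstrumented (nothing on its frame qualifies);
# -all instruments it anyway, which is the whole difference the thread is about.
demo_compile() {
    tmp=$(mktemp -d) || return 0
    printf 'int f(int x) { return x + 1; }\n' > "$tmp/leaf.c"   # constructed input
    for level in -fstack-protector-strong -fstack-protector-all; do
        if cc -O2 -c "$level" -o "$tmp/leaf.o" "$tmp/leaf.c" 2>/dev/null; then
            if has_ssp_symbol "$tmp/leaf.o"; then
                echo "$level: canary check present in f()"
            else
                echo "$level: no canary check in f()"
            fi
        fi
    done
    rm -rf "$tmp"
}

# Sample audits of constructed CFLAGS strings.
echo "CFLAGS='-O2 -pipe'                       -> $(effective_ssp '-O2 -pipe')"
echo "CFLAGS='-O2 -fstack-protector-all'       -> $(effective_ssp '-O2 -fstack-protector-all')"
echo "CFLAGS='-ffreestanding -O2'              -> $(effective_ssp '-ffreestanding -O2')"
echo "CFLAGS='-fstack-protector-all -fno-stack-protector' -> $(effective_ssp '-fstack-protector-all -fno-stack-protector')"

if command -v cc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    demo_compile
fi
```

On a Gentoo box the value to feed in is the one Portage will actually use, e.g. `effective_ssp "$(portageq envvar CFLAGS)"`; the ordering rule matters because a package build system that appends its own -fstack-protector flag after CFLAGS will silently override the -all set in make.conf.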
