propolice for GCC?

Matthew Dillon dillon at apollo.backplane.com
Wed Dec 10 15:01:18 PST 2003


:>      Ok.  I've looked at the code output and it does impose some
:>      fairly serious overheads, so I am going to default the compiler
:>      to off instead of on.  We can then add -fstack-protector to
:>      sys.mk, /etc/make.conf, or wherever else we need to add it.
:
:Should we build sendmail, bind and everything else which serves the
:outside with -fstack-protector by default?
:
:I guess this way we would catch most bugs, yet not slow down /bin/sh
:that much (hehe, at least we don't have a dynamic /bin/sh >;]
:
:~ibotty

    Yes, once more testing is complete we can default certain parts of
    the build (or maybe the whole thing) to -fstack-protector.  Very
    definitely all external services and suid/sgid programs should be
    compiled with it.

    Note that the feature is not all-encompassing.  It can find on-stack
    buffer overflows but it will not, for example, find malloc()'d buffer
    overflows.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
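As an added illustration of that last point (not code from this thread or from ProPolice itself): a small C model of the canary check that -fstack-protector inserts, run once against a local buffer and once against a malloc()'d one with the same over-long input. The canary value, the frame layout and the inputs are constructed for the demo; a real canary is random and lives in the compiler-generated frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16
#define NEIGHBOUR_SIZE 8
/* Constructed canary; the real one is random and set at process start. */
static const uint64_t CANARY = 0x00ff0a0dc3c3a5a5ULL;
/* Constructed inputs: one fits the buffer, one is longer than it. */
static const char SHORT_INPUT[] = "hello";
static const char LONG_INPUT[]  = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes */

/* Model of one stack frame: a 16-byte local buffer with the canary word
 * stored directly above it, which is how ProPolice lays the frame out.
 * Kept as raw bytes so the overflowing copy stays inside one object. */
typedef struct { unsigned char raw[BUF_SIZE + sizeof(uint64_t)]; } frame_t;

/* Unchecked copy into a local buffer, mirroring what the compiler emits:
 * store the canary in the prologue, verify it in the epilogue.
 * Returns 1 if the overflow was caught, 0 if not, -1 if len exceeds the model. */
int stack_copy_detected(const char *src, size_t len)
{
    frame_t f;
    uint64_t check;
    if (len > sizeof f.raw)
        return -1;
    memcpy(f.raw + BUF_SIZE, &CANARY, sizeof CANARY);  /* prologue */
    memcpy(f.raw, src, len);                           /* the bug: no bounds check */
    memcpy(&check, f.raw + BUF_SIZE, sizeof check);    /* epilogue check */
    return check != CANARY;
}

/* The same unchecked copy into a malloc()'d buffer. No canary exists there,
 * so this always reports "not detected"; *neighbour_clobbered reports whether
 * the adjacent heap bytes (another object) were silently overwritten. */
int heap_copy_detected(const char *src, size_t len, int *neighbour_clobbered)
{
    unsigned char *block = malloc(BUF_SIZE + NEIGHBOUR_SIZE);
    if (block == NULL || len > BUF_SIZE + NEIGHBOUR_SIZE) { free(block); return -1; }
    memset(block + BUF_SIZE, 0x5a, NEIGHBOUR_SIZE);  /* the neighbouring object */
    memcpy(block, src, len);                         /* the bug, again */
    *neighbour_clobbered = block[BUF_SIZE] != 0x5a;
    free(block);
    return 0;                                        /* nothing to check against */
}

int main(void)
{
    int clobbered = 0;
    printf("stack, long input: detected=%d\n", stack_copy_detected(LONG_INPUT, 20));
    printf("heap,  long input: detected=%d clobbered=%d\n",
           heap_copy_detected(LONG_INPUT, 20, &clobbered), clobbered);
    return 0;
}
```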

More information about the Kernel mailing list