-fstack-protector vs. -fstack-protector-all
Alexander Best
arundel at freebsd.org
Mon Nov 21 00:55:36 UTC 2011
On Sat Nov 19 11, Dimitry Andric wrote:
> On 2011-11-18 15:37, Alexander Best wrote:
> > what are the reasons for using -fstack-protector instead of
> > -fstack-protector-all in sys/conf/kern.mk?
>
> My guess would be one or more of the following:
>
> - The price in performance is too high
> - The gain in security is too low
> - Some routines in the kernel are run before the whole stack protection
> infrastructure is in place, ergo they can't have stack protection
> - There might be other problems with -fstack-protector-all,
> lib/libc/Makefile says:
>
> # XXX For now, we don't allow libc to be compiled with
> # -fstack-protector-all because it breaks rtld. We may want to make a librtld
> # in the future to circumvent this.
> SSP_CFLAGS:= ${SSP_CFLAGS:S/^-fstack-protector-all$/-fstack-protector/}

defining -fstack-protector-all in sys/conf/kern.mk will only apply it to the
kernel and its components and not to world, i believe.

i've been running a kernel compiled with -fstack-protector-all and haven't
experienced any issues with it, so far.

cheers.
alex