Date:      Mon, 21 Nov 2011 00:55:36 +0000
From:      Alexander Best <arundel@freebsd.org>
To:        Dimitry Andric <dim@FreeBSD.org>
Cc:        freebsd-toolchain@freebsd.org
Subject:   Re: -fstack-protector vs. -fstack-protector-all
Message-ID:  <20111121005536.GA89360@freebsd.org>
In-Reply-To: <4EC7973E.9010108@FreeBSD.org>
References:  <20111118143735.GA46352@freebsd.org> <4EC7973E.9010108@FreeBSD.org>

On Sat Nov 19 11, Dimitry Andric wrote:
> On 2011-11-18 15:37, Alexander Best wrote:
> > what are the reasons for using -fstack-protector instead of
> > -fstack-protector-all in sys/conf/kern.mk?
> 
> My guess would be one or more of the following:
> 
> - The price in performance is too high
> - The gain in security is too low
> - Some routines in the kernel are run before the whole stack protection
>   infrastructure is in place, ergo they can't have stack protection
> - There might be other problems with -fstack-protector-all,
>   lib/libc/Makefile says:
> 
>   # XXX For now, we don't allow libc to be compiled with
>   # -fstack-protector-all because it breaks rtld.  We may want to make a librtld
>   # in the future to circumvent this.
>   SSP_CFLAGS:=	${SSP_CFLAGS:S/^-fstack-protector-all$/-fstack-protector/}

defining -fstack-protector-all in sys/conf/kern.mk will only apply it to the
kernel and its components and not to world, i believe.

i've been running a kernel compiled with -fstack-protector-all and haven't
experienced any issues with it, so far.

cheers.
alex


