[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)
- To: Thor Lancelot Simon <tls%panix.com@localhost>
- Subject: Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)
- From: Eric Haszlakiewicz <erh%nimenees.com@localhost>
- Date: Fri, 13 Nov 2009 10:46:17 -0600
On Fri, Nov 13, 2009 at 11:38:25AM -0500, Thor Lancelot Simon wrote:
> On Fri, Nov 13, 2009 at 03:40:19PM +0000, David Holland wrote:
> > On Fri, Nov 13, 2009 at 08:20:57AM -0500, Steven Bellovin wrote:
> > > > Note that quite a few packages break with SSP.
> > >
> > > Hmm -- why? Buffer overflows that haven't been exploited yet?
> > It's allergic to alloca(), and anything equivalent to alloca() like
> > variable-sized arrays on the stack.
> This is why I recommended -fstack-protector -Wno-stack-protector as the
> options to be added to pkgsrc builds.
> Unfortunately GCC can't do "warn me about X but don't make it fatal even
> if -Werror is set".
er.. don't you mean the other way around? I assume you'd want a package
build to break if it used a construct incompatible with -fstack-protector,
right? i.e. "gcc -Werror-no-stack-protector" (btw, gcc seems to have some
prior art in this area with "-Werror-implicit-function-declaration")
Main Index |
Thread Index |