tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2'

In article <20090122120346.29f41c97@tb10>,
George Abdelmalik  <> wrote:
>On Wed, 21 Jan 2009 18:56:40 -0500
>Thor Lancelot Simon <> wrote:
>> On Wed, Jan 21, 2009 at 05:32:33PM -0500, Ed Ravin wrote:
>> >
>> > At the advice of one of the denizens of this list, I've started
>> > doing all my local builds with -fstack-protector (Stackguard)
>> > and -D_FORTIFY_SOURCE=2 (runtime bounds checking).
>> > 
>> > Are there any plans to use these flags in the default builds of
>> > NetBSD or in pkgsrc?
>> Much of NetBSD is already built that way (you can build all of it that
>> way by setting USE_FORT and USE_SSP and running a build).  I don't
>> know about pkgsrc.
>That's some useful information I didn't know.
>I see that USE_SSP is documented in share/mk/bsd.README, but I can't
>find the same for USE_FORT.
>Is it then not necessary to specify both?
>What's the implication of omitting USE_FORT?

USE_FORT turns on substitute wrappers for commonly used functions that
do not do bounds checking regurarly, but they could in some cases by
using the gcc __builtin_object_size() function to determine the buffer
size where it is known and detect buffer overflows. These substitute
functions are in /usr/include/ssp.


Home | Main Index | Thread Index | Old Index