Re: CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2'

[christos%astron.com@localhost (Christos Zoulas)]

In article <20090122120346.29f41c97@tb10>,
George Abdelmalik  <gabdelmalik%avdat.com.au@localhost> wrote:
>On Wed, 21 Jan 2009 18:56:40 -0500
>Thor Lancelot Simon <tls%rek.tjls.com@localhost> wrote:
>
>> On Wed, Jan 21, 2009 at 05:32:33PM -0500, Ed Ravin wrote:
>> >
>> > At the advice of one of the denizens of this list, I've started
>> > doing all my local builds with -fstack-protector (Stackguard)
>> > and -D_FORTIFY_SOURCE=2 (runtime bounds checking).
>> > 
>> > Are there any plans to use these flags in the default builds of
>> > NetBSD or in pkgsrc?
>> 
>> Much of NetBSD is already built that way (you can build all of it that
>> way by setting USE_FORT and USE_SSP and running a build).  I don't
>> know about pkgsrc.
>> 
>
>That's some useful information I didn't know.
>I see that USE_SSP is documented in share/mk/bsd.README, but I can't
>find the same for USE_FORT.
>Is it then not necessary to specify both?
>What's the implication of omitting USE_FORT?

USE_FORT turns on substitute wrappers for commonly used functions that
do not do bounds checking regurarly, but they could in some cases by
using the gcc __builtin_object_size() function to determine the buffer
size where it is known and detect buffer overflows. These substitute
functions are in /usr/include/ssp.

christos