| 1 |
Hi, |
| 2 |
|
| 3 |
I'm not claiming that I understand all the issues, but I wonder how |
| 4 |
that all affects "normal" Gentoo. |
| 5 |
|
| 6 |
Let me summarize my understanding: |
| 7 |
* We currently enable -fstack-check=specific on hardened, but not on |
| 8 |
normal Gentoo. |
| 9 |
* -fstack-check provides protection against stack clashes, but it is |
| 10 |
not ideal / can sometimes be circumvented. However it is expected / |
| 11 |
hoped that future versions of gcc will improve on that and provide a |
| 12 |
better implementation. |
| 13 |
* According to gcc's man page I understand that -fstack-check=specific |
| 14 |
is equivalent to -fstack-check and there is also |
| 15 |
-fstack-check=generic, which is considered deprecated. |
| 16 |
|
| 17 |
There's already work underway to push -pie via a new profile to default |
| 18 |
gentoo. I wonder: Should -fstack-check be pushed as well? |
| 19 |
|
| 20 |
Open questions I have: |
| 21 |
* Are there measurements of the performance overhead of -fstack-check? |
| 22 |
* Are there other downsides of -fstack-check? Is it expected that |
| 23 |
enabling it breaks things? |
| 24 |
|
| 25 |
-- |
| 26 |
Hanno Böck |
| 27 |
https://hboeck.de/ |
| 28 |
|
| 29 |
mail/jabber: hanno@××××××.de |
| 30 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
Archives