On Sun, 2005-06-19 at 20:53 +0200, Simon Strandman wrote:
> I just checked make.defaults for the x86 hardened profile and it has
> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
>
> Why the -fforce-addr? Does it have any impact on security?
>
> I use hardened on my home server but I don't have -fforce-addr in its
> CFLAGS. Should I add it?

This may seem bad but I forget exactly. I think it was the result of an
academic security discussion that pappy the PaX author and myself
participated in a very long time ago. If my memory serves me right
(often fails me) we use it to keep gcc from being smart and incorrectly
over/under optimizing some areas of code. I think the main reason it's
listed in the CFLAGS was to help aid in the prevention of a precise type
of ret2libc attack with the other mechanisms in place by forcing the
attack to happen in a single atomic operation.

It's an optional flag however. I use it also.

--
Ned Ludd <solar@g.o>

--
gentoo-hardened@g.o mailing list