| 1 |
On Sun, 2005-06-19 at 20:53 +0200, Simon Strandman wrote: |
| 2 |
> I just checked make.defaults for the x86 hardened profile and it has |
| 3 |
> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr". |
| 4 |
> |
| 5 |
> Why the -fforce-addr? Does it have any impact on security? |
| 6 |
> |
| 7 |
> I use hardened on my home server but I don't have -fforce-addr in its |
| 8 |
> CFLAGS. Should I add it? |
| 9 |
|
| 10 |
|
| 11 |
This may seem bad but I forget exactly. I think it was the result of an |
| 12 |
academic security discussion that pappy the PaX author and myself |
| 13 |
participated in a very long time ago. If my memory serves me right |
| 14 |
(often fails me) we use to keep gcc from being smart and incorrectly |
| 15 |
over/under optimizing some areas of code. I think main reason it's |
| 16 |
listed in the CFLAGS was to help aid in the prevention of a precise type |
| 17 |
of ret2libc attack with the other mechanisms in place by forcing the |
| 18 |
attack to happen in a single atomic operation. |
| 19 |
|
| 20 |
|
| 21 |
It's an optional flag however. I use it also. |
| 22 |
|
| 23 |
|
| 24 |
-- |
| 25 |
Ned Ludd <solar@g.o> |
| 26 |
|
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives