Gentoo Archives: gentoo-user

From: Adam Carter <adamcarter3@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] -fstack-clash-protection vs -fstack-check
Date: Thu, 10 Jan 2019 23:59:32
The systemd priv-esc (CVE-2018-16864) got me reading gcc's man page on
-fstack-clash-protection, since
claims that
systems with it enabled are not vulnerable. I already have -fstack-check,
however, if I try to run both, gcc 8.2 complains;

cc1: warning: ‘-fstack-check=’ and ‘-fstack-clash_protection’ are mutually
exclusive. Disabling ‘-fstack-check=’

(there's a typo in gcc's message, the underscore should be a dash)

Is -fstack-clash-protection safer than -fstack-check? From the man page it
sounds like that's the case, but I'm not sure I understand what I'm
reading. My lay person understanding is;
stack-check verifies that memory is not accessed past what should be the
end of the stack (based on the memory range allocated for the stack?).
stack-clash-protection accesses each location iteratively so that it can be
checked for the guard page (end of stack marker) before going further.
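
Added example, not part of the original post and not gcc's code: a simplified C model of why touching the stack at page-sized intervals keeps a large allocation from stepping over the guard page. The 4 KiB page/probe/guard size, the constructed address layout, and the names `layout`, `alloc_unprobed` and `alloc_probed` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE 4096u /* assumption: page size == probe interval == guard size */

/* Constructed layout: the stack grows down towards stack_low; the guard page
 * is [guard_low, stack_low); anything below guard_low is some other mapping. */
struct layout { uintptr_t stack_low, guard_low; };

static bool in_guard(const struct layout *l, uintptr_t addr) {
    return addr >= l->guard_low && addr < l->stack_low;
}

/* One-step allocation: sp drops by `size` and only the new top of stack is
 * touched. Returns true if that touch lands in the guard page (fault). */
bool alloc_unprobed(const struct layout *l, uintptr_t sp, size_t size) {
    return in_guard(l, sp - size);
}

/* Probed allocation: sp never moves more than PAGE without a touch, so a
 * guard of PAGE bytes cannot be stepped over. Returns true on guard fault. */
bool alloc_probed(const struct layout *l, uintptr_t sp, size_t size) {
    while (size > 0) {
        size_t step = size < PAGE ? size : PAGE;
        sp -= step;
        size -= step;
        if (in_guard(l, sp))
            return true; /* the kernel would stop the process here */
    }
    return false;
}

int main(void) {
    struct layout l = { 0x70000000u, 0x70000000u - PAGE };
    uintptr_t sp = l.stack_low + 2 * PAGE; /* 8 KiB of stack left */
    size_t sizes[] = { 1024, 2 * PAGE + 100, 4 * PAGE };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("alloc %6zu: unprobed fault=%d probed fault=%d\n", sizes[i],
               alloc_unprobed(&l, sp, sizes[i]), alloc_probed(&l, sp, sizes[i]));
    return 0;
}
```

In the 16 KiB case the single-step allocation lands below the guard page without faulting, while the probed version faults on the guard.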