Gentoo Archives: gentoo-user

From: Adam Carter <adamcarter3@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] -fstack-clash-protection vs -fstack-check
Date: Thu, 10 Jan 2019 23:59:32
Message-Id: CAC=wYCFxA8YbJBrqjog48hLBD_wLuZmfmLTBD+O3ZPYhU44Sgg@mail.gmail.com

The systemd priv-esc (CVE-2018-16864) got me reading gcc's man page on
-fstack-clash-protection, since
https://www.theregister.co.uk/2019/01/10/systemd_bugs_qualys/ claims that
systems with it enabled are not vulnerable. I already have -fstack-check;
however, if I try to run both, gcc 8.2 complains:

cc1: warning: ‘-fstack-check=’ and ‘-fstack-clash_protection’ are mutually
exclusive.  Disabling ‘-fstack-check=’

(there's a typo in gcc's message, the underscore should be a dash)

Is -fstack-clash-protection safer than -fstack-check? From the man page it
sounds like that's the case, but I'm not sure I understand what I'm
reading. My lay person understanding is:
stack-check verifies that memory is not accessed past what should be the
end of the stack (based on the memory range allocated for the stack?).
stack-clash-protection accesses each location iteratively so that it can be
checked for the guard page (end of stack marker) before going further.
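
An added example, not part of the original message and not GCC's code: a simplified model of the page-at-a-time probing that the GCC manual describes for -fstack-clash-protection, compared with a single large stack-pointer adjustment that is only touched at its far end. The memory layout, sizes and function names are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model of a downward-growing stack (all sizes are assumptions):
 *   low addresses  [other mapping][guard page][stack ... sp]  high addresses
 */
#define PAGE      4096UL
#define OTHER_TOP (64 * PAGE)             /* below this: some other mapping  */
#define GUARD_TOP (OTHER_TOP + PAGE)      /* one unmapped guard page         */
#define SP_START  (GUARD_TOP + 8 * PAGE)  /* 8 pages of stack still free     */

enum region { STACK, GUARD, OTHER };

static enum region classify(unsigned long addr) {
    if (addr >= GUARD_TOP) return STACK;
    if (addr >= OTHER_TOP) return GUARD;  /* touching this would fault       */
    return OTHER;                         /* silently lands in other memory  */
}

/* Unprobed: sp drops by `size` in one step and only the new sp is touched,
 * as with a large alloca()/VLA. Assumes size <= SP_START. */
enum region alloc_unprobed(unsigned long size) {
    return classify(SP_START - size);
}

/* Probed: sp drops at most one page at a time and every step is touched.
 * Returns the first non-stack region touched, or STACK if none. */
enum region alloc_probed(unsigned long size) {
    unsigned long sp = SP_START;
    while (size > 0) {
        unsigned long step = size < PAGE ? size : PAGE;
        sp -= step;
        size -= step;
        enum region r = classify(sp);
        if (r != STACK) return r;         /* guard hit: process would fault  */
    }
    return STACK;
}

int main(void) {
    static const char *name[] = { "stack", "guard (fault)", "other mapping" };
    unsigned long sizes[] = { 2 * PAGE, 8 * PAGE + 16, 12 * PAGE };
    for (int i = 0; i < 3; i++)
        printf("%6lu bytes: unprobed -> %-14s probed -> %s\n", sizes[i],
               name[alloc_unprobed(sizes[i])], name[alloc_probed(sizes[i])]);
    return 0;
}
```

In this model an allocation larger than the remaining stack plus the guard page lands in the other mapping when unprobed, while the probed version always stops on the guard page first.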