36 lines
1.3 KiB
Text
36 lines
1.3 KiB
Text
Title: GCC 4.8.3 defaults to -fstack-protector
|
|
Author: Ryan Hill <rhill@gentoo.org>
|
|
Content-Type: text/plain
|
|
Posted: 2014-06-15
|
|
Revision: 2
|
|
News-Item-Format: 1.0
|
|
Display-If-Installed: >=sys-devel/gcc-4.8.3
|
|
Display-If-Keyword: amd64
|
|
Display-If-Keyword: arm
|
|
Display-If-Keyword: mips
|
|
Display-If-Keyword: ppc
|
|
Display-If-Keyword: ppc64
|
|
Display-If-Keyword: x86
|
|
Display-If-Keyword: amd64-fbsd
|
|
Display-If-Keyword: x86-fbsd
|
|
|
|
Beginning with GCC 4.8.3, Stack Smashing Protection (SSP) will be
|
|
enabled by default. The 4.8 series will enable -fstack-protector
|
|
while 4.9 and later enable -fstack-protector-strong.
|
|
|
|
SSP is a security feature that attempts to mitigate stack-based buffer
|
|
overflows by placing a canary value on the stack after the function
|
|
return pointer and checking for that value before the function returns.
|
|
If a buffer overflow occurs and the canary value is overwritten, the
|
|
program aborts.
|
|
|
|
There is a small performance cost to these features. They can be
|
|
disabled with -fno-stack-protector.
|
|
|
|
For more information these options, refer to the GCC Manual, or the
|
|
following articles.
|
|
|
|
http://en.wikipedia.org/wiki/Buffer_overflow_protection
|
|
http://en.wikipedia.org/wiki/Stack_buffer_overflow
|
|
https://securityblog.redhat.com/tag/stack-protector
|
|
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong
|