Re: propolice for GCC?

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Dec 2003 15:00:16 -0800 (PST)

:>      Ok.  I've looked at the code output and it does impose some
:>      fairly serious overheads, so I am going to default the compiler
:>      to off instead of on.  We can then add -fstack-protector to
:>      sys.mk, /etc/make.conf, or wherever else we need to add it.
:should we build sendmail, bind and everything else which serves to the
:outside build with -fstack-protector by default.
:i guess, this way we would catch most bugs, yet do not slow down /bin/sh
:that much (hehe, at least we don't have dynamic /bin/sh >;]

    Yes, once more testing is complete we can default certain parts of
    the build (or maybe the whole thing) to -fstack-protector.  Very
    definitely all external services and suid/sgid programs should be
    compiled with it.

    Note that the feature is not all-encompassing.  It can find on-stack
    buffer overflows but it will not, for example, find malloc()'d buffer

					Matthew Dillon 
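
The limitation noted in the message above, shown as an added example that is not part of the original post and is not the compiler's own code: a C model of the guard value that -fstack-protector places between a local buffer and the saved control data, next to a malloc()'d object that has no such guard. The struct layouts, the names and the constants GUARD_VALUE and SAVED_VALUE are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define GUARD_VALUE ((uintptr_t)0x000aff0dU) /* constructed; a real guard is set at program start */
#define SAVED_VALUE ((uintptr_t)0x1000U)     /* constructed stand-in for data worth protecting */

/* Model of a protected frame: the guard sits between the local buffer
 * and the saved control data, so a linear overrun must cross it first. */
struct frame_model { char buf[16]; uintptr_t guard; uintptr_t saved_ret; };

/* Model of a malloc()'d object: nothing sits between buf and its neighbour. */
struct heap_model { char buf[16]; uintptr_t neighbour; };

/* The bug being modelled: n bytes written from the start of buf with no
 * bounds check. Clamped to the model object so the demo stays well-defined. */
static void unchecked_fill(void *obj, size_t obj_size, size_t n)
{
    unsigned char *p = obj;
    if (n > obj_size)
        n = obj_size;
    for (size_t i = 0; i < n; i++)
        p[i] = 'A';
}

/* Returns 1 when the epilogue check would fire (guard no longer intact). */
int stack_overrun_detected(size_t n)
{
    struct frame_model f = { {0}, GUARD_VALUE, SAVED_VALUE };
    unchecked_fill(&f, sizeof f, n);
    return f.guard != GUARD_VALUE;
}

/* Returns 1 when the neighbouring heap field changed; no check exists to notice it. */
int heap_overrun_corrupts(size_t n)
{
    struct heap_model *h = calloc(1, sizeof *h);
    if (h == NULL)
        return -1;
    h->neighbour = SAVED_VALUE;
    unchecked_fill(h, sizeof *h, n);
    int corrupted = (h->neighbour != SAVED_VALUE);
    free(h);
    return corrupted;
}

int main(void)
{
    return !(stack_overrun_detected(24) == 1 && heap_overrun_corrupts(24) == 1);
}
```

In the model, a write that stays within the 16-byte buffer leaves both objects intact; one byte further trips the guard comparison in the frame, while the heap neighbour is altered with nothing to flag it.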

