From: Dimitry Andric
Organization: The FreeBSD Project
Date: Sat, 19 Nov 2011 12:47:10 +0100
To: Alexander Best
Cc: freebsd-toolchain@freebsd.org
Subject: Re: -fstack-protector vs. -fstack-protector-all

On 2011-11-18 15:37, Alexander Best wrote:
> what are the reasons for using -fstack-protector instead of
> -fstack-protector-all in sys/conf/kern.mk?

My guess would be one or more of the following:

- The price in performance is too high
- The gain in security is too low
- Some routines in the kernel are run before the whole stack protection
  infrastructure is in place, ergo they can't have stack protection
- There might be other problems with -fstack-protector-all,
  lib/libc/Makefile says:

  # XXX For now, we don't allow libc to be compiled with
  # -fstack-protector-all because it breaks rtld.  We may want to make a librtld
  # in the future to circumvent this.
  SSP_CFLAGS:= ${SSP_CFLAGS:S/^-fstack-protector-all$/-fstack-protector/}
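
The coverage difference between the two flags discussed in this message can be measured directly. The script below is an added example, not part of the original message or of the FreeBSD tree. It assumes `cc` is a GCC- or Clang-compatible driver; the sample C source and the helper names `sample_source` and `ssp_count` are constructed for illustration.

```shell
#!/bin/sh
# Added example: count how many canary-failure call sites the compiler
# emits for the same source under each stack protector setting.
CC=${CC:-cc}   # assumption: GCC- or Clang-compatible compiler driver

# Constructed sample: one function with a char buffer, one without locals.
sample_source() {
cat <<'EOF'
#include <stdio.h>
int copy(const char *s) {
    char buf[64];                   /* char array: instrumented by both flags */
    snprintf(buf, sizeof buf, "%s", s);
    return puts(buf);
}
int add(int a, int b) {             /* no buffer: instrumented only by -all */
    return a + b;
}
EOF
}

# Print the number of assembly lines that reference __stack_chk_fail
# when the sample is compiled with the protector flag given as $1.
ssp_count() {
    sample_source | "$CC" -S -O0 "$1" -x c -o - - 2>/dev/null |
        grep -c '__stack_chk_fail' || true
}

for flag in -fno-stack-protector -fstack-protector -fstack-protector-all; do
    printf '%-24s %s\n' "$flag" "$(ssp_count "$flag")"
done
```

Every extra reference under -fstack-protector-all is a function that now loads, stores and compares a canary on each call, which is the per-call cost weighed against coverage in the first two guesses above.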