Date:      Sun, 4 Oct 2015 18:54:03 +0000 (UTC)
From:      "Pedro F. Giffuni" <pfg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r288669 - head/share/mk
Message-ID:  <201510041854.t94Is3AF067961@repo.freebsd.org>

Author: pfg
Date: Sun Oct  4 18:54:02 2015
New Revision: 288669
URL: https://svnweb.freebsd.org/changeset/base/288669

Log:
  Bump the stack protector to level "strong".
  
  The general stack protector is known to be weak and has pretty small
  coverage. While setting stack-protector-all would give better protection
  it would come with a performance cost: for this reason Google's Chrome OS
  team developed a new stack-protector-strong variant.
  
  In addition to the protections offered by -fstack-protector, the new option
  will guard any function that declares any type or length of local array,
  even those in structs or unions. It will also protect functions that use a
  local variable's address in a function argument or on the right-hand side
  of an assignment.
  
  The option was introduced in GCC-4.9, but support for it has been
  back-ported to our base GCC (r286074) and is also available in clang.
  
  The change was tested with dbench and doesn't introduce performance
  regressions. An exp-run over the ports tree revealed no failures when
  using the stricter stack-protector-all. Thanks to all testers involved.
  
  Reference:
  https://outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
  
  Tested by:	pho, portmgr (antoine)
  Discussed with:	secteam (delphij)
  
  Differential Revision: https://reviews.freebsd.org/D3463
  PR:		203394 (exp-run)
  
  Relnotes:	yes
  MFC:		no (not supported in older clang)

Modified:
  head/share/mk/bsd.sys.mk

Modified: head/share/mk/bsd.sys.mk
==============================================================================
--- head/share/mk/bsd.sys.mk	Sun Oct  4 13:49:09 2015	(r288668)
+++ head/share/mk/bsd.sys.mk	Sun Oct  4 18:54:02 2015	(r288669)
@@ -149,7 +149,7 @@ CXXFLAGS.clang+=	 -Wno-c++11-extensions
 .if ${MK_SSP} != "no" && \
     ${MACHINE_CPUARCH} != "arm" && ${MACHINE_CPUARCH} != "mips"
 # Don't use -Wstack-protector as it breaks world with -Werror.
-SSP_CFLAGS?=	-fstack-protector
+SSP_CFLAGS?=	-fstack-protector-strong
 CFLAGS+=	${SSP_CFLAGS}
 .endif # SSP && !ARM && !MIPS
 
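Review bot: the new default at `SSP_CFLAGS?= -fstack-protector-strong` is applied to every compiler that passes the `MK_SSP` and `MACHINE_CPUARCH` test, yet the log itself says the option is not supported in older clang. Consider guarding the assignment on compiler support and falling back to `-fstack-protector` otherwise, so a build with an older or external toolchain degrades to the previous level instead of failing on an unknown flag. The comment above the assignment could also record which compilers this default requires. Because the assignment uses `?=`, anyone who already sets `SSP_CFLAGS` keeps their old level and will not pick up the stronger default, which is worth stating in the release note.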


