[cfe-dev] How clang compares with gcc on security hardening ?

Erik Pilkington via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 19 16:02:49 PST 2019



> On Feb 19, 2019, at 3:34 PM, Reid Kleckner via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> 
> On Tue, Feb 19, 2019 at 3:15 PM James Y Knight <jyknight at google.com <mailto:jyknight at google.com>> wrote:
> If someone wishes to contribute support to glibc to better support these fortifications with clang, it should be pretty easy. Simply look at how FORTIFY_SOURCE is implemented in the Bionic libc, and do something similar to that (with appropriate ifdeffery, because that version is not going to work in GCC).
> 
> It is unfortunate, however, that the two communities haven't settled on an agreeable set of extensions to implement this feature. I can understand why glibc wouldn't want a second parallel implementation with it's own set of bugs requiring its own tests. Getting this right really requires someone who cares about it enough to get involved in all of the relevant projects here: glibc, clang, gcc, and maybe even bionic. That sounds like a lot of work, so I understand why it hasn't been done.

I’ve been working on improving _FORTIFY_SOURCE support for apple’s c standard library. I added the attribute fortify_stdlib (https://clang.llvm.org/docs/AttributeReference.html#fortify-stdlib) so it should just be a matter of glibc slapping it on a few functions and clang will do the rest, which doesn’t seem like much of a burden. The narrative that clang is far behind GCC for _FORTIFY doesn’t really add up to me either, there are some clang extensions that GCC doesn’t support either, for instance: __builtin_dynamic_object_size and pass_object_size.

> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20190219/e8410016/attachment.html>


More information about the cfe-dev mailing list