[cfe-users] Does -fstack-protector[-all] actually do anything?
noloader at gmail.com
Tue Jun 3 05:10:51 PDT 2014
On Tue, Jun 3, 2014 at 6:54 AM, Dallman, John <john.dallman at siemens.com> wrote:
> On the Windows/MSVC builds of the product I work on, I've turned on the
> "GuardStack" compiler option (/GS) which puts in fences to detect buffer
> overruns in functions that the compiler thinks need it. Now I'm looking
> at other platforms.
> GCC has -fstack-protector and -fstack-protector-all. There's also the fairly
> new -fstack-protector-strong, but I need to support Linuxes that are too
> old to have that.
> Clang has Address Sanitizer, but that seems to cost too much performance
> for production code - with a bit of work, one can get the /GS losses down
> to 2% or less with MSVC.
> Clang also accepts GCC's -fstack-protector and -fstack-protector-all, but
> they don't seem to do anything: taking assembly listings for a simple test
> program compiled with and without -fstack-protector-all and diffing them
> reveals no differences at all. I'm using OS X 10.9.2 with a Clang from Xcode
> that reports itself as:
> Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
> Are -fstack-protector and -fstack-protector-all just being accepted and
-fstack-protector protects vulnerable objects like c-strings.
-fstack-protector-all protects all frames with vulnerable objects,
like an int.
Do you have vulnerable objects in the stack frame?
Hiroaki Etoh's patch for SSP in GCC can be found at
Microsoft has another setting for high-risk source code files: #pragma
strict_gs_check(on). Use it for, for example, a parser that accepts
untrusted input from the internet. I don't believe Linux/GCC has a
More information about the cfe-users