[llvm-dev] Why are the sanitizer compiled with -fno-stack-protector ?

Tom Stellard via llvm-dev llvm-dev at lists.llvm.org
Mon Nov 22 12:56:29 PST 2021


On 11/22/21 10:08, Kostya Serebryany wrote:
> Hi Tom,
> 
> Before we try to answer "are there any other reasons to not do X",
> (and I don't know the answer off the top of my head)
> I'd like to hear your "reasons to do X".
> 

I don't have a specific reason to compile the sanitizers with -fstack-protector,
I'm just wondering if it was safe to do so (e.g. the sanitizers can still work properly
with -fstack-protector enabled). We run a security scan on our builds and it flagged
the sanitizer libraries and also any application built with -fsanitize=safe-stack
as missing -fstack-protector, so I would like to either enable -fstack-protector or
be able to document why it is disabled.

-Tom



> Bundling -fno-stack-protector with e.g. ASAN serves no purpose that I can see.
> -fno-stack-protector is a production feature.
> It is a (weak but useful) security mitigation, it doesn't help to find bugs.
> ASAN (and other sanitizers) are testing tools, not commonly used in production.
> They find stack buffer overflows much better than fno-stack-protector does.
> 
> The exception is perhaps UBSAN with minimal run-time or in trap mode.
> This one *is* commonly used in production and it would be reasonable to allow it together with -fno-stack-protector.
> 



> --kcc
> 
> 
> 
> On Fri, Nov 19, 2021 at 4:21 PM Tom Stellard via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> 
>     Hi,
> 
>     According to https://github.com/llvm/llvm-project/commit/5829a98c48cf9009e4887e89e3075b3058909e8e
>     the sanitizers are compiled with -fno-stack-protector to avoid introducing a libc dependency.
>     Is this still necessary?  Are there any other reasons why sanitizers cannot be compiled with
>     stack protector enabled?
> 
>     -Tom
> 