Enable gcc's -fstack-protector-all by default?
Rick Jones
rick.jones2 at hp.com
Tue Nov 27 05:14:04 EST 2007
Darren Tucker wrote:
> Hi all.
>
> For a while, gcc has supported a stack protection mechanism
> (-fstack-protector and friends, available in gcc 4.1.2 and up).
>
> Can anyone think of a good reason not to enable it if the compiler
> supports it? A quick test here shows minimal difference in runtime over
> a full regress pass (~10sec over 8.5 minutes, and since the machine is
> not entirely idle that could be experimental error).
Is this stack protection architecture neutral?
rick jones
>
> Index: configure.ac
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh/configure.ac,v
> retrieving revision 1.386
> diff -u -p -r1.386 configure.ac
> --- configure.ac 26 Sep 2007 21:03:20 -0000 1.386
> +++ configure.ac 26 Nov 2007 09:30:15 -0000
> @@ -105,6 +105,15 @@ if test "$GCC" = "yes" || test "$GCC" =
> *) ;;
> esac
>
> + AC_MSG_CHECKING(if $GCC understands -fstack-protector-all)
> + saved_CFLAGS="$CFLAGS"
> + CFLAGS="$CFLAGS -fstack-protector-all"
> + AC_TRY_COMPILE([], [ int main(void){return 0;} ],
> + [ AC_MSG_RESULT(yes) ],
> + [ AC_MSG_RESULT(no)
> + CFLAGS="$saved_CFLAGS" ]
> + )
> +
> if test -z "$have_llong_max"; then
> # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
> unset ac_cv_have_decl_LLONG_MAX
>
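Review bot: AC_TRY_COMPILE in the added block only compiles the test program, so configure will answer "yes" on a toolchain that accepts -fstack-protector-all but cannot link or run the result. The guard symbols (__stack_chk_guard, __stack_chk_fail) have to come from libc or libssp, so a link test (AC_TRY_LINK), or a run test when not cross-compiling, would make the check match what the build actually needs. Two smaller points in the same block: the AC_MSG_CHECKING text expands $GCC, which is "yes" at this point according to the enclosing test, so $CC is probably what was meant. Also, the second argument of AC_TRY_COMPILE is already placed inside a main() body, so "int main(void){return 0;}" becomes a nested function definition; it could be left empty or reduced to a plain statement.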
More information about the openssh-unix-dev
mailing list