Enable gcc's -fstack-protector-all by default?
Darren Tucker
dtucker at zip.com.au
Tue Nov 27 04:30:04 EST 2007
Hi all.
For a while, gcc has supported a stack protection mechanism
(-fstack-protector and friends, available in gcc 4.1.2 and up).
Can anyone think of a good reason not to enable it if the compiler
supports it? A quick test here shows minimal difference in runtime over
a full regress pass (~10sec over 8.5 minutes, and since the machine is
not entirely idle that could be experimental error).
Index: configure.ac
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/configure.ac,v
retrieving revision 1.386
diff -u -p -r1.386 configure.ac
--- configure.ac 26 Sep 2007 21:03:20 -0000 1.386
+++ configure.ac 26 Nov 2007 09:30:15 -0000
@@ -105,6 +105,15 @@ if test "$GCC" = "yes" || test "$GCC" =
*) ;;
esac
+ AC_MSG_CHECKING(if $GCC understands -fstack-protector-all)
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fstack-protector-all"
+ AC_TRY_COMPILE([], [ int main(void){return 0;} ],
+ [ AC_MSG_RESULT(yes) ],
+ [ AC_MSG_RESULT(no)
+ CFLAGS="$saved_CFLAGS" ]
+ )
+
if test -z "$have_llong_max"; then
# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
unset ac_cv_have_decl_LLONG_MAX
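Review bot: the AC_TRY_COMPILE test in the added block only compiles and never links, so it can answer "yes" on a platform where gcc accepts -fstack-protector-all but the stack-protector runtime symbols (__stack_chk_fail and the guard, supplied by libc or libssp) are not available at link time. In that case the flag stays in CFLAGS and the failure shows up later, when the binaries are linked. Using AC_TRY_LINK (or AC_LINK_IFELSE) with the same save and restore of CFLAGS would catch that case at configure time. Two smaller points: AC_MSG_CHECKING interpolates $GCC, which the surrounding test shows holds "yes", so the message prints "if yes understands -fstack-protector-all" and $CC is probably what was meant; and the body argument of AC_TRY_COMPILE is already placed inside a generated main(), so passing "int main(void){return 0;}" defines a nested function, which only compiles as a GNU C extension. An empty body or a plain statement would be cleaner.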
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.