Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#39984 - [linux] consider enabling CONFIG_CC_STACKPROTECTOR_STRONG
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Monday, 21 April 2014, 05:37 GMT
Last edited by Thomas Bächler (brain0) - Tuesday, 22 April 2014, 07:38 GMT
Details

We currently enable CONFIG_CC_STACKPROTECTOR_REGULAR. The "strong" stack protection was introduced by Google for use in Chrome/ChromeOS as a way of catching many more vulnerabilities without the full overhead of `-fstack-protector-all`. This will increase the kernel size a bit, along with a very minor performance impact.

It's unlikely that it will ever result in a significant difference on any benchmarks or in the real world, but there's a very good chance of it preventing a CVE issue now and then.

http://lwn.net/Articles/584225/

> The kernel with -fstack-protector turned on is 0.33% larger and covers 2.81% of the functions in the kernel. For -fstack-protector-strong, those numbers are an increase of 2.4% in code size over an unprotected kernel, but 20.5% of the functions are covered.
Closed by Thomas Bächler (brain0)
Tuesday, 22 April 2014, 07:38 GMT
Reason for closing: None
Additional comments about closing: We don't even have a compiler that supports this flag yet.
Comment by Allan McRae (Allan) -
Monday, 21 April 2014, 07:04 GMT
This is scheduled when gcc-4.9 is released and in the repos.
Comment by Daniel Micay (thestinger) -
Monday, 21 April 2014, 07:08 GMT
Ah, I didn't realize this was also going to be enabled in the kernel. Oh well.
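
The two checks this report turns on, as an added example that is not part of the original ticket or of Arch's kernel packaging: which stack-protector level a kernel config selects, and whether the compiler accepts `-fstack-protector-strong` at all. The function names and the sample config are constructed for illustration; the `CONFIG_STACKPROTECTOR*` spellings are the names later kernels use for the same options.

```shell
#!/bin/sh
# Added example: audit the stack-protector level recorded in a kernel config.
# Reads config text on stdin, prints one of: strong, regular, none, unknown.
stackprotector_level() {
    awk '
        # Option names from the era of this report
        /^CONFIG_CC_STACKPROTECTOR_STRONG=y/     { strong = 1 }
        /^CONFIG_CC_STACKPROTECTOR_REGULAR=y/    { regular = 1 }
        /^CONFIG_CC_STACKPROTECTOR=y/            { regular = 1 }
        /^CONFIG_CC_STACKPROTECTOR_NONE=y/       { none = 1 }
        /^# CONFIG_CC_STACKPROTECTOR is not set/ { none = 1 }
        # Option names used by later kernels after the rename
        /^CONFIG_STACKPROTECTOR_STRONG=y/        { strong = 1 }
        /^CONFIG_STACKPROTECTOR=y/               { regular = 1 }
        /^# CONFIG_STACKPROTECTOR is not set/    { none = 1 }
        END {
            # The generic symbol is set alongside STRONG, so STRONG wins.
            if (strong)       print "strong"
            else if (regular) print "regular"
            else if (none)    print "none"
            else              print "unknown"
        }'
}

# Succeeds if the given compiler (default: gcc) accepts the flag.
# A compiler that predates the flag rejects it during option parsing.
cc_supports_strong() {
    echo 'int probe;' |
        "${1:-gcc}" -fstack-protector-strong -fsyntax-only -x c - 2>/dev/null
}

# Constructed sample: the relevant lines of a config with the regular
# protector selected, as the report describes.
SAMPLE_REGULAR='CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set'

printf '%s\n' "$SAMPLE_REGULAR" | stackprotector_level   # prints: regular
```

On a running system the input can come from `zcat /proc/config.gz` where the kernel exposes it, and `cc_supports_strong gcc && echo supported` reports on the toolchain.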