Wow
Thanks a lot, Javier.
Xavier
On Tue, 27 Jun 2023 15:51:32 -0600
Javier <je-vv at e.email> ha escrit:
> On 6/27/23 15:06, Xavier B. wrote:
> > Hi,
> >
> > I know that arch compiles packages with -fstack-protector-strong option. Are artix packages do the same?
> >
> > Thanks in advance,
> >
> > Xavier
>
> Unless Arch changes the build flags on all or most packages, see it makepkg.conf [1]:
>
> > -fstack-clash-protection
>
> Which is the same Artix uses on /etc/makepkg.conf. I think both are in sync... The flags CR [2] was about "stack-clash-protection", not "stack-protector-strong". On gcc options [3]:
>
> > -fstack-protector
> >
> > Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than or equal to 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits. Only variables that are actually allocated on the stack are considered, optimized away variables or variables allocated in registers don’t count.
> > -fstack-protector-all
> >
> > Like -fstack-protector except that all functions are protected.
> > -fstack-protector-strong
> >
> > Like -fstack-protector but includes additional functions to be protected — those that have local array definitions, or have references to local frame addresses. Only variables that are actually allocated on the stack are considered, optimized away variables or variables allocated in registers don’t count.
> >
> > ...
> >
> > -fstack-clash-protection
> >
> > Generate code to prevent stack clash style attacks. When this option is enabled, the compiler will only allocate one page of stack space at a time and each page is accessed immediately after allocation. Thus, it prevents allocations from jumping over any stack guard page provided by the operating system.
> >
> > Most targets do not fully support stack clash protection. However, on those targets -fstack-clash-protection will protect dynamic stack allocations. -fstack-clash-protection may also provide limited protection for static stack allocations if the target supports -fstack-check=specific.
>
> So if I'm not mistaken, the options you were asking for is not used by default on every package built, unless the packages themselves include such flag...
>
> --
> Javier
>
>
> [1] https://gitlab.archlinux.org/archlinux/packaging/packages/pacman/-/blob/main/makepkg.conf
> [2] https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/3
> [3] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html
More information about the artix-general
mailing list