
"Strong" stack protection for GCC

Posted Mar 11, 2020 14:49 UTC (Wed) by randguy (guest, #137701)
Parent article: "Strong" stack protection for GCC

Hi,

I am using the Yocto Project for our BSP. I tried adding CONFIG_CC_STACKPROTECTOR_STRONG in the kernel configuration and later added -fstack-protector-strong in the makefile of our application too. Still, the cfa_problems_report generated from ISAFW (meta-security-isafw) claims that our application does not have stack protector. Please let me know if I am missing anything.

More on meta-security-isafw:
https://www.nccgroup.trust/globalassets/our-research/us/w...

Please refer to page number 14, section 3.2.2.



"Strong" stack protection for GCC

Posted Mar 17, 2020 22:21 UTC (Tue) by nix (subscriber, #2304)

-fstack-protector-strong does not stack-protect every function, only those with char arrays. If you want to stack-protect literally *everything*, use -fstack-protector-all. (This really does have a noticeable performance impact, though, and I'm not sure the kernel has been tested with it. It certainly requires more attention, because things like kernels often have functions in assembler which either assume that they themselves, or that functions they call, do not use the stack-protector -- and if those functions don't use char arrays, they will always be right: so they are suddenly broken by the use of -fstack-protector-all. It took me a while to fix all the glibc bugs in this area. God knows what kernel problems would show up.)
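The per-function behaviour of the flags discussed in this thread can be observed on a build host by compiling small sources with each flag and looking for a reference to `__stack_chk_fail`, one common indicator that a canary check was emitted. This is an added example, not part of either comment; the sample sources and the helper names `write_samples`, `canary_status` and `demo` are constructed for illustration, and it assumes `gcc` (or `$CC`) and `nm` are installed.

```shell
#!/bin/sh
# Added example: which functions get a stack canary under each GCC flag.

# write_samples DIR: create two constructed C sources in DIR.
write_samples() {
    # plain.c: no local arrays and no address-taken locals.
    printf 'int add(int a, int b) { return a + b; }\n' > "$1/plain.c"
    # buf.c: a local char array handed to another function.
    printf 'void sink(char *);\nvoid fill(void) { char b[64]; sink(b); }\n' > "$1/buf.c"
}

# canary_status FLAG SRC: compile SRC with FLAG and print
# "protected" if the object references __stack_chk_fail, else "unprotected".
canary_status() {
    obj="${2%.c}.o"
    # -O0 keeps the comparison independent of optimisation decisions.
    "${CC:-gcc}" -O0 "$1" -c "$2" -o "$obj" 2>/dev/null || { echo compile-error; return 0; }
    if nm "$obj" | grep -q 'stack_chk_fail'; then
        echo protected
    else
        echo unprotected
    fi
}

# demo: print a flag / source / result table for the constructed samples.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for flag in -fno-stack-protector -fstack-protector-strong -fstack-protector-all; do
        for src in plain.c buf.c; do
            printf '%-26s %-8s %s\n' "$flag" "$src" "$(canary_status "$flag" "$dir/$src")"
        done
    done
    rm -rf "$dir"
}

demo
```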

