From 8ebc4d6aab2e306b8266b9a5916f42751b4d5a46 Mon Sep 17 00:00:00 2001 From: Elliott Hughes Date: Mon, 14 Dec 2015 11:15:15 -0800 Subject: [PATCH] Enable -fstack-protector-strong for x86. This results in nearly all functions with the possibility of stack corruption getting stack canaries, because it applies to any function taking a reference to the frame or with a local array rather than just the functions with arrays larger than 8 bytes. It was developed for use in Chrome (and Chrome OS) and has also been adopted by various other distributions (Arch, Fedora, Ubuntu, etc). The code size increase ranges from ~1.5% to ~2.5%, compared to ~0.3% to ~0.7% with the more conservative switch. The increase in the performance loss is usually minimal. The overall size increase once everything other than C and C++ code is taken into account is minimal, and it greatly improves the mitigation of stack buffer overflow vulnerabilities. https://lwn.net/Articles/584225/ Change-Id: I55a9fdbf5777ccdeed9f2e9a23c73bb94ad7b646 --- core/combo/TARGET_linux-x86.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/combo/TARGET_linux-x86.mk b/core/combo/TARGET_linux-x86.mk index 7d2b6de1b..558ec3b6b 100644 --- a/core/combo/TARGET_linux-x86.mk +++ b/core/combo/TARGET_linux-x86.mk @@ -94,7 +94,7 @@ $(combo_2nd_arch_prefix)TARGET_GLOBAL_CFLAGS += \ -fstrict-aliasing \ -funswitch-loops \ -funwind-tables \ - -fstack-protector \ + -fstack-protector-strong \ -m32 \ -no-canonical-prefixes \ -fno-canonical-system-headers \