mirror of
https://github.com/opnsense/src.git
synced 2026-03-12 05:32:15 -04:00
The general stack protector is known to be weak and has pretty small coverage. While setting stack-protector-all would give better protection it would come with a performance cost: for this reason Google's Chrome OS team developed a new stack-protector-strong variant.

In addition to the protections offered by -fstack-protector, the new option will guard any function that declares any type or length of local array, even those in structs or unions. It will also protect functions that use a local variable's address in a function argument or on the right-hand side of an assignment.

The option was introduced in GCC-4.9, but support for it has been back-ported to our base GCC (r286074) and is also available in clang.

The change was tested with dbench and doesn't introduce performance regressions. An exp-run over the ports tree revealed no failures when using the stricter stack-protector-all. Thanks to all testers involved.

Reference: https://outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
Tested by: pho, portmgr (antoine)
Discussed with: secteam (delphij)
Differential Revision: https://reviews.freebsd.org/D3463
PR: 203394 (exp-run)
Relnotes: yes
MFC: no (not supported in older clang)
||
|---|---|---|
| colldef | ||
| dict | ||
| doc | ||
| dtrace | ||
| examples | ||
| i18n | ||
| keys | ||
| man | ||
| me | ||
| misc | ||
| mk | ||
| mklocale | ||
| monetdef | ||
| msgdef | ||
| numericdef | ||
| security | ||
| sendmail | ||
| skel | ||
| snmp | ||
| syscons | ||
| tabset | ||
| termcap | ||
| tests | ||
| timedef | ||
| vt | ||
| zoneinfo | ||
| Makefile | ||
| Makefile.inc | ||