https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

The advisory suggests:

1. Increase the size of the stack guard-page to at least 1MB
   - I skip this point

2. Recompile all userland code with GCC's "-fstack-check" option
   - I checked current and recent gcc versions.

6.3.0 seems to be fine:

gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0)

gcc -dumpspecs | grep -B 1 stack-check
*cc1:
%{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu) %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}} %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC: -fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check}

5.4.0 also looks fine:

gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5)

gcc -dumpspecs | grep -B 1 stack-check
*esp_cc1_ssp:
%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}
--
*esp_options_ssp:
%{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} %{fstack-check|fstack-check=*:;: -fstack-check}

I assume it is OK like this. Please confirm this conclusion.

Thx:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
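
Added example, not part of the original message: a shell helper that lists which sections of `gcc -dumpspecs` carry the default-on rule for -fstack-check, as opposed to sections that merely mention the option (the esp_cc1_ssp match above has an empty body and adds nothing). The function name and the sample functions are hypothetical; the samples are constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example: list the `gcc -dumpspecs` sections that turn -fstack-check on
# by default. Spec text is read from stdin; on a real system run:
#   gcc -dumpspecs | stack_check_default_sections

# Spec idiom "%{A|B:;: X}": if option A or B was given add nothing, else add X.
IDIOM='%{fstack-check|fstack-check=*:;: -fstack-check}'

# Prints each section name whose spec contains the idiom; exit 0 if any, else 1.
stack_check_default_sections() {
    awk -v idiom="$IDIOM" '
        /^\*[A-Za-z0-9_]+:[ \t]*$/ {      # section header such as "*cc1:"
            name = $1; sub(/^\*/, "", name); sub(/:$/, "", name); next
        }
        index($0, idiom) { print name; found = 1 }
        END { exit !found }
    '
}

# Constructed sample: the 5.4.0 grep output from the message, one spec per line.
sample_540() {
    cat <<'EOF'
*esp_cc1_ssp:
%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}
--
*esp_options_ssp:
%{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} %{fstack-check|fstack-check=*:;: -fstack-check}
EOF
}

# Constructed sample: a spec that only mentions stack-check with an empty body.
sample_mention_only() {
    cat <<'EOF'
*esp_cc1_ssp:
%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}
EOF
}

sample_540 | stack_check_default_sections
sample_mention_only | stack_check_default_sections || echo "no default rule"
```

An explicit -fno-stack-check in a package's CFLAGS is outside what the specs show, so build logs still need checking for that flag.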