El 21/06/17 a las 01:02, "Tóth Attila" escribió: > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt > The advisory suggests: > 1. Increase the size of the stack guard-page to at least 1MB > - I skip this point > 2. Recompile all userland code with GCC's "-fstack-check" option > - I checked current and recent gcc versions. > > 6.3.0 seems to be fine: > gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0) > gcc -dumpspecs | grep -B 1 stack-check > *cc1: > %{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu) > %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}} > %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC: > -fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check} > > 5.4.0 also looks fine: > gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5) > gcc -dumpspecs | grep -B 1 stack-check > *esp_cc1_ssp: > %{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}} > -- > *esp_options_ssp: > %{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| > fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} > %{fstack-check|fstack-check=*:;: -fstack-check} > > I assume it is OK like this. > Please confirm this conclusion. > Thx: Dw.
Stack-check is enabled since (at least) 4.8.4. But you'll need to have recompiled the whole system with stack-check enabled so it will work as it should as commented on https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html I'm working on preparing a statement we can publish on behalf of the project, but I'm unsure when it'll be ready.
signature.asc
Description: OpenPGP digital signature