* [gentoo-hardened] -fforce-addr in CFLAGS.
@ 2005-06-19 18:53 Simon Strandman
2005-06-19 21:28 ` Patrick Rutkowski
2005-06-20 2:09 ` Ned Ludd
0 siblings, 2 replies; 5+ messages in thread
From: Simon Strandman @ 2005-06-19 18:53 UTC
To: gentoo-hardened
I just checked make.defaults for the x86 hardened profile and it has
CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
Why the -fforce-addr? Does it have any impact on security?
I use hardened on my home server but I don't have -fforce-addr in its
CFLAGS. Should I add it?
--
Simon Strandman <simon.strandman@telia.com>
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] -fforce-addr in CFLAGS.
From: Patrick Rutkowski @ 2005-06-19 21:28 UTC
To: gentoo-hardened
On Sunday 19 June 2005 02:53 pm, Simon Strandman wrote:
> I just checked make.defaults for the x86 hardened profile and it has
> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
>
> Why the -fforce-addr? Does it have any impact on security?
>
> I use hardened on my home server but I don't have -fforce-addr in its
> CFLAGS. Should I add it?
>
> --
> Simon Strandman <simon.strandman@telia.com>
The gcc man page states
-fforce-addr
Force memory address constants to be copied into registers before doing
arithmetic on them. This may produce better code just as -fforce-mem may.
Off the bat, I don't see any glaringly obvious security risks, it's probably a
safe flag; then again, I'm not an expert.
* Re: [gentoo-hardened] -fforce-addr in CFLAGS.
From: James Larkby-Lahet @ 2005-06-20 1:26 UTC
To: gentoo-hardened
On Jun 19, 2005, at 5:28 PM, Patrick Rutkowski wrote:
> On Sunday 19 June 2005 02:53 pm, Simon Strandman wrote:
>> I just checked make.defaults for the x86 hardened profile and it has
>> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
>>
>> Why the -fforce-addr? Does it have any impact on security?
>>
>> I use hardened on my home server but I don't have -fforce-addr in its
>> CFLAGS. Should I add it?
>>
>> --
>> Simon Strandman <simon.strandman@telia.com>
> The gcc man page states
>
> -fforce-addr
> Force memory address constants to be copied into registers before doing
> arithmetic on them. This may produce better code just as -fforce-mem may.
Anyone know, better with respect to what? (i.e. faster instructions,
nicer to the cache, "more" correct...)
james
* Re: [gentoo-hardened] -fforce-addr in CFLAGS.
From: Kumba @ 2005-06-20 1:40 UTC
To: gentoo-hardened
James Larkby-Lahet wrote:
>
> Anyone know, better with respect to what? (i.e. faster instructions, nicer
> to the cache, "more" correct...)
It's a safe flag. I've used it for the last two or so years on x86, sparc, and
mips. I believe it complements -fforce-mem (which is implied by -O2, while
-fforce-addr isn't). At one point, -fforce-addr solved a bug in ssp until the
ssp maintainer implemented his own fix.
--Kumba
--
Gentoo/MIPS Team Lead
Gentoo Foundation Board of Trustees
"Such is oft the course of deeds that move the wheels of the world: small hands
do them because they must, while the eyes of the great are elsewhere." --Elrond
* Re: [gentoo-hardened] -fforce-addr in CFLAGS.
From: Ned Ludd @ 2005-06-20 2:09 UTC
To: gentoo-hardened
On Sun, 2005-06-19 at 20:53 +0200, Simon Strandman wrote:
> I just checked make.defaults for the x86 hardened profile and it has
> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
>
> Why the -fforce-addr? Does it have any impact on security?
>
> I use hardened on my home server but I don't have -fforce-addr in its
> CFLAGS. Should I add it?
This may seem bad but I forget exactly. I think it was the result of an
academic security discussion that pappy the PaX author and myself
participated in a very long time ago. If my memory serves me right
(often fails me) we use it to keep gcc from being smart and incorrectly
over/under optimizing some areas of code. I think the main reason it's
listed in the CFLAGS was to help aid in the prevention of a precise type
of ret2libc attack with the other mechanisms in place by forcing the
attack to happen in a single atomic operation.
It's an optional flag however. I use it also.
--
Ned Ludd <solar@gentoo.org>