Subject: Re: [gentoo-hardened] -fforce-addr in CFLAGS.
From: Ned Ludd
To: gentoo-hardened@lists.gentoo.org
Date: Sun, 19 Jun 2005 22:09:50 -0400
Message-Id: <1119233390.2896.25.camel@localhost>
In-Reply-To: <42B5BF3D.7010708@telia.com>

On Sun, 2005-06-19 at 20:53 +0200, Simon Strandman wrote:
> I just checked make.defaults for the x86 hardened profile and it has
> CFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr".
>
> Why the -fforce-addr? Does it have any impact on security?
>
> I use hardened on my home server but I don't have -fforce-addr in its
> CFLAGS. Should I add it?

This may seem bad but I forget exactly. I think it was the result of an academic security discussion that pappy the PaX author and myself participated in a very long time ago. If my memory serves me right (often fails me) we use it to keep gcc from being smart and incorrectly over/under optimizing some areas of code.

I think the main reason it's listed in the CFLAGS was to help aid in the prevention of a precise type of ret2libc attack with the other mechanisms in place by forcing the attack to happen in a single atomic operation.

It's an optional flag however. I use it also.

--
Ned Ludd