From: Hanno Böck
To: gentoo-hardened@lists.gentoo.org
Date: Thu, 22 Jun 2017 12:30:02 +0200
Subject: Re: [gentoo-hardened] Gentoo Hardened and Stack Clash

Hi,

I'm not claiming that I understand all the issues, but I wonder how that all affects "normal" Gentoo.

Let me summarize my understanding:

* We currently enable -fstack-check=specific on hardened, but not on normal Gentoo.
* -fstack-check provides protection against stack clashes, but it is not ideal / can sometimes be circumvented. However it is expected / hoped that future versions of gcc will improve on that and provide a better implementation.
* According to gcc's man page I understand that -fstack-check=specific is equivalent to -fstack-check and there is also -fstack-check=generic, which is considered deprecated.

There's already work underway to push -pie via a new profile to default Gentoo. I wonder: Should -fstack-check be pushed as well?

Open questions I have:

* Are there measurements of the performance overhead of -fstack-check?
* Are there other downsides of -fstack-check? Is it expected that enabling it breaks things?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42