Re: Switch on compiler hardening defaults
Hi,
On Mon, Oct 26, 2009 at 01:36:28PM +0100, Florian Weimer wrote:
> * Kees Cook:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> Seems a good idea to me. But I think we should defer the required
> full archive rebuild until we've got the hardening patch for operator
> new[] (which currently can return a heap block which is smaller than
> requested). I've got a preliminary version, but it's got a hole when
> operator new[] is invoked on a variable-length array. The easy fix
> would probably be to outlaw heap allocation of VLAs (it's one of those C
> GCC extensions that leaked into C++, and it's arguably less needed for
> C++).
Right, I agree with this -- I figure this release can be seen as a
transition release, where not everything is compiled that way. I don't
want to introduce so much archive churn anyway.
-Kees
--
Kees Cook @debian.org
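As an added illustration of the operator new[] problem Florian describes (example code, not from the thread and not the GCC hardening patch itself): the unchecked count * sizeof(T) arithmetic beside the overflow check a hardened array allocation has to perform. Function names are hypothetical; the huge element count is a constructed input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// The arithmetic an unchecked operator new[] performs: count * sizeof(T),
// which wraps modulo 2^bits(size_t) and yields a block smaller than requested.
std::size_t unchecked_array_bytes(std::size_t count, std::size_t elem_size) {
    return count * elem_size;
}

// The check a hardened allocation needs: report failure instead of wrapping.
bool checked_array_bytes(std::size_t count, std::size_t elem_size, std::size_t* out) {
    if (elem_size != 0 && count > std::numeric_limits<std::size_t>::max() / elem_size) {
        return false;  // product would not fit in size_t
    }
    *out = count * elem_size;
    return true;
}

// Hypothetical helper: raw storage for `count` elements of `elem_size` bytes,
// throwing std::bad_array_new_length (the C++11 exception for this case) on overflow.
void* hardened_new_array(std::size_t count, std::size_t elem_size) {
    std::size_t bytes = 0;
    if (!checked_array_bytes(count, elem_size, &bytes)) {
        throw std::bad_array_new_length();
    }
    return ::operator new(bytes);
}

// True when the hardened path refuses the request, false when it allocates.
bool hardened_alloc_rejects(std::size_t count) {
    try {
        void* p = hardened_new_array(count, sizeof(std::uint64_t));
        ::operator delete(p);
        return false;
    } catch (const std::bad_array_new_length&) {
        return true;
    }
}

int main() {
    // Constructed input: one more than the largest count that fits, so the
    // unchecked product wraps to 8 bytes on both 32- and 64-bit targets.
    const std::size_t huge = std::numeric_limits<std::size_t>::max() / 8 + 2;
    std::printf("unchecked: %zu bytes\n", unchecked_array_bytes(huge, 8));  // 8
    std::printf("hardened rejects: %d\n", hardened_alloc_rejects(huge));    // 1
    return 0;
}
```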