GCC 4.8.3+ Does anybody aware of Stack Smashing Protection ?

David Holmes david.holmes at oracle.com
Tue Jun 9 04:21:45 UTC 2015


Hi Dmitry,

On 6/06/2015 5:31 AM, Dmitry Samersoff wrote:
> Hi Everybody,
>
> I'm not sure it affects hotspot but should we care about it?
>
> FYI:
>
> Beginning with GCC 4.8.3, Stack Smashing Protection (SSP) will be
> enabled by default.  The 4.8 series will enable -fstack-protector
> while 4.9 and later enable -fstack-protector-strong.

We initially added -fstack-protector-all (and related settings under):

https://bugs.openjdk.java.net/browse/JDK-8032045

We removed the  -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 definitions under 
8047952 as they broke fastdebug builds.

If we were to make the official compiler one that enables this by 
default then we would have to re-examine its affects on all platforms 
and the costs involved - and then allow or disable as appropriate.

Cheers,
David

> SSP is a security feature that attempts to mitigate stack-based buffer
> overflows by placing a canary value on the stack after the function
> return pointer and checking for that value before the function returns.
> If a buffer overflow occurs and the canary value is overwritten, the
> program aborts.
>
> There is a small performance cost to these features.  They can be
> disabled with -fno-stack-protector.
>
> For more information these options, refer to the GCC Manual, or the
> following articles.
>
> http://en.wikipedia.org/wiki/Buffer_overflow_protection
> http://en.wikipedia.org/wiki/Stack_buffer_overflow
> https://securityblog.redhat.com/tag/stack-protector
> http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong
>
> -Dmitry
>


More information about the hotspot-dev mailing list