about -Wstack-protector

Andrew Bartlett abartlet at samba.org
Wed Nov 14 04:08:38 MST 2012


On Wed, 2012-11-14 at 00:30 -0800, Matthieu Patou wrote:
> On 11/13/2012 04:32 AM, Björn JACKE wrote:
> > Hi Matthieu,
> >
> > On 2012-11-11 at 13:46 -0800 Matthieu Patou sent off:
> >> in change e6643fbf you added a search for -Wstack-protector.
> >> I'm not sure that lib/replace/wscript is the place for this kind of
> >> tests,
> > that's the place where similar things have been setup in waf before. Wanna
> > propose a better place?
> >
> Well I think that at the root in wscript but that just my humble point 
> of view.

We have tried to make librepace be mostly about portability stuff.  The
other place that is pulled into all projects is the buildtools/wafsamba
code.  

I agree that distinctions here have not been well expressed.

> >> also it would have been nice not to mess tabs and space, we
> >> tend to use only space for indentation in python script.
> > sorry, I'll fix this or we should clear that when we move it to a different
> > place in the waf build then.
> >
> >   
> >> What's more important is that if you want the warning to be effective you
> >> need to enable -fstack-protector, for instance on my linux 12.04 ubuntu it's
> >> not but on my mac mini it's on.
> > ahh, that's why there came no warnings. I was actually surprised that samba
> > should be stack-protector warning clean :-)
> yeah ... but trust me on mac mini it's highly verbose
> >
> >
> >> And last but not least having warnings about the stack protector not being
> >> setup is good but in the same time it generates a lot of new warnings, maybe
> >> we should fix the existing ones before ?
> > do you have some fixes from your OS X build already?
> no but I can get you an account if you want to log and try fixing it, I 
> guess that you could be able to reproduce on any linux platform if you 
> add the -fstack-protector
> 
> But really I'm not too keen on adding more warnings, also I'm not so 
> sure on how to fix it, it seems that the fix is not obvious my 
> understanding is that you get a warning when there isn't a 4/8 (more ?) 
> bytes array in the stack variables but I'm not even sure that I got it 
> right and if so why does it needs to have an array at least that big.
> 
> Note that I don't think that using -fstack-protector is a bad idea and 
> maybe we should enable it but adding the warnings for when gcc can't add 
> the stack protection is maybe useless for the moment.

I agree.  This doesn't belong in the code until both -fstack-protector
is already on, and if there is any meaningful thing a developer can do
to fix it.  Otherwise we just create noise.

Until then, as a probe of how much this might fire, consider
CFLAGS=-Wstack-protector

Indeed, it seems a very odd warning at all - it is more like a
diagnostic, so you can tell if you might really want to set
-fstack-protector-all, not a warning about something you can fix by
changing code.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the samba-technical mailing list