An question about default opened option "-fstack-protector-strong"

Shao, Ting ting.shao at intel.com
Wed Jun 20 03:42:46 UTC 2018 

Dear Dimitri,

Thanks a lot for the reminder of the toolchain related and package related rules, that would be much helpful for making our decisions.

Regards,
Shaoting

-----Original Message-----
From: dimitri.ledkov at surgut.co.uk [mailto:dimitri.ledkov at surgut.co.uk] On Behalf Of Dimitri John Ledkov
Sent: Monday, June 18, 2018 8:50 PM
To: Shao, Ting <ting.shao at intel.com>
Cc: ubuntu-devel-discuss at lists.ubuntu.com
Subject: Re: An question about default opened option "-fstack-protector-strong"

On 14 June 2018 at 08:03, Shao, Ting <ting.shao at intel.com> wrote:
> Hi,
>
> I was trying to enable the “stack smashing protection” for 
> node.js(issue 20928). And I switched it on using “-fstack-protector”
> And made a benchmark test, while the result is quite strange. Then I 
> found on my Ubuntu 16.04, the –fstack-protector-strong Was by default 
> enabled. I checked it using the command:
>
> Gcc –Q –v main.c
>
> And found the –fstack-protector-strong flag was listed inside the 
> “options passed” by default.
>
> So based on these, I have some questions:
>
> I installed gcc from apt-get by default, is Ubuntu providing a 
> customized version of GCC?
> If answer of 1 is yes, then you may have a repo that host the 
> customized GCC code, if I am right, could you please show me where I 
> can find the proof of that customization?
>
> That would be much appreciated. J Or if you can’t find the right code, 
> can you show me where I can find the repo, then I can traverse the 
> code and history to find the proof myself.
>

Some of our default toolchain flags are documented at:
https://wiki.ubuntu.com/ToolChain/CompilerFlags

Security-related distribution features (which include many toolchain
customizations) are documented at:
https://wiki.ubuntu.com/Security/Features

The userspace hardening section does mention "Note: Ubuntu's compiler hardening applies not only to its official builds but also anything built on Ubuntu using its compiler." This ensures that self-compiled / 3rd-party code has on-par security when redistributed, or when targetting Ubuntu platform. The Ubuntu toolchain is an integral part of the Ubuntu product line.

--
Regards,

Dimitri.

More information about the Ubuntu-devel-discuss mailing list