[ubuntu-hardened] [16.04 LTS] Why Linux kernel is compiled using "-fstack-protector-all" option, instead of previously used "strong" variant?

daniel curtis sidetripping at gmail.com
Sun Sep 17 10:32:13 UTC 2017


Hello

For some time I've been noticing that the kernel in the 16.04 LTS release is
compiled with runtime stack overflow checking using the
"-fstack-protector-all" option instead of the previously used
"-fstack-protector-strong". What is the reason for such a change? Did
something happen?

As we know, the "-fstack-protector-all" option will protect all functions,
right? But "-fstack-protector-strong" has been developed to broaden the
scope of the stack protection. (As an additional plus, "any function using
local register variables will be protected" also.) Maybe the reason is that the
ultra-paranoid "all" is considered the better solution?

I'm asking about this because a couple of weeks ago new Linux kernels
were built with the "-fstack-protector-strong" option. Now
"-fstack-protector-all" is in use. It seems that adding
"-fstack-protector-all" to all compile commands can bring a big performance
penalty. And the most important thing: "-fstack-protector-strong" strikes
the balance between "-fstack-protector" and "-fstack-protector-all", right?

So, are there any plans to compile/build the Linux kernel for the 16.04 LTS release
using "-fstack-protector-strong" just as before? Here are the two latest build
logs, for v4.4.0-95 and v4.4.0-96 (I've checked these changes for the i386 and
amd64 architectures.)

https://launchpadlibrarian.net/336198288/buildlog_ubuntu-xenial-i386.linux_4.4.0-95.118_BUILDING.txt.gz
https://launchpadlibrarian.net/336759520/buildlog_ubuntu-xenial-amd64.linux_4.4.0-96.119_BUILDING.txt.gz

In both cases "-fstack-protector-all" was used. What is the reason for
such a change? "-fstack-protector-strong" seems to be the better solution
from a security point of view, right? So why such a sudden change? Are
there any plans to return to the "strong" variant?

Sorry if I made a mistake with my question. But I was really surprised
that the "all" option is in use. (Earlier, Linux kernels for 16.04 LTS
were compiled with the "strong" variant.)

Thanks, best regards.
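An added example, not part of the original post or of Ubuntu's kernel packaging: a small Python script that audits which stack-protector option is actually in force for each object file in a kernel build log, i.e. the check the author did by hand on the Launchpad logs above. The log lines embedded in it are constructed for the example, not copied from the linked logs; the regular expressions assume the usual `gcc ... -c ... -o file.o` shape of kbuild compile lines; and the "last option wins" rule relies on GCC treating `-fstack-protector`, `-fstack-protector-all`, `-fstack-protector-strong` and `-fno-stack-protector` as mutually exclusive, with the final one on the command line taking effect.

```python
import re
from collections import Counter

# Constructed sample of compile lines in the style of a kernel build log.
# These are made up for the example and are not taken from the Launchpad logs.
SAMPLE_LOG = """\
  gcc -Wp,-MD,kernel/.fork.o.d -nostdinc -fno-strict-aliasing -fstack-protector-all -O2 -c -o kernel/fork.o kernel/fork.c
  gcc -Wp,-MD,mm/.slab.o.d -nostdinc -fstack-protector-strong -O2 -c -o mm/slab.o mm/slab.c
  gcc -Wp,-MD,arch/x86/boot/.header.o.d -fno-stack-protector -c -o arch/x86/boot/header.o arch/x86/boot/header.c
  gcc -Wp,-MD,lib/.string.o.d -fstack-protector-strong -fstack-protector-all -c -o lib/string.o lib/string.c
  gcc -Wp,-MD,drivers/.foo.o.d -O2 -c -o drivers/foo.o drivers/foo.c
  ld -m elf_x86_64 -r -o vmlinux.o arch/x86/kernel/head.o
"""

# The four mutually exclusive GCC stack-protector options. The last one on a
# command line wins, so only the final occurrence matters.
PROTECTOR_FLAGS = ("-fstack-protector", "-fstack-protector-all",
                   "-fstack-protector-strong", "-fno-stack-protector")

# A compile line starts with the compiler (optionally path-prefixed) ...
COMPILE_RE = re.compile(r"^\s*(?:\S*/)?(?:gcc|cc|clang)\s")
# ... and names its output object with -o; the .o suffix keeps us off -MD deps.
OBJECT_RE = re.compile(r"\s-o\s+(\S+\.o)(?:\s|$)")


def effective_flag(command):
    """Return the stack-protector option in force for one compile command,
    or None if none appears (the compiler's built-in default then applies)."""
    winner = None
    for token in command.split():
        if token in PROTECTOR_FLAGS:
            winner = token          # later option overrides earlier ones
    return winner


def summarize(log_text):
    """Map each object file compiled in the log to its effective option and
    count how often each option is used. Link lines (ld) are ignored."""
    per_object = {}
    for line in log_text.splitlines():
        if not COMPILE_RE.match(line) or " -c " not in line:
            continue
        m = OBJECT_RE.search(line)
        if not m:
            continue
        per_object[m.group(1)] = effective_flag(line)
    return per_object, Counter(per_object.values())


def find_mismatches(log_text, expected="-fstack-protector-strong"):
    """List objects whose effective option differs from the one you expect.
    Objects built with -fno-stack-protector or no option at all show up too,
    which is useful for spotting boot code or a dropped flag."""
    per_object, _ = summarize(log_text)
    return sorted(obj for obj, flag in per_object.items() if flag != expected)


if __name__ == "__main__":
    objects, totals = summarize(SAMPLE_LOG)
    for obj, flag in objects.items():
        print(f"{obj:28} {flag}")
    print("\ntotals:", dict(totals))
    print("not built with -fstack-protector-strong:",
          find_mismatches(SAMPLE_LOG))
```

To run it against a real log, decompress the Launchpad `BUILDING.txt.gz` and pass its contents to `summarize` instead of `SAMPLE_LOG`; the totals tell you at a glance which variant the build used, and `find_mismatches` lists the objects deliberately built without a canary (early boot code is the usual case) alongside any that silently picked up a different option.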