GCC 4.8.3+ Does anybody aware of Stack Smashing Protection ? (original) (raw)

David Holmes david.holmes at oracle.com
Tue Jun 9 04:21:45 UTC 2015

Hi Dmitry,

On 6/06/2015 5:31 AM, Dmitry Samersoff wrote:

Hi Everybody,

I'm not sure it affects hotspot but should we care about it? FYI: Beginning with GCC 4.8.3, Stack Smashing Protection (SSP) will be enabled by default. The 4.8 series will enable -fstack-protector while 4.9 and later enable -fstack-protector-strong.

We initially added -fstack-protector-all (and related settings under):

https://bugs.openjdk.java.net/browse/JDK-8032045

We removed the -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 definitions under 8047952 as they broke fastdebug builds.

If we were to make the official compiler one that enables this by default then we would have to re-examine its affects on all platforms and the costs involved - and then allow or disable as appropriate.

Cheers, David

SSP is a security feature that attempts to mitigate stack-based buffer overflows by placing a canary value on the stack after the function return pointer and checking for that value before the function returns. If a buffer overflow occurs and the canary value is overwritten, the program aborts.

There is a small performance cost to these features. They can be disabled with -fno-stack-protector. For more information these options, refer to the GCC Manual, or the following articles. http://en.wikipedia.org/wiki/Bufferoverflowprotection http://en.wikipedia.org/wiki/Stackbufferoverflow https://securityblog.redhat.com/tag/stack-protector http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong -Dmitry

More information about the hotspot-dev mailing list