clang was already patched to pass -Wl,-z,relro to the linker by default. now it
also passes the equivalent of -Wl,-z,now.

clang's normal behavior on linux is to use stack smashing protection (SSP)
whenever a function defines a local array of 8 or more characters. this is the
equivalent of passing -fstack-protector with no additional options to gcc.
this release patches clang's default to instead behave as if
-fstack-protector-strong had been passed, enabling the canary in many more
conditions without the performance impact of adding it to ALL functions, as is
the case with -fstack-protector-all. these conditions include:

- local variable's address used as part of right hand side of assignment
- local variable's address used as function argument
- local variable is an array, regardless of array type or length
- same as above, but local variable is a union containing an array
- uses register local variables

SSP can still be disabled by passing in -fno-stack-protector.
You can still use -fstack-protector-all to add a canary to all functions.
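
To confirm that a built binary actually carries the defaults described above, the following check classifies readelf output. It is an added example, not part of the release notes or the patched toolchain; the function names classify_hardening and check_elf are hypothetical and both readelf excerpts are constructed.

```shell
#!/bin/sh
# Added example, not part of the release notes. Function names are hypothetical.

# Reads the combined text of `readelf -lW`, `readelf -dW` and `readelf -sW`
# on stdin and prints one line: relro=<yes|no> now=<yes|no> canary=<yes|no>
classify_hardening() {
    out=$(cat)
    relro=no; now=no; canary=no
    # -z relro: the linker emits a PT_GNU_RELRO program header.
    if printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then relro=yes; fi
    # -z now: a BIND_NOW dynamic tag, or the flag inside FLAGS / FLAGS_1.
    if printf '%s\n' "$out" | grep -Eq \
        '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*[[:space:]]NOW([[:space:]]|$)'
    then now=yes; fi
    # SSP: instrumented functions call __stack_chk_fail. A "no" here can also
    # mean no function met the -fstack-protector-strong conditions, or that a
    # static binary was stripped.
    if printf '%s\n' "$out" | grep -q '__stack_chk_fail'; then canary=yes; fi
    printf 'relro=%s now=%s canary=%s\n' "$relro" "$now" "$canary"
}

# Runs readelf (binutils) on a real file and classifies the result.
check_elf() {
    { readelf -lW "$1"; readelf -dW "$1"; readelf -sW "$1"; } 2>/dev/null |
        classify_hardening
}

# Constructed readelf excerpt for a binary linked with relro + now and SSP.
SAMPLE_HARDENED='  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail'

# Constructed excerpt for a binary linked with relro only and no canary calls.
SAMPLE_RELRO_ONLY='  GNU_RELRO      0x002e10 0x0000000000003e10 0x0000000000003e10 0x0001f0 0x0001f0 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: NODELETE PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts'

printf '%s\n' "$SAMPLE_HARDENED" | classify_hardening    # relro=yes now=yes canary=yes
printf '%s\n' "$SAMPLE_RELRO_ONLY" | classify_hardening  # relro=yes now=no canary=no
```

relro=yes together with now=yes is what checkers usually report as full RELRO; relro=yes alone leaves the lazily bound part of the GOT writable.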