GCC Stack Protector options
The following options come from the GCC 4.9.3 manual:
- -fno-stack-protector: Disable the stack protector check.
- -fstack-protector: Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.
- -fstack-protector-all: Like -fstack-protector except that all functions are protected.
- -fstack-protector-strong: Like -fstack-protector but includes additional functions to be protected: those that have local array definitions, or have references to local frame addresses.
Comment 1: The 8-byte threshold can be configured with "--param=ssp-buffer-size=N"; N=8 by default in GCC upstream. Various distributions ended up lowering their default --param=ssp-buffer-size to 4, since there were still cases of functions that should have been protected but that the conservative GCC upstream default of 8 wasn't covering.
Comment 2: Overflows don't always happen in a plain buffer; for example, a member in a struct can be the target of an overflow. This kind of overflow can't be protected by
Comment 3:
- performance: -fstack-protector > -fstack-protector-strong > -fstack-protector-all
- coverage: -fstack-protector < -fstack-protector-strong < -fstack-protector-all
Comment 4: From Reference 2, we learn the conditions under which -fstack-protector-strong adds the stack protector check:
- local variable’s address used as part of the right hand side of an assignment or function argument
- local variable is an array (or union containing an array), regardless of array type or length
- uses register local variables
(Why include the third condition? From Kees's comment: "It was to catch unusual ways to get a reference to the frame address, with things like 'register unsigned rsp __asm__("rsp");', etc.")
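To see which functions each option actually instruments, the following added shell script (not from the GCC manual or this page) compiles a constructed four-function sample with gcc -S under each flag and counts the __stack_chk_fail call sites in the assembly; the function names big_buf, small_buf, addr_taken and plain are my own. It assumes a gcc of 4.9 or later and the upstream ssp-buffer-size default of 8; a distribution that lowered it to 4 will also instrument small_buf under plain -fstack-protector.

```shell
#!/bin/sh
# Added example: compile a constructed sample under each stack protector option and
# count how many functions received a canary check. Assumes gcc >= 4.9 is on PATH.
write_sample() {
    cat > "$1" <<'EOF'
/* constructed sample: each function exercises one heuristic; no headers needed */
int big_buf(const char *s) {           /* char[64]: >= the default ssp-buffer-size of 8 */
    char buf[64]; int i;
    for (i = 0; i < 63 && s[i]; i++) buf[i] = s[i];
    buf[i] = 0; return buf[0];
}
int small_buf(const char *s) {         /* char[4]: below 8, so only -strong/-all cover it */
    char buf[4]; int i;
    for (i = 0; i < 3 && s[i]; i++) buf[i] = s[i];
    buf[i] = 0; return buf[0];
}
int addr_taken(int (*f)(int *)) {      /* no array, but &x escapes as a call argument */
    int x = 0; return f(&x);
}
int plain(int a, int b) { return a * b + 1; }  /* nothing the heuristics look for */
EOF
}

# Print the number of functions whose epilogue calls __stack_chk_fail when the
# sample is compiled with the given flag. -O0 keeps every local on the stack so the
# count reflects the heuristic alone, not the optimizer; -S needs no assembler or libc.
protected_count() {
    dir=$(mktemp -d)
    write_sample "$dir/sample.c"
    gcc -O0 "$1" -S -o "$dir/sample.s" "$dir/sample.c"
    n=$(grep -c '__stack_chk_fail' "$dir/sample.s" || true)
    rm -rf "$dir"
    echo "$n"
}

# Expected with upstream defaults: 0, 1, 3, 4 (a distro with ssp-buffer-size=4 gives 2 for -fstack-protector)
if command -v gcc >/dev/null 2>&1; then
    for flag in -fno-stack-protector -fstack-protector -fstack-protector-strong -fstack-protector-all; do
        printf '%-25s protected functions: %s\n' "$flag" "$(protected_count "$flag")"
    done
fi
```

The same grep over a real project's assembly (or objdump -d on the binary, looking for __stack_chk_fail calls) is a quick way to confirm that a distribution's default flags cover the functions you expect.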