I thought this would make it to the hg bugfix log. -fno-stack-protector -fstack-protector-all
seems like a nice flag combo.

It resolves the issue in Ubuntu, and it doesn't do any harm in other distros either, as far as I can tell.

Mike 

On Sun, Aug 21, 2011 at 9:52 PM, Michael Sioutis <papito.dit@gmail.com> wrote:
I found a good solution: compiler option -fno-stack-protector

Example:
$ cat test.c
#include <stdio.h>

int main(void)
{
    char x[3];
    return 0;
}

$ gcc -o test test.c -fno-stack-protector -fstack-protector-all -Wstack-protector

$ hardening-check test
test:
 Position Independent Executable: no, normal executable!
 Stack protected: yes <-- SUCCESS!!!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: no, not found!

Whereas..

$ gcc -o test test.c -fstack-protector-all -Wstack-protector
test.c: In function ‘main’:
test.c:3: warning: not protecting function: no buffer at least 8 bytes long

$ hardening-check test
test:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found! <-- You get a warning and NO success!!!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: no, not found!

Think it's a gcc bug, -fstack-protector-all should oversubscribe default enabled -fstack-protector.

Mike

On Sun, Aug 21, 2011 at 8:07 PM, Fabian Groffen <Fabian.Groffen@cwi.nl> wrote:
On 21-08-2011 19:58:45 +0300, Michael Sioutis wrote:
> I passed --param ssp-buffer-size=2 as a compiler option and make went fine
> :)
> Configuring with --disable-strict also works, since a lot of flags are
> disabled.
>
> I only have a warning about some opt_centiped file that could not be opened,
> and something about the datacell module that could not be
> loaded, but other than that the installation seems functional for simple
> operations.

Use the latest release branch (candidate): Aug2011, that's a lot safer.

Disable experimental features that you won't need anyway (don't
--enable-datacell).

> I'm attaching the merovingian.log just in case.
>
> I think for gcc >= 4.5 -fstack-protector-all should be replaced by
> -fstack-protector, but I could be mistaken.

We need to use -fstack-protector-all because some distributions (e.g.
Ubuntu) have decided to enable -fstack-protector by default, and in that
mode gcc will issue a warning when it won't protect a function because
it is under the threshold of 8 bytes (which Ubuntu seems to have
quietly altered as well), which with -Werror becomes a warning.  Hence
we need to force gcc to protect all functions, regardless of whether or not
they use more than 8 bytes of stack.
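
The comparison made in this thread, as an added shell example that is not part of the original messages: it builds the same test.c with each flag combination and reports whether the resulting binary references __stack_chk_fail, the function GCC's stack-protector code calls when the canary check fails. The function names and the reliance on cc (or $CC) and binutils' readelf are assumptions; the result for -fstack-protector-all alone depends on the compiler version and distribution defaults, as the thread reports.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes cc (or $CC) and readelf exist.

# Succeeds if the ELF file references __stack_chk_fail, i.e. at least one
# function in it was compiled with a stack canary check.
has_stack_protector() {
    readelf -sW "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# Compiles the thread's test.c with the given flags and prints "yes" or "no".
# Exits with status 2 if the build fails. The body is a subshell, so $dir
# does not leak into the caller.
build_and_check() (
    dir=$(mktemp -d) || exit 2
    cat > "$dir/test.c" <<'EOF'
#include <stdio.h>

int main(void)
{
    char x[3];
    return 0;
}
EOF
    # Compiler warnings (e.g. from -Wstack-protector) go to stderr.
    if ! "${CC:-cc}" -o "$dir/test" "$dir/test.c" "$@"; then
        rm -rf "$dir"
        exit 2
    fi
    if has_stack_protector "$dir/test"; then echo yes; else echo no; fi
    rm -rf "$dir"
)

# The three flag combinations discussed in the thread.
for flags in "-fno-stack-protector" \
             "-fstack-protector-all -Wstack-protector" \
             "-fno-stack-protector -fstack-protector-all -Wstack-protector"; do
    # $flags is intentionally unquoted so it splits into separate options.
    result=$(build_and_check $flags) || result="build failed"
    printf '%-62s stack protected: %s\n' "$flags" "$result"
done
```

Because the check looks at the linked binary rather than at the flags passed, it also catches the case where a distribution's default options silently change what the compiler does.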
