Product SiteDocumentation Site

13.2.2. Buffer Overflow detection and variable reordering

All of the software in Fedora Core and Extras software repository for this release is compiled using a security feature called a stack protector. This was using the compiler option -fstack-protector, which places a canary value on the stack of functions containing a local character array. Before returning from a protected function, the canary value is verified. If there was a buffer overflow, the canary will no longer match the expected value, aborting the program. The canary value is random each time the application is started, making remote exploitation very difficult. The stack protector feature does not protect against heap-based buffer overflows.
This is a security feature written by Red Hat developers (http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html), reimplementing the IBM ProPolice/SSP feature. For more information about ProPolice/SSP, refer to http://www.research.ibm.com/trl/projects/security/ssp/. This feature is available as part of the GCC 4.1 compiler used in Fedora Core 5.
The FORTIFY_SOURCE security feature for gcc and glibc introduced in Fedora Core 4 remains available. For more information about security features in Fedora, refer to http://fedoraproject.org/wiki/Security/Features.