Commit b62a5c74 authored by Arjan van de Ven's avatar Arjan van de Ven Committed by Andi Kleen
Browse files

[PATCH] Add the Kconfig option for the stackprotector feature 



This patch adds the config options for -fstack-protector.

Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarAndi Kleen <ak@suse.de>
CC: Andi Kleen <ak@suse.de>
parent 29a9af60

arch/x86_64/Kconfig

+24 −0
Original line number Diff line number Diff line
@@ -533,6 +533,30 @@ config SECCOMP 


	  If unsure, say Y. Only embedded should say N here.



config CC_STACKPROTECTOR

	bool "Enable -fstack-protector buffer overflow detection (EXPRIMENTAL)"

	depends on EXPERIMENTAL

	help

         This option turns on the -fstack-protector GCC feature. This

	  feature puts, at the beginning of critical functions, a canary

	  value on the stack just before the return address, and validates

	  the value just before actually returning.  Stack based buffer

	  overflows (that need to overwrite this return address) now also

	  overwrite the canary, which gets detected and the attack is then

	  neutralized via a kernel panic.



	  This feature requires gcc version 4.2 or above, or a distribution

	  gcc with the feature backported. Older versions are automatically

	  detected and for those versions, this configuration option is ignored.



config CC_STACKPROTECTOR_ALL

	bool "Use stack-protector for all functions"

	depends on CC_STACKPROTECTOR

	help

	  Normally, GCC only inserts the canary value protection for

	  functions that use large-ish on-stack buffers. By enabling

	  this option, GCC will be asked to do this for ALL functions.



source kernel/Kconfig.hz



config REORDER

CRA Git | Maintained and supported by SUSTech CRA and CCSE