[patch 2/5] -fstack-protector feature: Add the Kconfig option

From: Arjan van de Ven
Date: Wed Aug 16 2006 - 13:09:07 EST

Next message: Arjan van de Ven: "[patch 1/5] -fstack-protector feature: annotate the PDA offsets"
Previous message: Arjan van de Ven: "[patch 0/5] -fstack-protector feature for the kernel (try 2)"
In reply to: Arjan van de Ven: "[patch 4/5] -fstack-protector feature: Add the __stack_chk_fail()function"
Next in thread: Adrian Bunk: "Re: [patch 2/5] -fstack-protector feature: Add the Kconfig option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Subject: [patch 2/5] Add the Kconfig option for the stackprotector feature
From: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>

This patch adds the config options for -fstack-protector.

Signed-off-by: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
CC: Andi Kleen <ak@xxxxxxx>

---
arch/x86_64/Kconfig | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)

Index: linux-2.6.18-rc4-stackprot/arch/x86_64/Kconfig
===================================================================
--- linux-2.6.18-rc4-stackprot.orig/arch/x86_64/Kconfig
+++ linux-2.6.18-rc4-stackprot/arch/x86_64/Kconfig
@@ -522,6 +522,30 @@ config SECCOMP

If unsure, say Y. Only embedded should say N here.

+config CC_STACKPROTECTOR
+ bool "Enable -fstack-protector buffer overflow detection (EXPRIMENTAL)"
+ depends on EXPERIMENTAL
+ help
+ This option turns on the -fstack-protector GCC feature. This
+ feature puts, at the beginning of critical functions, a canary
+ value on the stack just before the return address, and validates
+ the value just before actually returning. Stack based buffer
+ overflows (that need to overwrite this return address) now also
+ overwrite the canary, which gets detected and the attack is then
+ neutralized via a kernel panic.
+
+ This feature requires gcc version 4.2 or above, or a distribution
+ gcc with the feature backported. Older versions are automatically
+ detected and for those versions, this configuration option is ignored.
+
+config CC_STACKPROTECTOR_ALL
+ bool "Use stack-protector for all functions"
+ depends on CC_STACKPROTECTOR
+ help
+ Normally, GCC only inserts the canary value protection for
+ functions that use large-ish on-stack buffers. By enabling
+ this option, GCC will be asked to do this for ALL functions.
+
source kernel/Kconfig.hz

config REORDER

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arjan van de Ven: "[patch 1/5] -fstack-protector feature: annotate the PDA offsets"
Previous message: Arjan van de Ven: "[patch 0/5] -fstack-protector feature for the kernel (try 2)"
In reply to: Arjan van de Ven: "[patch 4/5] -fstack-protector feature: Add the __stack_chk_fail()function"
Next in thread: Adrian Bunk: "Re: [patch 2/5] -fstack-protector feature: Add the Kconfig option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]