[patch 2/5] -fstack-protector feature: Add the Kconfig option

From: Arjan van de Ven
Date: Wed Aug 16 2006 - 13:09:07 EST

Subject: [patch 2/5] Add the Kconfig option for the stackprotector feature
From: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>

This patch adds the config options for -fstack-protector.

Signed-off-by: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
CC: Andi Kleen <ak@xxxxxxx>

arch/x86_64/Kconfig | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)

Index: linux-2.6.18-rc4-stackprot/arch/x86_64/Kconfig
--- linux-2.6.18-rc4-stackprot.orig/arch/x86_64/Kconfig
+++ linux-2.6.18-rc4-stackprot/arch/x86_64/Kconfig
@@ -522,6 +522,30 @@ config SECCOMP

If unsure, say Y. Only embedded should say N here.

+ bool "Enable -fstack-protector buffer overflow detection (EXPRIMENTAL)"
+ depends on EXPERIMENTAL
+ help
+ This option turns on the -fstack-protector GCC feature. This
+ feature puts, at the beginning of critical functions, a canary
+ value on the stack just before the return address, and validates
+ the value just before actually returning. Stack based buffer
+ overflows (that need to overwrite this return address) now also
+ overwrite the canary, which gets detected and the attack is then
+ neutralized via a kernel panic.
+ This feature requires gcc version 4.2 or above, or a distribution
+ gcc with the feature backported. Older versions are automatically
+ detected and for those versions, this configuration option is ignored.
+ bool "Use stack-protector for all functions"
+ help
+ Normally, GCC only inserts the canary value protection for
+ functions that use large-ish on-stack buffers. By enabling
+ this option, GCC will be asked to do this for ALL functions.
source kernel/Kconfig.hz

config REORDER

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/