diff options
| -rw-r--r-- | Makefile | 37 | ||||
| -rw-r--r-- | arch/Kconfig | 8 | ||||
| -rw-r--r-- | kernel/configs/tiny.config | 4 |
3 files changed, 45 insertions, 4 deletions
| @@ -680,6 +680,10 @@ endif | |||
| 680 | # This selects the stack protector compiler flag. Testing it is delayed | 680 | # This selects the stack protector compiler flag. Testing it is delayed |
| 681 | # until after .config has been reprocessed, in the prepare-compiler-check | 681 | # until after .config has been reprocessed, in the prepare-compiler-check |
| 682 | # target. | 682 | # target. |
| 683 | ifdef CONFIG_CC_STACKPROTECTOR_AUTO | ||
| 684 | stackp-flag := $(call cc-option,-fstack-protector-strong,$(call cc-option,-fstack-protector)) | ||
| 685 | stackp-name := AUTO | ||
| 686 | else | ||
| 683 | ifdef CONFIG_CC_STACKPROTECTOR_REGULAR | 687 | ifdef CONFIG_CC_STACKPROTECTOR_REGULAR |
| 684 | stackp-flag := -fstack-protector | 688 | stackp-flag := -fstack-protector |
| 685 | stackp-name := REGULAR | 689 | stackp-name := REGULAR |
| @@ -688,12 +692,18 @@ ifdef CONFIG_CC_STACKPROTECTOR_STRONG | |||
| 688 | stackp-flag := -fstack-protector-strong | 692 | stackp-flag := -fstack-protector-strong |
| 689 | stackp-name := STRONG | 693 | stackp-name := STRONG |
| 690 | else | 694 | else |
| 695 | # If either there is no stack protector for this architecture or | ||
| 696 | # CONFIG_CC_STACKPROTECTOR_NONE is selected, we're done, and $(stackp-name) | ||
| 697 | # is empty, skipping all remaining stack protector tests. | ||
| 698 | # | ||
| 691 | # Force off for distro compilers that enable stack protector by default. | 699 | # Force off for distro compilers that enable stack protector by default. |
| 692 | stackp-flag := $(call cc-option, -fno-stack-protector) | 700 | KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector) |
| 701 | endif | ||
| 693 | endif | 702 | endif |
| 694 | endif | 703 | endif |
| 695 | # Find arch-specific stack protector compiler sanity-checking script. | 704 | # Find arch-specific stack protector compiler sanity-checking script. |
| 696 | ifdef stackp-name | 705 | ifdef stackp-name |
| 706 | ifneq ($(stackp-flag),) | ||
| 697 | stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh | 707 | stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh |
| 698 | stackp-check := $(wildcard $(stackp-path)) | 708 | stackp-check := $(wildcard $(stackp-path)) |
| 699 | # If the wildcard test matches a test script, run it to check functionality. | 709 | # If the wildcard test matches a test script, run it to check functionality. |
| @@ -705,9 +715,17 @@ ifdef stackp-name | |||
| 705 | ifndef stackp-broken | 715 | ifndef stackp-broken |
| 706 | # If the stack protector is functional, enable code that depends on it. | 716 | # If the stack protector is functional, enable code that depends on it. |
| 707 | KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR | 717 | KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR |
| 718 | # Either we've already detected the flag (for AUTO) or we'll fail the | ||
| 719 | # build in the prepare-compiler-check rule (for specific flag). | ||
| 720 | KBUILD_CFLAGS += $(stackp-flag) | ||
| 721 | else | ||
| 722 | # We have to make sure stack protector is unconditionally disabled if | ||
| 723 | # the compiler is broken (in case we're going to continue the build in | ||
| 724 | # AUTO mode). | ||
| 725 | KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector) | ||
| 708 | endif | 726 | endif |
| 709 | endif | 727 | endif |
| 710 | KBUILD_CFLAGS += $(stackp-flag) | 728 | endif |
| 711 | 729 | ||
| 712 | ifeq ($(cc-name),clang) | 730 | ifeq ($(cc-name),clang) |
| 713 | KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,) | 731 | KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,) |
| @@ -1102,15 +1120,28 @@ PHONY += prepare-compiler-check | |||
| 1102 | prepare-compiler-check: FORCE | 1120 | prepare-compiler-check: FORCE |
| 1103 | # Make sure compiler supports requested stack protector flag. | 1121 | # Make sure compiler supports requested stack protector flag. |
| 1104 | ifdef stackp-name | 1122 | ifdef stackp-name |
| 1123 | # Warn about CONFIG_CC_STACKPROTECTOR_AUTO having found no option. | ||
| 1124 | ifeq ($(stackp-flag),) | ||
| 1125 | @echo CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ | ||
| 1126 | Compiler does not support any known stack-protector >&2 | ||
| 1127 | else | ||
| 1128 | # Fail if specifically requested stack protector is missing. | ||
| 1105 | ifeq ($(call cc-option, $(stackp-flag)),) | 1129 | ifeq ($(call cc-option, $(stackp-flag)),) |
| 1106 | @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ | 1130 | @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ |
| 1107 | $(stackp-flag) not supported by compiler >&2 && exit 1 | 1131 | $(stackp-flag) not supported by compiler >&2 && exit 1 |
| 1108 | endif | 1132 | endif |
| 1133 | endif | ||
| 1109 | endif | 1134 | endif |
| 1110 | # Make sure compiler does not have buggy stack-protector support. | 1135 | # Make sure compiler does not have buggy stack-protector support. If a |
| 1136 | # specific stack-protector was requested, fail the build, otherwise warn. | ||
| 1111 | ifdef stackp-broken | 1137 | ifdef stackp-broken |
| 1138 | ifeq ($(stackp-name),AUTO) | ||
| 1139 | @echo CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ | ||
| 1140 | $(stackp-flag) available but compiler is broken: disabling >&2 | ||
| 1141 | else | ||
| 1112 | @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ | 1142 | @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \ |
| 1113 | $(stackp-flag) available but compiler is broken >&2 && exit 1 | 1143 | $(stackp-flag) available but compiler is broken >&2 && exit 1 |
| 1144 | endif | ||
| 1114 | endif | 1145 | endif |
| 1115 | @: | 1146 | @: |
| 1116 | 1147 | ||
diff --git a/arch/Kconfig b/arch/Kconfig index 9330a9d79dc3..76c0b54443b1 100644 --- a/arch/Kconfig +++ b/arch/Kconfig | |||
| @@ -541,7 +541,7 @@ config HAVE_CC_STACKPROTECTOR | |||
| 541 | choice | 541 | choice |
| 542 | prompt "Stack Protector buffer overflow detection" | 542 | prompt "Stack Protector buffer overflow detection" |
| 543 | depends on HAVE_CC_STACKPROTECTOR | 543 | depends on HAVE_CC_STACKPROTECTOR |
| 544 | default CC_STACKPROTECTOR_NONE | 544 | default CC_STACKPROTECTOR_AUTO |
| 545 | help | 545 | help |
| 546 | This option turns on the "stack-protector" GCC feature. This | 546 | This option turns on the "stack-protector" GCC feature. This |
| 547 | feature puts, at the beginning of functions, a canary value on | 547 | feature puts, at the beginning of functions, a canary value on |
| @@ -588,6 +588,12 @@ config CC_STACKPROTECTOR_STRONG | |||
| 588 | about 20% of all kernel functions, which increases the kernel code | 588 | about 20% of all kernel functions, which increases the kernel code |
| 589 | size by about 2%. | 589 | size by about 2%. |
| 590 | 590 | ||
| 591 | config CC_STACKPROTECTOR_AUTO | ||
| 592 | bool "Automatic" | ||
| 593 | help | ||
| 594 | If the compiler supports it, the best available stack-protector | ||
| 595 | option will be chosen. | ||
| 596 | |||
| 591 | endchoice | 597 | endchoice |
| 592 | 598 | ||
| 593 | config THIN_ARCHIVES | 599 | config THIN_ARCHIVES |
diff --git a/kernel/configs/tiny.config b/kernel/configs/tiny.config index 7fa0c4ae6394..9bfdffc100da 100644 --- a/kernel/configs/tiny.config +++ b/kernel/configs/tiny.config | |||
| @@ -10,3 +10,7 @@ CONFIG_OPTIMIZE_INLINING=y | |||
| 10 | # CONFIG_SLAB is not set | 10 | # CONFIG_SLAB is not set |
| 11 | # CONFIG_SLUB is not set | 11 | # CONFIG_SLUB is not set |
| 12 | CONFIG_SLOB=y | 12 | CONFIG_SLOB=y |
| 13 | CONFIG_CC_STACKPROTECTOR_NONE=y | ||
| 14 | # CONFIG_CC_STACKPROTECTOR_REGULAR is not set | ||
| 15 | # CONFIG_CC_STACKPROTECTOR_STRONG is not set | ||
| 16 | # CONFIG_CC_STACKPROTECTOR_AUTO is not set | ||