diff options
Diffstat (limited to 'scripts/gcc-plugins')
| -rw-r--r-- | scripts/gcc-plugins/Kconfig | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index cb0c889e13aa..977b84e69787 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig | |||
| @@ -139,4 +139,23 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | |||
| 139 | in structures. This reduces the performance hit of RANDSTRUCT | 139 | in structures. This reduces the performance hit of RANDSTRUCT |
| 140 | at the cost of weakened randomization. | 140 | at the cost of weakened randomization. |
| 141 | 141 | ||
| 142 | config GCC_PLUGIN_STACKLEAK | ||
| 143 | bool "Erase the kernel stack before returning from syscalls" | ||
| 144 | depends on GCC_PLUGINS | ||
| 145 | depends on HAVE_ARCH_STACKLEAK | ||
| 146 | help | ||
| 147 | This option makes the kernel erase the kernel stack before | ||
| 148 | returning from system calls. That reduces the information which | ||
| 149 | kernel stack leak bugs can reveal and blocks some uninitialized | ||
| 150 | stack variable attacks. | ||
| 151 | |||
| 152 | The tradeoff is the performance impact: on a single CPU system kernel | ||
| 153 | compilation sees a 1% slowdown, other systems and workloads may vary | ||
| 154 | and you are advised to test this feature on your expected workload | ||
| 155 | before deploying it. | ||
| 156 | |||
| 157 | This plugin was ported from grsecurity/PaX. More information at: | ||
| 158 | * https://grsecurity.net/ | ||
| 159 | * https://pax.grsecurity.net/ | ||
| 160 | |||
| 142 | endif | 161 | endif |