x86: unify stackprotector features

streamline the stackprotector features under a single option and make the stronger feature the one accessible. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Ingo Molnar <mingo@elte.hu> 2008-02-14 04:36:03 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2008-05-26 10:15:32 -0400
commit: 113c5413cf9051cc50b88befdc42e3402bb92115 (patch)
tree: 79b93ba5c5309c619b7fbb0341f69cee9fcf8468
parent: 960a672bd9f1ec06e8f197cf81a50fd07ea02e7f (diff)
1 files changed, 9 insertions, 13 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 83d8392c1334..0cd1695c24fb 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1140,13 +1140,17 @@ config SECCOMP
          If unsure, say Y. Only embedded should say N here.
+config CC_STACKPROTECTOR_ALL
+        bool
 config CC_STACKPROTECTOR
        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
        depends on X86_64
+        select CC_STACKPROTECTOR_ALL
        help
-         This option turns on the -fstack-protector GCC feature. This
+          This option turns on the -fstack-protector GCC feature. This
-          feature puts, at the beginning of critical functions, a canary
+          feature puts, at the beginning of functions, a canary value on
-          value on the stack just before the return address, and validates
+          the stack just before the return address, and validates
          the value just before actually returning.  Stack based buffer
          overflows (that need to overwrite this return address) now also
          overwrite the canary, which gets detected and the attack is then
@@ -1154,16 +1158,8 @@ config CC_STACKPROTECTOR
          This feature requires gcc version 4.2 or above, or a distribution
          gcc with the feature backported. Older versions are automatically
-          detected and for those versions, this configuration option is ignored.
+          detected and for those versions, this configuration option is
+          ignored. (and a warning is printed during bootup)
-config CC_STACKPROTECTOR_ALL
-        bool "Use stack-protector for all functions"
-        depends on CC_STACKPROTECTOR
-        default y
-        help
-          Normally, GCC only inserts the canary value protection for
-          functions that use large-ish on-stack buffers. By enabling
-          this option, GCC will be asked to do this for ALL functions.
 source kernel/Kconfig.hz
author	Ingo Molnar <mingo@elte.hu>	2008-02-14 04:36:03 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2008-05-26 10:15:32 -0400
commit	113c5413cf9051cc50b88befdc42e3402bb92115 (patch)
tree	79b93ba5c5309c619b7fbb0341f69cee9fcf8468
parent	960a672bd9f1ec06e8f197cf81a50fd07ea02e7f (diff)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 83d8392c1334..0cd1695c24fb 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -1140,13 +1140,17 @@ config SECCOMP
1140		1140
1141	If unsure, say Y. Only embedded should say N here.	1141	If unsure, say Y. Only embedded should say N here.
1142		1142
		1143	config CC_STACKPROTECTOR_ALL
		1144	bool
		1145
1143	config CC_STACKPROTECTOR	1146	config CC_STACKPROTECTOR
1144	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"	1147	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
1145	depends on X86_64	1148	depends on X86_64
		1149	select CC_STACKPROTECTOR_ALL
1146	help	1150	help
1147	This option turns on the -fstack-protector GCC feature. This	1151	This option turns on the -fstack-protector GCC feature. This
1148	feature puts, at the beginning of critical functions, a canary	1152	feature puts, at the beginning of functions, a canary value on
1149	value on the stack just before the return address, and validates	1153	the stack just before the return address, and validates
1150	the value just before actually returning. Stack based buffer	1154	the value just before actually returning. Stack based buffer
1151	overflows (that need to overwrite this return address) now also	1155	overflows (that need to overwrite this return address) now also
1152	overwrite the canary, which gets detected and the attack is then	1156	overwrite the canary, which gets detected and the attack is then
@@ -1154,16 +1158,8 @@ config CC_STACKPROTECTOR
1154		1158
1155	This feature requires gcc version 4.2 or above, or a distribution	1159	This feature requires gcc version 4.2 or above, or a distribution
1156	gcc with the feature backported. Older versions are automatically	1160	gcc with the feature backported. Older versions are automatically
1157	detected and for those versions, this configuration option is ignored.	1161	detected and for those versions, this configuration option is
1158		1162	ignored. (and a warning is printed during bootup)
1159	config CC_STACKPROTECTOR_ALL
1160	bool "Use stack-protector for all functions"
1161	depends on CC_STACKPROTECTOR
1162	default y
1163	help
1164	Normally, GCC only inserts the canary value protection for
1165	functions that use large-ish on-stack buffers. By enabling
1166	this option, GCC will be asked to do this for ALL functions.
1167		1163
1168	source kernel/Kconfig.hz	1164	source kernel/Kconfig.hz
1169		1165