diff options
| author | Kees Cook <keescook@chromium.org> | 2013-12-19 14:35:58 -0500 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2013-12-20 03:38:40 -0500 |
| commit | 19952a92037e752f9d3bbbad552d596f9a56e146 (patch) | |
| tree | 8a1930b4775cb17865c03faf55eafdd7b97be8ba /arch/Kconfig | |
| parent | b0031f227e47919797dc0e1c1990f3ef151ff0cc (diff) | |
stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
Instead of duplicating the CC_STACKPROTECTOR Kconfig and
Makefile logic in each architecture, switch to using
HAVE_CC_STACKPROTECTOR and keep everything in one place. This
retains the x86-specific bug verification scripts.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-2-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'arch/Kconfig')
| -rw-r--r-- | arch/Kconfig | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/arch/Kconfig b/arch/Kconfig index f1cf895c040f..24e026d83072 100644 --- a/arch/Kconfig +++ b/arch/Kconfig | |||
| @@ -336,6 +336,28 @@ config SECCOMP_FILTER | |||
| 336 | 336 | ||
| 337 | See Documentation/prctl/seccomp_filter.txt for details. | 337 | See Documentation/prctl/seccomp_filter.txt for details. |
| 338 | 338 | ||
| 339 | config HAVE_CC_STACKPROTECTOR | ||
| 340 | bool | ||
| 341 | help | ||
| 342 | An arch should select this symbol if: | ||
| 343 | - its compiler supports the -fstack-protector option | ||
| 344 | - it has implemented a stack canary (e.g. __stack_chk_guard) | ||
| 345 | |||
| 346 | config CC_STACKPROTECTOR | ||
| 347 | bool "Enable -fstack-protector buffer overflow detection" | ||
| 348 | depends on HAVE_CC_STACKPROTECTOR | ||
| 349 | help | ||
| 350 | This option turns on the -fstack-protector GCC feature. This | ||
| 351 | feature puts, at the beginning of functions, a canary value on | ||
| 352 | the stack just before the return address, and validates | ||
| 353 | the value just before actually returning. Stack based buffer | ||
| 354 | overflows (that need to overwrite this return address) now also | ||
| 355 | overwrite the canary, which gets detected and the attack is then | ||
| 356 | neutralized via a kernel panic. | ||
| 357 | |||
| 358 | This feature requires gcc version 4.2 or above, or a distribution | ||
| 359 | gcc with the feature backported. | ||
| 360 | |||
| 339 | config HAVE_CONTEXT_TRACKING | 361 | config HAVE_CONTEXT_TRACKING |
| 340 | bool | 362 | bool |
| 341 | help | 363 | help |