ARM: initial stack protector (-fstack-protector) support

This is the very basic stuff without the changing canary upon task switch yet. Just the Kconfig option and a constant canary value initialized at boot time. Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
author: Nicolas Pitre <nico@fluxnic.net> 2010-05-24 23:55:42 -0400
committer: Nicolas Pitre <nico@fluxnic.net> 2010-06-14 21:31:00 -0400
commit: c743f38013aeff58ef6252601e397b5ba281c633 (patch)
tree: b364e1690aff8a0dd97a83d4cb17bcadcdb5bd19 /arch/arm/Kconfig
parent: cc92c28b2db5b406657ecc05235d4ca4e222ae34 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 1f254bd6c937..f160b93691cd 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1374,6 +1374,18 @@ config UACCESS_WITH_MEMCPY
          However, if the CPU data cache is using a write-allocate mode,
          this option is unlikely to provide any performance gain.
+config CC_STACKPROTECTOR
+        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
+        help
+          This option turns on the -fstack-protector GCC feature. This
+          feature puts, at the beginning of functions, a canary value on
+          the stack just before the return address, and validates
+          the value just before actually returning.  Stack based buffer
+          overflows (that need to overwrite this return address) now also
+          overwrite the canary, which gets detected and the attack is then
+          neutralized via a kernel panic.
+          This feature requires gcc version 4.2 or above.
 endmenu
 menu "Boot options"
author	Nicolas Pitre <nico@fluxnic.net>	2010-05-24 23:55:42 -0400
committer	Nicolas Pitre <nico@fluxnic.net>	2010-06-14 21:31:00 -0400
commit	c743f38013aeff58ef6252601e397b5ba281c633 (patch)
tree	b364e1690aff8a0dd97a83d4cb17bcadcdb5bd19 /arch/arm/Kconfig
parent	cc92c28b2db5b406657ecc05235d4ca4e222ae34 (diff)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 1f254bd6c937..f160b93691cd 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig
@@ -1374,6 +1374,18 @@ config UACCESS_WITH_MEMCPY
1374	However, if the CPU data cache is using a write-allocate mode,	1374	However, if the CPU data cache is using a write-allocate mode,
1375	this option is unlikely to provide any performance gain.	1375	this option is unlikely to provide any performance gain.
1376		1376
		1377	config CC_STACKPROTECTOR
		1378	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
		1379	help
		1380	This option turns on the -fstack-protector GCC feature. This
		1381	feature puts, at the beginning of functions, a canary value on
		1382	the stack just before the return address, and validates
		1383	the value just before actually returning. Stack based buffer
		1384	overflows (that need to overwrite this return address) now also
		1385	overwrite the canary, which gets detected and the attack is then
		1386	neutralized via a kernel panic.
		1387	This feature requires gcc version 4.2 or above.
		1388
1377	endmenu	1389	endmenu
1378		1390
1379	menu "Boot options"	1391	menu "Boot options"