diff options
author | Arjan van de Ven <arjan@linux.intel.com> | 2006-09-26 04:52:38 -0400 |
---|---|---|
committer | Andi Kleen <andi@basil.nowhere.org> | 2006-09-26 04:52:38 -0400 |
commit | b62a5c740df1e3d49a97349fce0c6a23f633d7fe (patch) | |
tree | d29b6a60f5d8d4d0d93c4eeece5526e8f9281f1c /arch | |
parent | 29a9af60e2120f874d0c600bf9e27617254a0488 (diff) |
[PATCH] Add the Kconfig option for the stackprotector feature
This patch adds the config options for -fstack-protector.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andi Kleen <ak@suse.de>
CC: Andi Kleen <ak@suse.de>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/x86_64/Kconfig | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/arch/x86_64/Kconfig b/arch/x86_64/Kconfig index 927b392a4aa0..0c61d0019dd7 100644 --- a/arch/x86_64/Kconfig +++ b/arch/x86_64/Kconfig | |||
@@ -533,6 +533,30 @@ config SECCOMP | |||
533 | 533 | ||
534 | If unsure, say Y. Only embedded should say N here. | 534 | If unsure, say Y. Only embedded should say N here. |
535 | 535 | ||
536 | config CC_STACKPROTECTOR | ||
537 | bool "Enable -fstack-protector buffer overflow detection (EXPRIMENTAL)" | ||
538 | depends on EXPERIMENTAL | ||
539 | help | ||
540 | This option turns on the -fstack-protector GCC feature. This | ||
541 | feature puts, at the beginning of critical functions, a canary | ||
542 | value on the stack just before the return address, and validates | ||
543 | the value just before actually returning. Stack based buffer | ||
544 | overflows (that need to overwrite this return address) now also | ||
545 | overwrite the canary, which gets detected and the attack is then | ||
546 | neutralized via a kernel panic. | ||
547 | |||
548 | This feature requires gcc version 4.2 or above, or a distribution | ||
549 | gcc with the feature backported. Older versions are automatically | ||
550 | detected and for those versions, this configuration option is ignored. | ||
551 | |||
552 | config CC_STACKPROTECTOR_ALL | ||
553 | bool "Use stack-protector for all functions" | ||
554 | depends on CC_STACKPROTECTOR | ||
555 | help | ||
556 | Normally, GCC only inserts the canary value protection for | ||
557 | functions that use large-ish on-stack buffers. By enabling | ||
558 | this option, GCC will be asked to do this for ALL functions. | ||
559 | |||
536 | source kernel/Kconfig.hz | 560 | source kernel/Kconfig.hz |
537 | 561 | ||
538 | config REORDER | 562 | config REORDER |