|
|
@@ -533,6 +533,30 @@ config SECCOMP
|
|
|
|
|
|
If unsure, say Y. Only embedded should say N here.
|
|
|
|
|
|
+config CC_STACKPROTECTOR
|
|
|
+ bool "Enable -fstack-protector buffer overflow detection (EXPRIMENTAL)"
|
|
|
+ depends on EXPERIMENTAL
|
|
|
+ help
|
|
|
+ This option turns on the -fstack-protector GCC feature. This
|
|
|
+ feature puts, at the beginning of critical functions, a canary
|
|
|
+ value on the stack just before the return address, and validates
|
|
|
+ the value just before actually returning. Stack based buffer
|
|
|
+ overflows (that need to overwrite this return address) now also
|
|
|
+ overwrite the canary, which gets detected and the attack is then
|
|
|
+ neutralized via a kernel panic.
|
|
|
+
|
|
|
+ This feature requires gcc version 4.2 or above, or a distribution
|
|
|
+ gcc with the feature backported. Older versions are automatically
|
|
|
+ detected and for those versions, this configuration option is ignored.
|
|
|
+
|
|
|
+config CC_STACKPROTECTOR_ALL
|
|
|
+ bool "Use stack-protector for all functions"
|
|
|
+ depends on CC_STACKPROTECTOR
|
|
|
+ help
|
|
|
+ Normally, GCC only inserts the canary value protection for
|
|
|
+ functions that use large-ish on-stack buffers. By enabling
|
|
|
+ this option, GCC will be asked to do this for ALL functions.
|
|
|
+
|
|
|
source kernel/Kconfig.hz
|
|
|
|
|
|
config REORDER
|
Arjan van de Ven