diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-20 22:26:31 +0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-20 22:26:31 +0400 |
| commit | ad3ab302fd8239a1ddee01e606683c3197ca6908 (patch) | |
| tree | d4984d29bcc90252118bdf3a0c32d5c1e027fc08 /arch/x86/Kconfig | |
| parent | a693c46e14c9fdadbcd68ddfa94a4f72495531a9 (diff) | |
| parent | 8779657d29c0ebcc0c94ede4df2f497baf1b563f (diff) | |
| download | linux-ad3ab302fd8239a1ddee01e606683c3197ca6908.tar.xz | |
Merge branch 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull strong stackprotector support from Ingo Molnar:
"This tree adds a CONFIG_CC_STACKPROTECTOR_STRONG=y, a new, stronger
stack canary checking method supported by the newest GCC versions (4.9
and later).
Here's the 'intensity comparison' between the various protection
modes:
- defconfig
11430641 kernel text size
36110 function bodies
- defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR
11468490 kernel text size (+0.33%)
1015 of 36110 functions are stack-protected (2.81%)
- defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch
11692790 kernel text size (+2.24%)
7401 of 36110 functions are stack-protected (20.5%)
the strong model comes with non-trivial costs, which is why we
preserved the 'regular' and 'none' models as well"
* 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
Diffstat (limited to 'arch/x86/Kconfig')
| -rw-r--r-- | arch/x86/Kconfig | 17 |
1 files changed, 1 insertions, 16 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0952ecd60eca..838e7c34dd60 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -125,6 +125,7 @@ config X86 select RTC_LIB select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 + select HAVE_CC_STACKPROTECTOR config INSTRUCTION_DECODER def_bool y @@ -1617,22 +1618,6 @@ config SECCOMP If unsure, say Y. Only embedded should say N here. -config CC_STACKPROTECTOR - bool "Enable -fstack-protector buffer overflow detection" - ---help--- - This option turns on the -fstack-protector GCC feature. This - feature puts, at the beginning of functions, a canary value on - the stack just before the return address, and validates - the value just before actually returning. Stack based buffer - overflows (that need to overwrite this return address) now also - overwrite the canary, which gets detected and the attack is then - neutralized via a kernel panic. - - This feature requires gcc version 4.2 or above, or a distribution - gcc with the feature backported. Older versions are automatically - detected and for those versions, this configuration option is - ignored. (and a warning is printed during bootup) - source kernel/Kconfig.hz config KEXEC |