Loading arch/x86/Kconfig +9 −13 Original line number Diff line number Diff line Loading @@ -1140,13 +1140,17 @@ config SECCOMP If unsure, say Y. Only embedded should say N here. config CC_STACKPROTECTOR_ALL bool config CC_STACKPROTECTOR bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)" depends on X86_64 select CC_STACKPROTECTOR_ALL help This option turns on the -fstack-protector GCC feature. This feature puts, at the beginning of critical functions, a canary value on the stack just before the return address, and validates feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. Stack based buffer overflows (that need to overwrite this return address) now also overwrite the canary, which gets detected and the attack is then Loading @@ -1154,16 +1158,8 @@ config CC_STACKPROTECTOR This feature requires gcc version 4.2 or above, or a distribution gcc with the feature backported. Older versions are automatically detected and for those versions, this configuration option is ignored. config CC_STACKPROTECTOR_ALL bool "Use stack-protector for all functions" depends on CC_STACKPROTECTOR default y help Normally, GCC only inserts the canary value protection for functions that use large-ish on-stack buffers. By enabling this option, GCC will be asked to do this for ALL functions. detected and for those versions, this configuration option is ignored. (and a warning is printed during bootup) source kernel/Kconfig.hz Loading Loading
arch/x86/Kconfig +9 −13 Original line number Diff line number Diff line Loading @@ -1140,13 +1140,17 @@ config SECCOMP If unsure, say Y. Only embedded should say N here. config CC_STACKPROTECTOR_ALL bool config CC_STACKPROTECTOR bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)" depends on X86_64 select CC_STACKPROTECTOR_ALL help This option turns on the -fstack-protector GCC feature. This feature puts, at the beginning of critical functions, a canary value on the stack just before the return address, and validates feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. Stack based buffer overflows (that need to overwrite this return address) now also overwrite the canary, which gets detected and the attack is then Loading @@ -1154,16 +1158,8 @@ config CC_STACKPROTECTOR This feature requires gcc version 4.2 or above, or a distribution gcc with the feature backported. Older versions are automatically detected and for those versions, this configuration option is ignored. config CC_STACKPROTECTOR_ALL bool "Use stack-protector for all functions" depends on CC_STACKPROTECTOR default y help Normally, GCC only inserts the canary value protection for functions that use large-ish on-stack buffers. By enabling this option, GCC will be asked to do this for ALL functions. detected and for those versions, this configuration option is ignored. (and a warning is printed during bootup) source kernel/Kconfig.hz Loading