2017-01-05

Slitaz64 -- Stack Protector buffer overflow detection


Stack Protector buffer overflow detection

Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
Makefile:1066: recipe for target 'prepare-compiler-check' failed

root@slitaz:/usr/src/linux-4.9# grep STACKPROTECTOR .config
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y


Stack Protector buffer overflow detection

This option turns on the "stack-protector" GCC feature. This
feature puts, at the beginning of functions, a canary value on
the stack just before the return address, and validates
the value just before actually returning. Stack based buffer
overflows (that need to overwrite this return address) now also
overwrite the canary, which gets detected and the attack is then
neutralized via a kernel panic.

Prompt: Stack Protector buffer overflow detection
Location:
-> General setup
Defined at arch/Kconfig:417
Depends on: HAVE_CC_STACKPROTECTOR [=y]
Selected by: HAVE_CC_STACKPROTECTOR [=y] && m

Strong (CC_STACKPROTECTOR_STRONG)

CONFIG_CC_STACKPROTECTOR_STRONG:

Functions will have the stack-protector canary logic added in any
of the following conditions:

- local variable's address used as part of the right hand side of an
  assignment or function argument
- local variable is an array (or union containing an array),
  regardless of array type or length
- uses register local variables

This feature requires gcc version 4.9 or above, or a distribution
gcc with the feature backported ("-fstack-protector-strong").


On an x86 "defconfig" build, this feature adds canary checks to
about 20% of all kernel functions, which increases the kernel code
size by about 2%.

Symbol: CC_STACKPROTECTOR_STRONG [=n]
Type : boolean
Prompt: Strong
Location:
-> General setup
-> Stack Protector buffer overflow detection ( [=y])
Defined at arch/Kconfig:449
Depends on:
Selects: CC_STACKPROTECTOR [=y]

Regular (CC_STACKPROTECTOR_REGULAR)

CONFIG_CC_STACKPROTECTOR_REGULAR:


Functions will have the stack-protector canary logic added if they
have an 8-byte or larger character array on the stack.

This feature requires gcc version 4.2 or above, or a distribution
gcc with the feature backported ("-fstack-protector").


On an x86 "defconfig" build, this feature adds canary checks to
about 3% of all kernel functions, which increases kernel code size
by about 0.3%.

Symbol: CC_STACKPROTECTOR_REGULAR [=n]
Type : boolean
Prompt: Regular
Location:
-> General setup
-> Stack Protector buffer overflow detection ( [=y])
Defined at arch/Kconfig:435
Depends on:
Selects: CC_STACKPROTECTOR [=y]
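
An added example, not part of the original post or the kernel source: a shell probe for which stack-protector flag the compiler accepts (the condition behind the build error above), plus a count of how many functions in a constructed four-function C sample get a canary under each mode. CC, probe_flag, best_mode and count_protected are names chosen here; it assumes a target where the canary failure handler is named __stack_chk_fail.

```shell
#!/bin/sh
# Added example: CC, probe_flag, best_mode, count_protected are names chosen
# here; sample.c below is constructed input, not kernel code.
CC=${CC:-cc}

# Succeeds if $CC accepts flag $1 when compiling a minimal translation unit.
probe_flag() {
    echo 'int probe;' | "$CC" "$1" -Werror -S -x c - -o /dev/null 2>/dev/null
}

# Strongest stack-protector mode this compiler supports: strong|regular|none.
best_mode() {
    if probe_flag -fstack-protector-strong; then echo strong
    elif probe_flag -fstack-protector; then echo regular
    else echo none
    fi
}

# Compile the constructed sample to assembly with flag $1 and print how many
# functions got a canary check (one __stack_chk_fail reference per function).
count_protected() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sample.c" <<'EOF'
void fill(int *p)    { *p = 1; }                             /* no locals */
int char_buf(void)   { char b[16]; b[0] = 1; return b[0]; }  /* char array >= 8 bytes */
int int_array(void)  { int a[2]; a[0] = 1; return a[0]; }    /* non-char array */
int addr_taken(void) { int x = 0; fill(&x); return x; }      /* &x passed as argument */
EOF
    "$CC" "$1" -O0 -S "$dir/sample.c" -o "$dir/sample.s" 2>/dev/null \
        || { rm -rf "$dir"; return 1; }
    n=$(grep -c '__stack_chk_fail' "$dir/sample.s" || true)
    rm -rf "$dir"
    echo "$n"
}

mode=$(best_mode)
echo "strongest supported mode: $mode"
case $mode in
    strong)
        echo "regular: $(count_protected -fstack-protector) of 4 functions"
        echo "strong:  $(count_protected -fstack-protector-strong) of 4 functions" ;;
    regular) echo "pick CONFIG_CC_STACKPROTECTOR_REGULAR for this compiler" ;;
    none)    echo "pick CONFIG_CC_STACKPROTECTOR_NONE for this compiler" ;;
esac
```

With a compiler that supports both flags, expect 1 of 4 for -fstack-protector and 3 of 4 for -fstack-protector-strong; a result of "regular" or "none" means CONFIG_CC_STACKPROTECTOR_STRONG=y will fail the kernel's compiler check as shown above.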