authorMichal Kubecek <mkubecek@suse.cz>2019-09-03 12:47:56 +0200
committerMichal Kubecek <mkubecek@suse.cz>2019-09-03 12:47:56 +0200
commit4c43fabbd67ea0eed0469a7202c52c40cdb38870 (patch)
tree621c7f2bb0c1d0b47ef9d856bf9566ca09bd5bf6
parent9bff5f9d34b4d63d01d446633705ef3e34e62556 (diff)
config: enable STACKPROTECTOR_STRONG (jsc#SLE-9120 bsc#1130365)
Enable CONFIG_STACKPROTECTOR_STRONG on all architectures except s390x (where the feature is not available). This extends the number of functions which are protected by "stack canary" check to catch functions writing past their stack frame. This change was requested by SUSE security to make our kernels more resistant to some types of stack overflow attacks. Tests performed by kernel performance teams confirmed that performance impact is acceptable.
-rw-r--r--config/arm64/default2
-rw-r--r--config/armv7hl/default2
-rw-r--r--config/armv7hl/lpae2
-rw-r--r--config/i386/pae2
-rw-r--r--config/ppc64/default2
-rw-r--r--config/ppc64le/default2
-rw-r--r--config/x86_64/default2
7 files changed, 7 insertions, 7 deletions
diff --git a/config/arm64/default b/config/arm64/default
index b1ba62a387..3146ae1368 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -761,7 +761,7 @@ CONFIG_HAVE_ARCH_STACKLEAK=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
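Review bot: Nothing in this change guards against `CONFIG_STACKPROTECTOR_STRONG=y` being silently dropped at build time, here or in the identical hunks for armv7hl (default, lpae), i386/pae, ppc64, ppc64le and x86_64. Upstream Kconfig makes the symbol depend on the compiler accepting `-fstack-protector-strong`, so a build with a toolchain that lacks the flag would regenerate the config with the option unset and no error. A build-time check that compares the generated `.config` with the packaged one and fails if `CONFIG_STACKPROTECTOR_STRONG` is missing would keep the hardening from regressing unnoticed. Config flavours that are not part of this diff are not visible here, so whether they pick up the setting should be confirmed separately.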
diff --git a/config/armv7hl/default b/config/armv7hl/default
index ba330ff694..f52e207b71 100644
--- a/config/armv7hl/default
+++ b/config/armv7hl/default
@@ -964,7 +964,7 @@ CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
diff --git a/config/armv7hl/lpae b/config/armv7hl/lpae
index 374c0aa5d4..2fe4bd962b 100644
--- a/config/armv7hl/lpae
+++ b/config/armv7hl/lpae
@@ -922,7 +922,7 @@ CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
diff --git a/config/i386/pae b/config/i386/pae
index 5c7e68ac24..5ea5230f74 100644
--- a/config/i386/pae
+++ b/config/i386/pae
@@ -811,7 +811,7 @@ CONFIG_HAVE_ARCH_STACKLEAK=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
CONFIG_HAVE_MOVE_PMD=y
diff --git a/config/ppc64/default b/config/ppc64/default
index 1b004da8e8..71149ccef0 100644
--- a/config/ppc64/default
+++ b/config/ppc64/default
@@ -643,7 +643,7 @@ CONFIG_SECCOMP_FILTER=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
diff --git a/config/ppc64le/default b/config/ppc64le/default
index 41929c56f0..f2cf450b8f 100644
--- a/config/ppc64le/default
+++ b/config/ppc64le/default
@@ -582,7 +582,7 @@ CONFIG_SECCOMP_FILTER=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
diff --git a/config/x86_64/default b/config/x86_64/default
index ae9cabf8ea..ac9cc86502 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -797,7 +797,7 @@ CONFIG_HAVE_ARCH_STACKLEAK=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
-# CONFIG_STACKPROTECTOR_STRONG is not set
+CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y