CONFIG_STACKPROTECTOR: Stack Protector buffer overflow detection

General informations

The Linux kernel configuration item CONFIG_STACKPROTECTOR:

• prompt: Stack Protector buffer overflow detection
• type: bool
• depends on: ( CONFIG_HAVE_STACKPROTECTOR ) && ($( CONFIG_cc-option,-fstack-protector ))
• defined in arch/Kconfig
• found in Linux kernels: 4.18–4.20, 5.0–5.19, 6.0–6.8, 6.9-rc+HEAD

Help text

This option turns on the "stack-protector" GCC feature. This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. Stack based buffer overflows (that need to overwrite this return address) now also overwrite the canary, which gets detected and the attack is then neutralized via a kernel panic.

Functions will have the stack-protector canary logic added if they have an 8-byte or larger character array on the stack.

This feature requires gcc version 4.2 or above, or a distribution gcc with the feature backported ("-fstack-protector").

On an x86 "defconfig" build, this feature adds canary checks to about 3% of all kernel functions, which increases kernel code size by about 0.3%.

Hardware

LKDDb

Raw data from LKDDb:

• (none)

Sources

This page is automaticly generated with free (libre, open) software lkddb(see lkddb-sources).

The data is retrived from:

• Linux kernel
• Linux Kernel Driver DataBase (LKDDb)

Automatic links from Google (and ads)

Custom Search

Popular queries: