summaryrefslogtreecommitdiffstats
path: root/arch/Kconfig
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2017-01-13 20:14:39 +0100
committerKees Cook <keescook@chromium.org>2017-01-18 21:02:35 +0100
commitc61f13eaa1ee17728c41370100d2d45c254ce76f (patch)
tree63ae636a8d3bfc405b8a0a108ab17c24c5790fd8 /arch/Kconfig
parentgcc-plugins: add PASS_INFO and build_const_char_string() (diff)
downloadlinux-c61f13eaa1ee17728c41370100d2d45c254ce76f.tar.xz
linux-c61f13eaa1ee17728c41370100d2d45c254ce76f.zip
gcc-plugins: Add structleak for more stack initialization
This plugin detects any structures that contain __user attributes and makes sure it is being fully initialized so that a specific class of information exposure is eliminated. (This plugin was originally designed to block the exposure of siginfo in CVE-2013-2141.) Ported from grsecurity/PaX. This version adds a verbose option to the plugin and the Kconfig. Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'arch/Kconfig')
-rw-r--r--arch/Kconfig22
1 files changed, 22 insertions, 0 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index 99839c23d453..646ba0f42c5f 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -410,6 +410,28 @@ config GCC_PLUGIN_LATENT_ENTROPY
* https://grsecurity.net/
* https://pax.grsecurity.net/
+config GCC_PLUGIN_STRUCTLEAK
+ bool "Force initialization of variables containing userspace addresses"
+ depends on GCC_PLUGINS
+ help
+ This plugin zero-initializes any structures that containing a
+ __user attribute. This can prevent some classes of information
+ exposures.
+
+ This plugin was ported from grsecurity/PaX. More information at:
+ * https://grsecurity.net/
+ * https://pax.grsecurity.net/
+
+config GCC_PLUGIN_STRUCTLEAK_VERBOSE
+ bool "Report forcefully initialized variables"
+ depends on GCC_PLUGIN_STRUCTLEAK
+ depends on !COMPILE_TEST
+ help
+ This option will cause a warning to be printed each time the
+ structleak plugin finds a variable it thinks needs to be
+ initialized. Since not all existing initializers are detected
+ by the plugin, this can produce false positive warnings.
+
config HAVE_CC_STACKPROTECTOR
bool
help