| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080222164617.50c8ec2e@laptopd505.fenrus.org> Date: Fri, 22 Feb 2008 16:46:17 -0800 From: Arjan van de Ven <arjan@...radead.org> To: Greg KH <gregkh@...e.de> Cc: linux-kernel@...r.kernel.org, stable@...nel.org, jejb@...nel.org, Justin Forbes <jmforbes@...uxtx.org>, Zwane Mwaikambo <zwane@....linux.org.uk>, Theodore Ts'o <tytso@....edu>, Randy Dunlap <rdunlap@...otime.net>, Dave Jones <davej@...hat.com>, Chuck Wolber <chuckw@...ntumlinux.com>, Chris Wedgwood <reviews@...cw.f00f.org>, Michael Krufky <mkrufky@...uxtv.org>, Chuck Ebbert <cebbert@...hat.com>, Domenico Andreoli <cavokz@...il.com>, torvalds@...ux-foundation.org, akpm@...ux-foundation.org, alan@...rguk.ukuu.org.uk, Sam Ravnborg <sam@...nborg.org> Subject: Re: [patch 34/38] kbuild: allow -fstack-protector to take effect On Fri, 22 Feb 2008 16:31:33 -0800 Greg KH <gregkh@...e.de> wrote: > 2.6.24-stable review patch. If anyone has any objections, please let > us know. not ready for -stable yet. if ever for backporting (doubtful) > > ------------------ > From: Sam Ravnborg <sam@...nborg.org> > > commit: e06b8b98da071f7dd78fb7822991694288047df0 > > Arjan van de Ven <arjan@...radead.org> wrote: > === > I just read the excellent LWN writeup of the vmsplice > security thing, and that got me wondering why this attack > wasn't stopped by the CONFIG_CC_STACKPROTECTOR option... > because it plain should have been... > > Some analysis later.. it turns out that the following line > in the top level Makefile, added by you in October 2007, > entirely disables CONFIG_CC_STACKPROTECTOR ;( > With this line removed the exploit will be nicely stopped. > > CFLAGS += $(call cc-option, -fno-stack-protector) > > Now I realize that certain distros have patched gcc to > compensate for their lack of distro wide CFLAGS, and it's > great to work around that... but would there be a way to NOT > disable this for CONFIG_CC_STACKPROTECTOR please? > It would have made this exploit not possible for those kernels > that enable this feature (and that includes distros like Fedora) > === > > Move the assignment to KBUILD_CFLAGS up before including > the arch specific Makefile so arch makefiles may override > the setting. > > Signed-off-by: Sam Ravnborg <sam@...nborg.org> > Cc: Arjan van de Ven <arjan@...radead.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de> > > --- > Makefile | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > --- a/Makefile > +++ b/Makefile > @@ -507,6 +507,10 @@ else > KBUILD_CFLAGS += -O2 > endif > > +# Force gcc to behave correct even for buggy distributions > +# Arch Makefiles may override this setting > +KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector) > + > include $(srctree)/arch/$(SRCARCH)/Makefile > > ifdef CONFIG_FRAME_POINTER > @@ -520,9 +524,6 @@ KBUILD_CFLAGS += -g > KBUILD_AFLAGS += -gdwarf-2 > endif > > -# Force gcc to behave correct even for buggy distributions > -KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector) > - > # arch Makefile may override CC so keep this after arch Makefile is > included NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) > -print-file-name=include) CHECKFLAGS += $(NOSTDINC_FLAGS) > -- If you want to reach me at my work email, use arjan@...ux.intel.com For development, discussion and tips for power savings, visit http://www.lesswatts.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists