All new accounts created on Gitlab now require administrator approval. If you invite any collaborators, please let Flux staff know so they can approve the accounts.

Commit e06b8b98 authored by Sam Ravnborg's avatar Sam Ravnborg

kbuild: allow -fstack-protector to take effect

Arjan van de Ven <> wrote:
I just read the excellent LWN writeup of the vmsplice
security thing, and that got me wondering why this attack
wasn't stopped by the CONFIG_CC_STACKPROTECTOR option...
because it plain should have been...

Some analysis later.. it turns out that the following line
in the top level Makefile, added by you in October 2007,
entirely disables CONFIG_CC_STACKPROTECTOR ;(
With this line removed the exploit will be nicely stopped.

CFLAGS          += $(call cc-option, -fno-stack-protector)

Now I realize that certain distros have patched gcc to
compensate for their lack of distro wide CFLAGS, and it's
great to work around that... but would there be a way to NOT
disable this for CONFIG_CC_STACKPROTECTOR please?
It would have made this exploit not possible for those kernels
that enable this feature (and that includes distros like Fedora)

Move the assignment to KBUILD_CFLAGS up before including
the arch specific Makefile so arch makefiles may override
the setting.
Signed-off-by: default avatarSam Ravnborg <>
Cc: Arjan van de Ven <>
parent 587c9061
......@@ -507,6 +507,10 @@ else
# Force gcc to behave correct even for buggy distributions
# Arch Makefiles may override this setting
KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
include $(srctree)/arch/$(SRCARCH)/Makefile
......@@ -525,9 +529,6 @@ ifdef CONFIG_DEBUG_SECTION_MISMATCH
KBUILD_CFLAGS += $(call cc-option, -fno-inline-functions-called-once)
# Force gcc to behave correct even for buggy distributions
KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
# arch Makefile may override CC so keep this after arch Makefile is included
NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment