commit 3e75c03cb21bef99464b5d1d52a3e3003af685d6
author Flavio Ceolin <flavio.ceolin@gmail.com> Fri Dec 13 08:58:17 2024 -0800
committer Benjamin Cabé <kartben@gmail.com> Fri Dec 20 12:37:20 2024 +0100
tree 8a89b59139ca51fafbee7f8cad7843f8a9430dd1
parent 0236f7c9aa6ccf4389c700b9d134801701fe3a2d

security: Add default stack protection level

STACK_CANARIES was enabling canaries in all functions using the compiler
flag -fstack-protector-all. This became confuse with the addition of the
options STRONG and EXPLICIT.

This commit adds the missing option (default level) and disambiguous the
options mapping them close to the compiler flags.

Now we have the following options:

STACK_CANARIES            -> fstack-protector
STACK_CANARIES_STRONG     -> fstack-protector-strong
STACK_CANARIES_ALL        -> fstack-protector-all
STACK_CANARIES_EXPLICIT   -> fstack-protector-explicit

Note that from now on STACK_CANARIES_ALL is the symbol that adds canaries
for all functions.

Signed-off-by: Flavio Ceolin <flavio.ceolin@gmail.com>

kernel/compiler_stack_protect.c

diff --git a/kernel/compiler_stack_protect.c b/kernel/compiler_stack_protect.c
index d48190c..30da82d 100644
--- a/kernel/compiler_stack_protect.c
+++ b/kernel/compiler_stack_protect.c
@@ -11,7 +11,7 @@
  * This module provides functions to support compiler stack protection
  * using canaries.  This feature is enabled with configuration
  * CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
- * CONFIG_STACK_CANARIES_EXPLICIT=y.
+ * CONFIG_STACK_CANARIES_ALL=y or CONFIG_STACK_CANARIES_EXPLICIT=y.
  *
  * When this feature is enabled, the compiler generated code refers to
  * function __stack_chk_fail and global variable __stack_chk_guard.