enable kernel stack protection
Bug #369152 reported by Andy Whitcroft
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Andy Whitcroft |
Bug Description
As requested by the security team could we enable CC_STACKPROTECTOR in the kernel.
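What CC_STACKPROTECTOR buys, as an added example that is not part of this bug report or of the kernel's own code: a small C model of the canary that GCC's -fstack-protector places between a function's local buffers and its saved return address, checked in the epilogue before the function returns. The frame layout (struct frame), the guard constant and the RET_SENTINEL value are constructed for the demonstration; a real guard is randomized per process (or at boot, in the kernel), and the real layout is compiler- and architecture-specific.

```c
/*
 * Added example, not code from this bug report or from the kernel: a
 * hand-rolled stack canary that mimics what GCC's -fstack-protector
 * (CC_STACKPROTECTOR in the kernel) inserts into a function's prologue and
 * epilogue. The frame is modelled as a struct so the demo behaves the same
 * regardless of which flags this file itself is compiled with.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define RET_SENTINEL 0x401000ULL   /* constructed stand-in for a saved return address */

/* Modelled frame (hypothetical layout): the canary sits between the local
 * buffer and the saved return address, so an overflow that reaches the
 * return address has to pass through the canary first. */
struct frame {
    char buf[BUF_SIZE];   /* local array the input is copied into */
    uint64_t canary;      /* guard value checked before "returning" */
    uint64_t saved_ret;   /* what an attacker actually wants to overwrite */
};

/* Per-process guard. The constant is a constructed stand-in for the random
 * value the C runtime (or the kernel at boot) would use. Its first byte in
 * memory is forced to zero, as glibc does, so a str*-style copy cannot
 * advance past the canary without being stopped by that NUL. */
static uint64_t stack_chk_guard;

static void init_guard(void)
{
    if (stack_chk_guard == 0) {
        uint64_t g = 0x5bad1d0acafe6017ULL;
        ((unsigned char *)&g)[0] = 0;
        stack_chk_guard = g;
    }
}

/* Prologue: copy the guard into the frame's canary slot. */
static void frame_enter(struct frame *f)
{
    init_guard();
    memset(f->buf, 0, sizeof f->buf);
    f->canary = stack_chk_guard;
    f->saved_ret = RET_SENTINEL;
}

/* Body: an unbounded copy into buf, i.e. the bug the canary is meant to
 * catch. It behaves like strcpy() but is clamped to the modelled frame so
 * the demo itself has no undefined behaviour. */
static void frame_body(struct frame *f, const char *input)
{
    char *dst = (char *)f;            /* buf is the first member, offset 0 */
    size_t n = strlen(input);
    if (n > sizeof *f - 1)
        n = sizeof *f - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';                    /* strcpy's terminator */
}

/* Epilogue: the check that calls __stack_chk_fail() in real code.
 * 1 = canary intact (return proceeds), 0 = smashed (the kernel would panic). */
static int frame_leave(const struct frame *f)
{
    return f->canary == stack_chk_guard;
}

/* Run one input through a protected frame; returns 1 if the canary survived. */
int run_protected(const char *input)
{
    struct frame f;
    frame_enter(&f);
    frame_body(&f, input);
    return frame_leave(&f);
}

/* Same frame, reporting only whether the saved return slot was corrupted,
 * which is all an unprotected function would ever "notice". */
int return_slot_clobbered(const char *input)
{
    struct frame f;
    frame_enter(&f);
    frame_body(&f, input);
    return f.saved_ret != RET_SENTINEL;
}

/* Helpers that build an attacker-style input of n 'A' bytes (constructed). */
static void fill_input(char *in, size_t cap, size_t n)
{
    if (n >= cap) n = cap - 1;
    memset(in, 'A', n);
    in[n] = '\0';
}

int canary_intact_for_len(size_t n)
{
    char in[64];
    fill_input(in, sizeof in, n);
    return run_protected(in);
}

int return_clobbered_for_len(size_t n)
{
    char in[64];
    fill_input(in, sizeof in, n);
    return return_slot_clobbered(in);
}

int main(void)
{
    size_t lens[] = { 5, 16, 20, 30 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes: canary %s, return slot %s\n", lens[i],
               canary_intact_for_len(lens[i]) ? "intact" : "smashed",
               return_clobbered_for_len(lens[i]) ? "clobbered" : "intact");
    return 0;
}
```

Build with any flags; the detection shown here comes from the explicit check in frame_leave(), not from the compiler, which is the point: the compiler flag automates exactly this prologue/epilogue pair for every function with a stack array. The 16-byte case shows why the guard's first byte in memory is zero: a NUL-terminated copy that ends exactly at the canary leaves it unchanged and cannot carry further, so a string copy has to smash the remaining canary bytes before it can reach the return slot, and that is what gets reported.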
Changed in linux (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
importance: Undecided → Medium
It seems that this support is currently not enablable. It is currently marked as broken:
    config CC_STACKPROTECTOR
        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
    -   depends on X86_64 && EXPERIMENTAL
    +   depends on X86_64 && EXPERIMENTAL && BROKEN
This was done under the following commit, so it doesn't appear we will be able to enable it currently.
commit 2c020a99e058cdfc3a073cbfbfcc6ff55d3bfc43
Author: Linus Torvalds <email address hidden>
Date: Fri Feb 22 08:21:38 2008 -0800
Mark CC_STACKPROTECTOR as being BROKEN
It's always been broken, but recent fixes actually made it do something,
and now the brokenness shows up as the resulting kernel simply not
working at all.
So it used to be that you could enable this config option, and it just
didn't do anything. Now we'd better stop people from enabling it by
mistake, since it _does_ do something, but does it so badly as to be
unusable.
Code to actually make it work is pending, but incomplete and won't be
merged into 2.6.25 in any case.