summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCedric DOURLENT <cedric.dourlent@softathome.com>2024-01-12 09:23:46 +0100
committerHauke Mehrtens <hauke@hauke-m.de>2024-01-19 21:27:14 +0100
commit869f8b21e755e752e6e0bbec1750810751c54b72 (patch)
tree24a153f38ecbbbb206512c43821e4ae34edb6e51
parentcc022082e97de93ca40b212e0f163a0e04c77608 (diff)
downloadopenwrt-869f8b21e755e752e6e0bbec1750810751c54b72.tar.gz
openwrt-869f8b21e755e752e6e0bbec1750810751c54b72.tar.bz2
openwrt-869f8b21e755e752e6e0bbec1750810751c54b72.zip
build: add option for building with stack-protector-all
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks. This option enhances the stack-smashing protection provided by -fstack-protector-strong. -fstack-protector-all option applies stack protection to all functions, regardless of their characteristics. While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact the performance of the program because every function call includes additional checks for stack integrity. This option can incur a performance penalty because of the extra checks added to every function call, but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code. It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable. Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
-rw-r--r--config/Config-build.in2
-rw-r--r--include/hardening.mk5
2 files changed, 7 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index ebfce8add4..24c2bcf130 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -293,6 +293,8 @@ menu "Global build settings"
bool "Regular"
config PKG_CC_STACKPROTECTOR_STRONG
bool "Strong"
+ config PKG_CC_STACKPROTECTOR_ALL
+ bool "All"
endchoice
choice
diff --git a/include/hardening.mk b/include/hardening.mk
index 6acd862f5c..4a8874261b 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -36,6 +36,11 @@ ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
TARGET_CFLAGS += -fstack-protector-strong
endif
endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_ALL
+ ifeq ($(strip $(PKG_SSP)),1)
+ TARGET_CFLAGS += -fstack-protector-all
+ endif
+endif
ifdef CONFIG_PKG_FORTIFY_SOURCE_1
ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
TARGET_CFLAGS += -D_FORTIFY_SOURCE=1