• Thomas Weißschuh's avatar
    tools/nolibc: add support for stack protector · 7188d463
    Thomas Weißschuh authored
    This is useful when using nolibc for security-critical tools.
    Using nolibc has the advantage that the code is easily auditable and
    sandboxable with seccomp as no unexpected syscalls are used.
    Using compiler-assistent stack protection provides another security
    mechanism.
    
    For this to work the compiler and libc have to collaborate.
    
    This patch adds the following parts to nolibc that are required by the
    compiler:
    
    * __stack_chk_guard: random sentinel value
    * __stack_chk_fail: handler for detected stack smashes
    
    In addition an initialization function is added that randomizes the
    sentinel value.
    
    Only support for global guards is implemented.
    Register guards are useful in multi-threaded context which nolibc does
    not provide support for.
    
    Link: https://lwn.net/Articles/584225/Signed-off-by: default avatarThomas Weißschuh <linux@weissschuh.net>
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    Signed-off-by: default avatarPaul E. McKenney <paulmck@kernel.org>
    7188d463
stackprotector.h 1.38 KB