menu "Hardening options"

config BUG_ON_DATA_CORRUPTION
	bool "Trigger a BUG when data corruption is detected"
	select DEBUG_LIST
	help
	  Select this option if barebox should BUG when it encounters
	  data corruption in its memory structures when they get checked
	  for validity.

	  If unsure, say N.

config STACK_GUARD_PAGE
	bool "Place guard page to catch stack overflows"
	depends on ARM && MMU
	help
	  When enabled, barebox places a faulting guard page to catch total
	  stack usage exceeding CONFIG_STACK_SIZE. On overflows that hit
	  the reserved 4KiB, barebox will panic and report a stack overflow.
	  The report may not always succeed if the stack overflow impacts
	  operation of the exception handler.

config STACKPROTECTOR
	bool

choice
	prompt "Stack Protector buffer overflow detection"

config STACKPROTECTOR_NONE
	bool "None"

config STACKPROTECTOR_STRONG
	bool "Strong"
	depends on $(cc-option,-fstack-protector-strong)
	select STACKPROTECTOR
	help
	  This option turns on the "stack-protector" GCC feature. This
	  feature puts, at the beginning of functions, a canary value on
	  the stack just before the return address, and validates
	  the value just before actually returning. Stack based buffer
	  overflows (that need to overwrite this return address) now also
	  overwrite the canary, which gets detected and the attack is then
	  neutralized via a barebox panic.

	  Functions will have the stack-protector canary logic added in any
	  of the following conditions:

	  - local variable's address used as part of the right hand side of an
	    assignment or function argument
	  - local variable is an array (or union containing an array),
	    regardless of array type or length
	  - uses register local variables

	  The canary will be a fixed value at first, but will be replaced by
	  one generated from a hardware random number generator if available
	  later on.

config STACKPROTECTOR_ALL
	bool "All"
	depends on $(cc-option,-fstack-protector-all)
	depends on COMPILE_TEST
	select STACKPROTECTOR
	help
	  This pushes and verifies stack protector canaries on all functions,
	  even those that don't need it. As this implies injection of a
	  global variable dependency on every function, this option is useful
	  for crashing functions called prior to prerelocation, which lack a
	  __prereloc attribute. This is likely the only upside compared to
	  the strong variant, so it's not selectable by default.

endchoice

choice
	prompt "Stack Protector buffer overflow detection for PBL" if PBL_IMAGE

config PBL_STACKPROTECTOR_NONE
	bool "None"

config PBL_STACKPROTECTOR_STRONG
	bool "Strong"
	depends on $(cc-option,-fstack-protector-strong)
	depends on PBL_IMAGE
	select STACKPROTECTOR
	help
	  For PBL, this option turns on the "stack-protector" GCC feature. This
	  feature puts, at the beginning of functions, a canary value on
	  the stack just before the return address, and validates
	  the value just before actually returning. Stack based buffer
	  overflows (that need to overwrite this return address) now also
	  overwrite the canary, which gets detected and the attack is then
	  neutralized via a barebox panic.

	  Functions will have the stack-protector canary logic added in any
	  of the following conditions:

	  - local variable's address used as part of the right hand side of an
	    assignment or function argument
	  - local variable is an array (or union containing an array),
	    regardless of array type or length
	  - uses register local variables

	  The canary is always a fixed value.

config PBL_STACKPROTECTOR_ALL
	bool "PBL"
	depends on $(cc-option,-fstack-protector-strong)
	depends on PBL_IMAGE && COMPILE_TEST
	select STACKPROTECTOR
	help
	  This pushes and verifies stack protector canaries on all functions,
	  even those that don't need it. As this implies injection of a
	  global variable dependency on every function, this option is useful
	  for crashing functions called prior to prerelocation, which lack a
	  __prereloc attribute. This is likely the only upside compared to
	  the strong variant.

endchoice

endmenu
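The STACKPROTECTOR_STRONG and PBL_STACKPROTECTOR_STRONG help texts above describe the canary mechanism and the difference between a fixed start-up canary and one re-seeded from a hardware RNG. The following is an added example, not barebox code and not GCC's runtime: it models the prologue/epilogue check by hand in plain C (so it runs without -fstack-protector), with a constructed guard constant, constructed RNG bytes, a hypothetical frame layout and hypothetical function names, and shows why a fixed canary only covers the accidental case while a re-seeded one also catches a copy whose tail happens to equal the start-up constant.

```c
#include <stdint.h>
#include <string.h>

/* Fixed start-up canary (constructed constant), the one global guard the
 * -fstack-protector runtime compares against, and the demo frame layout. */
#define FIXED_GUARD ((uintptr_t)0xfeedf00ddeadbeefULL)
#define BUF_LEN 16
#define FRAME_LEN (BUF_LEN + sizeof(uintptr_t))
static uintptr_t stack_chk_guard = FIXED_GUARD;

/* The later "replace with hardware RNG output" step; rng holds RNG bytes. */
void stackprot_seed_guard(const unsigned char *rng, size_t len)
{
    uintptr_t g = 0;
    memcpy(&g, rng, len < sizeof g ? len : sizeof g);
    stack_chk_guard = g;
}

/* Protected frame by hand: 16-byte local, then the canary slot GCC places
 * between locals and the return address. Returns 1 if the epilogue check
 * passes, 0 where __stack_chk_fail() would run (in barebox, a panic). */
int copy_with_canary(const unsigned char *src, size_t n)
{
    unsigned char frame[FRAME_LEN];   /* one array: the overrun stays defined C */
    uintptr_t canary;
    memcpy(frame + BUF_LEN, &stack_chk_guard, sizeof canary); /* prologue */
    if (n > FRAME_LEN)                /* clamp: the demo never leaves frame */
        n = FRAME_LEN;
    memcpy(frame, src, n);            /* unchecked copy into the local */
    memcpy(&canary, frame + BUF_LEN, sizeof canary);
    return canary == stack_chk_guard;                   /* epilogue check */
}

/* n constructed 'A' bytes; with tail_is_fixed_guard the bytes landing in the
 * canary slot equal FIXED_GUARD, the predictable case the re-seed closes. */
int overflow_caught(size_t n, int tail_is_fixed_guard)
{
    unsigned char in[FRAME_LEN];
    memset(in, 'A', sizeof in);
    if (tail_is_fixed_guard)
        memcpy(in + BUF_LEN, &(uintptr_t){FIXED_GUARD}, sizeof(uintptr_t));
    return !copy_with_canary(in, n);
}

/* Constructed stand-in for HWRNG output, used to re-seed the guard. */
void reseed_from_constructed_rng(void)
{
    static const unsigned char rng[8] = {0x9b, 0x2e, 0xc4, 0x07, 0x61, 0xd8, 0x3f, 0xaa};
    stackprot_seed_guard(rng, sizeof rng);
}
```

Before `reseed_from_constructed_rng()` an over-long copy whose tail equals FIXED_GUARD passes the check; after it, the same copy is caught, which is the PBL caveat ("always a fixed value") made concrete.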