tools/nolibc: add support for stack protector
author Thomas Weißschuh <linux@weissschuh.net>
Sat, 25 Mar 2023 15:45:12 +0000 (16:45 +0100)
committer Paul E. McKenney <paulmck@kernel.org>
Mon, 27 Mar 2023 23:26:10 +0000 (16:26 -0700)
commit 7188d4637e95b9becde246fa08bb419a3b080f9b
tree 39420362b9bd91acb3bdc7d3dd5b90d2b1572a60
parent c4560bd8066311c7cee5d7396e7fbd7cb3b7eabc
tools/nolibc: add support for stack protector

This is useful when using nolibc for security-critical tools.
Using nolibc has the advantage that the code is easily auditable and
sandboxable with seccomp as no unexpected syscalls are used.
Using compiler-assisted stack protection provides another security
mechanism.

For this to work the compiler and libc have to collaborate.

This patch adds the following parts to nolibc that are required by the
compiler:

* __stack_chk_guard: random sentinel value
* __stack_chk_fail: handler for detected stack smashes

In addition an initialization function is added that randomizes the
sentinel value.

Only support for global guards is implemented.
Register guards are useful in multi-threaded context which nolibc does
not provide support for.

Link: https://lwn.net/Articles/584225/
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
tools/include/nolibc/Makefile
tools/include/nolibc/nolibc.h
tools/include/nolibc/stackprotector.h [new file with mode: 0644]
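
The global-guard scheme the commit message describes (a random sentinel, an init step that randomizes it, and a handler called on mismatch), modelled in portable C as an added example; this is not code from the commit or from nolibc. All demo_* names are hypothetical stand-ins, the use of getrandom() is an assumption, and the handler counts detections instead of aborting so the result can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>

/* All demo_* names are hypothetical stand-ins, not nolibc symbols. */
static uintptr_t demo_guard;    /* role of __stack_chk_guard */
static unsigned demo_failures;  /* the real handler aborts; this one counts */

/* Role of the init function: randomize the sentinel once at startup.
 * Using getrandom() here is an assumption of this example. */
static void demo_guard_init(void)
{
    uintptr_t v = 0;
    if (getrandom(&v, sizeof v, GRND_NONBLOCK) != (ssize_t)sizeof v)
        v = (uintptr_t)&demo_guard;  /* weak fallback: address bits only */
    demo_guard = v;
}

/* One protected frame: the canary sits above the local buffer, so a
 * linear overflow of buf reaches it before any saved return address. */
struct demo_frame {
    char buf[16];
    uintptr_t canary;
};

static void demo_chk_fail(void) { demo_failures++; }  /* role of __stack_chk_fail */
/* Returns 0 if the canary survived the copy, -1 if a smash was detected. */
static int demo_copy(const void *src, size_t len)
{
    struct demo_frame f = { .canary = demo_guard };  /* prologue: store guard */
    if (len > sizeof f) len = sizeof f;  /* keep the demo inside the struct */
    memcpy(&f, src, len);        /* no check against sizeof f.buf: the bug */
    if (f.canary != demo_guard) {  /* epilogue: compare before returning */
        demo_chk_fail();
        return -1;
    }
    return 0;
}

int main(void)
{
    char big[sizeof(struct demo_frame)];
    memset(big, 'A', sizeof big);    /* constructed oversized input */
    demo_guard_init();
    printf("in-bounds copy:   %d\n", demo_copy("hello", 6));
    printf("overflowing copy: %d\n", demo_copy(big, sizeof big));
    return 0;
}
```

In a real build the compiler emits the prologue store and epilogue compare itself when stack protection is enabled; the library only has to supply the guard variable, its initialization, and the failure handler.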