On Fri, Mar 2, 2018 at 2:04 PM, Gianluca Borello <g.bore...@gmail.com> wrote: > On Fri, Mar 2, 2018 at 12:42 PM, Alexei Starovoitov > <alexei.starovoi...@gmail.com> wrote: >> >> good catch! >> I wonder why sched.h is using this flag insead of relying on #defines from >> autoconf.h >> It could have been using CONFIG_HAVE_CC_STACKPROTECTOR >> instead of CONFIG_CC_STACKPROTECTOR, no ? >> > > Thanks for your reply Alexei. I think switching to > HAVE_CC_STACKPROTECTOR could indeed solve this particular BPF issue in > a cleaner way (I tested it), at the cost of having that struct member > always present for the supported architectures even if the stack > protector is actually disabled (e.g. CONFIG_CC_STACKPROTECTOR_NONE=y). > > Not sure if this could be frowned upon by someone considering how > critical task_struct is, but on the other hand is really just 8 bytes.
That structure is huge, and I think it's proper to leave this as is. Adding KBUILD_CPPFLAGS (for now) seems like the right way to go; though in the future stack protector will be changed around again (to be purely Kconfig again). There are a number of issues with its logic in detecting and enabling, and another draft at solving it is under development. -Kees -- Kees Cook Pixel Security
