From the kernel documentation:
This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving the stack initialized to the poison value, which both reduces the lifetime of any sensitive stack contents and reduces potential for uninitialized stack variable exploits or information exposures (it does not cover functions reaching the same stack depth as prior functions during the same syscall). This blocks most uninitialized stack variable attacks, with the performance impact being driven by the depth of the stack usage, rather than the function calling complexity.
The performance impact on a single CPU system kernel compilation sees a 1% slowdown, other systems and workloads may vary and you are advised to test this feature on your expected workload before deploying it.
This plugin was ported from grsecurity/PaX.
Let's give it a try. A 1% increase in compile time does not bother us too much, and given that this is enabled in IPFire 3.x as well, we may as well take the opportunity to gain experience with this in the field.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.x86_64-ipfire | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index f1d6c2ede..3d9e01e38 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6915,7 +6915,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set -# CONFIG_GCC_PLUGIN_STACKLEAK is not set +CONFIG_GCC_PLUGIN_STACKLEAK=y +CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y