diff options
| author | Yaakov Selkowitz <yselkowi@redhat.com> | 2017-11-28 18:11:59 -0600 |
|---|---|---|
| committer | Yaakov Selkowitz <yselkowi@redhat.com> | 2017-11-29 11:25:45 -0600 |
| commit | 192de5a349f61a70e9d2f74c2be0674114391f56 (patch) | |
| tree | b0371a83eb9f982c1103217f3310ef56b3b747f4 | |
| parent | 6b02865d80f6a38caff78e9bff5c866ac0d6dff6 (diff) | |
| download | cygnal-192de5a349f61a70e9d2f74c2be0674114391f56.tar.gz cygnal-192de5a349f61a70e9d2f74c2be0674114391f56.tar.bz2 cygnal-192de5a349f61a70e9d2f74c2be0674114391f56.zip | |
ssp: add documentation
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
| -rw-r--r-- | newlib/libc/libc.in.xml | 1 | ||||
| -rw-r--r-- | newlib/libc/libc.texinfo | 1 | ||||
| -rw-r--r-- | newlib/libc/ssp/ssp.tex | 44 |
3 files changed, 46 insertions, 0 deletions
diff --git a/newlib/libc/libc.in.xml b/newlib/libc/libc.in.xml index 972696189..bf5f8a05f 100644 --- a/newlib/libc/libc.in.xml +++ b/newlib/libc/libc.in.xml @@ -35,6 +35,7 @@ <xi:include href="iconv.xml"> <xi:fallback/> </xi:include> + <!-- ssp.tex contains fixed content --> <!-- processing should insert index here --> <index/> diff --git a/newlib/libc/libc.texinfo b/newlib/libc/libc.texinfo index 995e95e5c..f8c820baf 100644 --- a/newlib/libc/libc.texinfo +++ b/newlib/libc/libc.texinfo @@ -171,6 +171,7 @@ into another language, under the above conditions for modified versions. @ifset ICONV * Iconv:: @end ifset +* Overflow Protection:: * Document Index:: @end menu diff --git a/newlib/libc/ssp/ssp.tex b/newlib/libc/ssp/ssp.tex new file mode 100644 index 000000000..f8440bdf9 --- /dev/null +++ b/newlib/libc/ssp/ssp.tex @@ -0,0 +1,44 @@ +@node Overflow Protection +@chapter Overflow Protection + +@menu +* Stack Smashing Protection:: Checks enabled with -fstack-protector* +* Object Size Checking:: Checks enabled with _FORTIFY_SOURCE +@end menu + +@node Stack Smashing Protection +@section Stack Smashing Protection +Stack Smashing Protection is a compiler feature which emits extra code +to check for stack smashing attacks. It depends on a canary, which is +initialized with the process, and functions for process termination when +an overflow is detected. These are private entry points intended solely +for use by the compiler, and are used when any of the @code{-fstack-protector}, +@code{-fstack-protector-all}, @code{-fstack-protector-explicit}, or +@code{-fstack-protector-strong} compiler flags are enabled. + +@node Object Size Checking +@section Object Size Checking +Object Size Checking is a feature which wraps certain functions with checks +to prevent buffer overflows. These are enabled when compiling with +optimization (@code{-O1} and higher) and @code{_FORTIFY_SOURCE} defined +to 1, or for stricter checks, to 2. + +@cindex list of overflow protected functions +The following functions use object size checking to detect buffer overflows +when enabled: + +@example +@exdent @emph{String functions:} +bcopy memmove strcpy +bzero mempcpy strcat +explicit_bzero memset strncat +memcpy stpcpy strncpy + +@exdent @emph{Stdio functions:} +fgets fread_unlocked sprintf +fgets_unlocked gets vsnprintf +fread snprintf vsprintf + +@exdent @emph{System functions:} +getcwd read readlink +@end example |