tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull compiler-based variable initialization updates from Kees Cook:
"This is effectively part of my gcc-plugins tree, but as this adds some
Clang support, it felt weird to still call it "gcc-plugins". :)
This consolidates Kconfig for the existing stack variable
initialization (via structleak and stackleak gcc plugins) and adds
Alexander Potapenko's support for Clang's new similar functionality.
Summary:
- Consolidate memory initialization Kconfigs (Kees)
- Implement support for Clang's stack variable auto-init (Alexander)"
* tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
security: Implement Clang's stack initialization
security: Move stackleak config to Kconfig.hardening
security: Create "kernel hardening" config area
+177
-120
+5
Makefile
+5
Makefile
···
748
748
endif
749
749
endif
750
750
751
+
# Initialize all stack variables with a pattern, if desired.
752
+
ifdef CONFIG_INIT_STACK_ALL
753
+
KBUILD_CFLAGS += -ftrivial-auto-var-init=pattern
754
+
endif
755
+
751
756
DEBUG_CFLAGS := $(call cc-option, -fno-var-tracking-assignments)
752
757
753
758
ifdef CONFIG_DEBUG_INFO
+6
-120
scripts/gcc-plugins/Kconfig
+6
-120
scripts/gcc-plugins/Kconfig
···
13
13
An arch should select this symbol if it supports building with
14
14
GCC plugins.
15
15
16
-
menuconfig GCC_PLUGINS
17
-
bool "GCC plugins"
16
+
config GCC_PLUGINS
17
+
bool
18
18
depends on HAVE_GCC_PLUGINS
19
19
depends on PLUGIN_HOSTCC != ""
20
+
default y
20
21
help
21
22
GCC plugins are loadable modules that provide extra features to the
22
23
compiler. They are useful for runtime instrumentation and static analysis.
23
24
24
25
See Documentation/gcc-plugins.txt for details.
25
26
26
-
if GCC_PLUGINS
27
+
menu "GCC plugins"
28
+
depends on GCC_PLUGINS
27
29
28
30
config GCC_PLUGIN_CYC_COMPLEXITY
29
31
bool "Compute the cyclomatic complexity of a function" if EXPERT
···
68
66
* https://grsecurity.net/
69
67
* https://pax.grsecurity.net/
70
68
71
-
config GCC_PLUGIN_STRUCTLEAK
72
-
bool "Zero initialize stack variables"
73
-
help
74
-
While the kernel is built with warnings enabled for any missed
75
-
stack variable initializations, this warning is silenced for
76
-
anything passed by reference to another function, under the
77
-
occasionally misguided assumption that the function will do
78
-
the initialization. As this regularly leads to exploitable
79
-
flaws, this plugin is available to identify and zero-initialize
80
-
such variables, depending on the chosen level of coverage.
81
-
82
-
This plugin was originally ported from grsecurity/PaX. More
83
-
information at:
84
-
* https://grsecurity.net/
85
-
* https://pax.grsecurity.net/
86
-
87
-
choice
88
-
prompt "Coverage"
89
-
depends on GCC_PLUGIN_STRUCTLEAK
90
-
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
91
-
help
92
-
This chooses the level of coverage over classes of potentially
93
-
uninitialized variables. The selected class will be
94
-
zero-initialized before use.
95
-
96
-
config GCC_PLUGIN_STRUCTLEAK_USER
97
-
bool "structs marked for userspace"
98
-
help
99
-
Zero-initialize any structures on the stack containing
100
-
a __user attribute. This can prevent some classes of
101
-
uninitialized stack variable exploits and information
102
-
exposures, like CVE-2013-2141:
103
-
https://git.kernel.org/linus/b9e146d8eb3b9eca
104
-
105
-
config GCC_PLUGIN_STRUCTLEAK_BYREF
106
-
bool "structs passed by reference"
107
-
help
108
-
Zero-initialize any structures on the stack that may
109
-
be passed by reference and had not already been
110
-
explicitly initialized. This can prevent most classes
111
-
of uninitialized stack variable exploits and information
112
-
exposures, like CVE-2017-1000410:
113
-
https://git.kernel.org/linus/06e7e776ca4d3654
114
-
115
-
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
116
-
bool "anything passed by reference"
117
-
help
118
-
Zero-initialize any stack variables that may be passed
119
-
by reference and had not already been explicitly
120
-
initialized. This is intended to eliminate all classes
121
-
of uninitialized stack variable exploits and information
122
-
exposures.
123
-
124
-
endchoice
125
-
126
-
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
127
-
bool "Report forcefully initialized variables"
128
-
depends on GCC_PLUGIN_STRUCTLEAK
129
-
depends on !COMPILE_TEST # too noisy
130
-
help
131
-
This option will cause a warning to be printed each time the
132
-
structleak plugin finds a variable it thinks needs to be
133
-
initialized. Since not all existing initializers are detected
134
-
by the plugin, this can produce false positive warnings.
135
-
136
69
config GCC_PLUGIN_RANDSTRUCT
137
70
bool "Randomize layout of sensitive kernel structures"
138
71
select MODVERSIONS if MODULES
···
108
171
in structures. This reduces the performance hit of RANDSTRUCT
109
172
at the cost of weakened randomization.
110
173
111
-
config GCC_PLUGIN_STACKLEAK
112
-
bool "Erase the kernel stack before returning from syscalls"
113
-
depends on GCC_PLUGINS
114
-
depends on HAVE_ARCH_STACKLEAK
115
-
help
116
-
This option makes the kernel erase the kernel stack before
117
-
returning from system calls. That reduces the information which
118
-
kernel stack leak bugs can reveal and blocks some uninitialized
119
-
stack variable attacks.
120
-
121
-
The tradeoff is the performance impact: on a single CPU system kernel
122
-
compilation sees a 1% slowdown, other systems and workloads may vary
123
-
and you are advised to test this feature on your expected workload
124
-
before deploying it.
125
-
126
-
This plugin was ported from grsecurity/PaX. More information at:
127
-
* https://grsecurity.net/
128
-
* https://pax.grsecurity.net/
129
-
130
-
config STACKLEAK_TRACK_MIN_SIZE
131
-
int "Minimum stack frame size of functions tracked by STACKLEAK"
132
-
default 100
133
-
range 0 4096
134
-
depends on GCC_PLUGIN_STACKLEAK
135
-
help
136
-
The STACKLEAK gcc plugin instruments the kernel code for tracking
137
-
the lowest border of the kernel stack (and for some other purposes).
138
-
It inserts the stackleak_track_stack() call for the functions with
139
-
a stack frame size greater than or equal to this parameter.
140
-
If unsure, leave the default value 100.
141
-
142
-
config STACKLEAK_METRICS
143
-
bool "Show STACKLEAK metrics in the /proc file system"
144
-
depends on GCC_PLUGIN_STACKLEAK
145
-
depends on PROC_FS
146
-
help
147
-
If this is set, STACKLEAK metrics for every task are available in
148
-
the /proc file system. In particular, /proc/<pid>/stack_depth
149
-
shows the maximum kernel stack consumption for the current and
150
-
previous syscalls. Although this information is not precise, it
151
-
can be useful for estimating the STACKLEAK performance impact for
152
-
your workloads.
153
-
154
-
config STACKLEAK_RUNTIME_DISABLE
155
-
bool "Allow runtime disabling of kernel stack erasing"
156
-
depends on GCC_PLUGIN_STACKLEAK
157
-
help
158
-
This option provides 'stack_erasing' sysctl, which can be used in
159
-
runtime to control kernel stack erasing for kernels built with
160
-
CONFIG_GCC_PLUGIN_STACKLEAK.
161
-
162
174
config GCC_PLUGIN_ARM_SSP_PER_TASK
163
175
bool
164
176
depends on GCC_PLUGINS && ARM
165
177
166
-
endif
178
+
endmenu
+2
security/Kconfig
+2
security/Kconfig
+164
security/Kconfig.hardening
+164
security/Kconfig.hardening
···
1
+
menu "Kernel hardening options"
2
+
3
+
config GCC_PLUGIN_STRUCTLEAK
4
+
bool
5
+
help
6
+
While the kernel is built with warnings enabled for any missed
7
+
stack variable initializations, this warning is silenced for
8
+
anything passed by reference to another function, under the
9
+
occasionally misguided assumption that the function will do
10
+
the initialization. As this regularly leads to exploitable
11
+
flaws, this plugin is available to identify and zero-initialize
12
+
such variables, depending on the chosen level of coverage.
13
+
14
+
This plugin was originally ported from grsecurity/PaX. More
15
+
information at:
16
+
* https://grsecurity.net/
17
+
* https://pax.grsecurity.net/
18
+
19
+
menu "Memory initialization"
20
+
21
+
config CC_HAS_AUTO_VAR_INIT
22
+
def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
23
+
24
+
choice
25
+
prompt "Initialize kernel stack variables at function entry"
26
+
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
27
+
default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
28
+
default INIT_STACK_NONE
29
+
help
30
+
This option enables initialization of stack variables at
31
+
function entry time. This has the possibility to have the
32
+
greatest coverage (since all functions can have their
33
+
variables initialized), but the performance impact depends
34
+
on the function calling complexity of a given workload's
35
+
syscalls.
36
+
37
+
This chooses the level of coverage over classes of potentially
38
+
uninitialized variables. The selected class will be
39
+
initialized before use in a function.
40
+
41
+
config INIT_STACK_NONE
42
+
bool "no automatic initialization (weakest)"
43
+
help
44
+
Disable automatic stack variable initialization.
45
+
This leaves the kernel vulnerable to the standard
46
+
classes of uninitialized stack variable exploits
47
+
and information exposures.
48
+
49
+
config GCC_PLUGIN_STRUCTLEAK_USER
50
+
bool "zero-init structs marked for userspace (weak)"
51
+
depends on GCC_PLUGINS
52
+
select GCC_PLUGIN_STRUCTLEAK
53
+
help
54
+
Zero-initialize any structures on the stack containing
55
+
a __user attribute. This can prevent some classes of
56
+
uninitialized stack variable exploits and information
57
+
exposures, like CVE-2013-2141:
58
+
https://git.kernel.org/linus/b9e146d8eb3b9eca
59
+
60
+
config GCC_PLUGIN_STRUCTLEAK_BYREF
61
+
bool "zero-init structs passed by reference (strong)"
62
+
depends on GCC_PLUGINS
63
+
select GCC_PLUGIN_STRUCTLEAK
64
+
help
65
+
Zero-initialize any structures on the stack that may
66
+
be passed by reference and had not already been
67
+
explicitly initialized. This can prevent most classes
68
+
of uninitialized stack variable exploits and information
69
+
exposures, like CVE-2017-1000410:
70
+
https://git.kernel.org/linus/06e7e776ca4d3654
71
+
72
+
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
73
+
bool "zero-init anything passed by reference (very strong)"
74
+
depends on GCC_PLUGINS
75
+
select GCC_PLUGIN_STRUCTLEAK
76
+
help
77
+
Zero-initialize any stack variables that may be passed
78
+
by reference and had not already been explicitly
79
+
initialized. This is intended to eliminate all classes
80
+
of uninitialized stack variable exploits and information
81
+
exposures.
82
+
83
+
config INIT_STACK_ALL
84
+
bool "0xAA-init everything on the stack (strongest)"
85
+
depends on CC_HAS_AUTO_VAR_INIT
86
+
help
87
+
Initializes everything on the stack with a 0xAA
88
+
pattern. This is intended to eliminate all classes
89
+
of uninitialized stack variable exploits and information
90
+
exposures, even variables that were warned to have been
91
+
left uninitialized.
92
+
93
+
endchoice
94
+
95
+
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
96
+
bool "Report forcefully initialized variables"
97
+
depends on GCC_PLUGIN_STRUCTLEAK
98
+
depends on !COMPILE_TEST # too noisy
99
+
help
100
+
This option will cause a warning to be printed each time the
101
+
structleak plugin finds a variable it thinks needs to be
102
+
initialized. Since not all existing initializers are detected
103
+
by the plugin, this can produce false positive warnings.
104
+
105
+
config GCC_PLUGIN_STACKLEAK
106
+
bool "Poison kernel stack before returning from syscalls"
107
+
depends on GCC_PLUGINS
108
+
depends on HAVE_ARCH_STACKLEAK
109
+
help
110
+
This option makes the kernel erase the kernel stack before
111
+
returning from system calls. This has the effect of leaving
112
+
the stack initialized to the poison value, which both reduces
113
+
the lifetime of any sensitive stack contents and reduces
114
+
potential for uninitialized stack variable exploits or information
115
+
exposures (it does not cover functions reaching the same stack
116
+
depth as prior functions during the same syscall). This blocks
117
+
most uninitialized stack variable attacks, with the performance
118
+
impact being driven by the depth of the stack usage, rather than
119
+
the function calling complexity.
120
+
121
+
The performance impact on a single CPU system kernel compilation
122
+
sees a 1% slowdown, other systems and workloads may vary and you
123
+
are advised to test this feature on your expected workload before
124
+
deploying it.
125
+
126
+
This plugin was ported from grsecurity/PaX. More information at:
127
+
* https://grsecurity.net/
128
+
* https://pax.grsecurity.net/
129
+
130
+
config STACKLEAK_TRACK_MIN_SIZE
131
+
int "Minimum stack frame size of functions tracked by STACKLEAK"
132
+
default 100
133
+
range 0 4096
134
+
depends on GCC_PLUGIN_STACKLEAK
135
+
help
136
+
The STACKLEAK gcc plugin instruments the kernel code for tracking
137
+
the lowest border of the kernel stack (and for some other purposes).
138
+
It inserts the stackleak_track_stack() call for the functions with
139
+
a stack frame size greater than or equal to this parameter.
140
+
If unsure, leave the default value 100.
141
+
142
+
config STACKLEAK_METRICS
143
+
bool "Show STACKLEAK metrics in the /proc file system"
144
+
depends on GCC_PLUGIN_STACKLEAK
145
+
depends on PROC_FS
146
+
help
147
+
If this is set, STACKLEAK metrics for every task are available in
148
+
the /proc file system. In particular, /proc/<pid>/stack_depth
149
+
shows the maximum kernel stack consumption for the current and
150
+
previous syscalls. Although this information is not precise, it
151
+
can be useful for estimating the STACKLEAK performance impact for
152
+
your workloads.
153
+
154
+
config STACKLEAK_RUNTIME_DISABLE
155
+
bool "Allow runtime disabling of kernel stack erasing"
156
+
depends on GCC_PLUGIN_STACKLEAK
157
+
help
158
+
This option provides 'stack_erasing' sysctl, which can be used in
159
+
runtime to control kernel stack erasing for kernels built with
160
+
CONFIG_GCC_PLUGIN_STACKLEAK.
161
+
162
+
endmenu
163
+
164
+
endmenu