tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
stackleak: Rename STACKLEAK to KSTACK_ERASE
In preparation for adding Clang sanitizer coverage stack depth tracking
that can support stack depth callbacks:
- Add the new top-level CONFIG_KSTACK_ERASE option which will be
implemented either with the stackleak GCC plugin, or with the Clang
stack depth callback support.
- Rename CONFIG_GCC_PLUGIN_STACKLEAK as needed to CONFIG_KSTACK_ERASE,
but keep it for anything specific to the GCC plugin itself.
- Rename all exposed "STACKLEAK" names and files to "KSTACK_ERASE" (named
for what it does rather than what it protects against), but leave as
many of the internals alone as possible to avoid even more churn.
While here, also split "prev_lowest_stack" into CONFIG_KSTACK_ERASE_METRICS,
since that's the only place it is referenced from.
Suggested-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250717232519.2984886-1-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
+101
-95
+2
-2
Documentation/admin-guide/sysctl/kernel.rst
+2
-2
Documentation/admin-guide/sysctl/kernel.rst
···
1465
1465
=============
1466
1466
1467
1467
This parameter can be used to control kernel stack erasing at the end
1468
-
of syscalls for kernels built with ``CONFIG_GCC_PLUGIN_STACKLEAK``.
1468
+
of syscalls for kernels built with ``CONFIG_KSTACK_ERASE``.
1469
1469
1470
1470
That erasing reduces the information which kernel stack leak bugs
1471
1471
can reveal and blocks some uninitialized stack variable attacks.
···
1473
1473
compilation sees a 1% slowdown, other systems and workloads may vary.
1474
1474
1475
1475
= ====================================================================
1476
-
0 Kernel stack erasing is disabled, STACKLEAK_METRICS are not updated.
1476
+
0 Kernel stack erasing is disabled, KSTACK_ERASE_METRICS are not updated.
1477
1477
1 Kernel stack erasing is enabled (default), it is performed before
1478
1478
returning to the userspace at the end of syscalls.
1479
1479
= ====================================================================
+1
-1
Documentation/arch/x86/x86_64/mm.rst
+1
-1
Documentation/arch/x86/x86_64/mm.rst
···
176
176
range must not overlap with anything except the KASAN shadow area, which is
177
177
correct as KASAN disables KASLR.
178
178
179
-
For both 4- and 5-level layouts, the STACKLEAK_POISON value in the last 2MB
179
+
For both 4- and 5-level layouts, the KSTACK_ERASE_POISON value in the last 2MB
180
180
hole: ffffffffffff4111
+1
-1
Documentation/security/self-protection.rst
+1
-1
Documentation/security/self-protection.rst
···
303
303
304
304
When releasing memory, it is best to poison the contents, to avoid reuse
305
305
attacks that rely on the old contents of memory. E.g., clear stack on a
306
-
syscall return (``CONFIG_GCC_PLUGIN_STACKLEAK``), wipe heap memory on a
306
+
syscall return (``CONFIG_KSTACK_ERASE``), wipe heap memory on a
307
307
free. This frustrates many uninitialized variable attacks, stack content
308
308
exposures, heap content exposures, and use-after-free attacks.
309
309
+1
-1
Documentation/translations/zh_CN/security/self-protection.rst
+1
-1
Documentation/translations/zh_CN/security/self-protection.rst
+2
-2
MAINTAINERS
+2
-2
MAINTAINERS
···
9992
9992
S: Maintained
9993
9993
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
9994
9994
F: Documentation/kbuild/gcc-plugins.rst
9995
-
F: include/linux/stackleak.h
9996
-
F: kernel/stackleak.c
9997
9995
F: scripts/Makefile.gcc-plugins
9998
9996
F: scripts/gcc-plugins/
9999
9997
···
13085
13087
F: Documentation/ABI/testing/sysfs-kernel-oops_count
13086
13088
F: Documentation/ABI/testing/sysfs-kernel-warn_count
13087
13089
F: arch/*/configs/hardening.config
13090
+
F: include/linux/kstack_erase.h
13088
13091
F: include/linux/overflow.h
13089
13092
F: include/linux/randomize_kstack.h
13090
13093
F: include/linux/ucopysize.h
13091
13094
F: kernel/configs/hardening.config
13095
+
F: kernel/kstack_erase.c
13092
13096
F: lib/tests/randstruct_kunit.c
13093
13097
F: lib/tests/usercopy_kunit.c
13094
13098
F: mm/usercopy.c
+2
-2
arch/Kconfig
+2
-2
arch/Kconfig
···
630
630
631
631
If unsure, say N.
632
632
633
-
config HAVE_ARCH_STACKLEAK
633
+
config HAVE_ARCH_KSTACK_ERASE
634
634
bool
635
635
help
636
636
An architecture should select this if it has the code which
637
-
fills the used part of the kernel stack with the STACKLEAK_POISON
637
+
fills the used part of the kernel stack with the KSTACK_ERASE_POISON
638
638
value before returning from system calls.
639
639
640
640
config HAVE_STACKPROTECTOR
+1
-1
arch/arm/Kconfig
+1
-1
arch/arm/Kconfig
···
87
87
select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32 && MMU
88
88
select HAVE_ARCH_KASAN if MMU && !XIP_KERNEL
89
89
select HAVE_ARCH_KASAN_VMALLOC if HAVE_ARCH_KASAN
90
+
select HAVE_ARCH_KSTACK_ERASE
90
91
select HAVE_ARCH_MMAP_RND_BITS if MMU
91
92
select HAVE_ARCH_PFN_VALID
92
93
select HAVE_ARCH_SECCOMP
93
94
select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT
94
-
select HAVE_ARCH_STACKLEAK
95
95
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
96
96
select HAVE_ARCH_TRACEHOOK
97
97
select HAVE_ARCH_TRANSPARENT_HUGEPAGE if ARM_LPAE
+1
-1
arch/arm/boot/compressed/Makefile
+1
-1
arch/arm/boot/compressed/Makefile
+1
-1
arch/arm/kernel/entry-common.S
+1
-1
arch/arm/kernel/entry-common.S
+1
-1
arch/arm64/Kconfig
+1
-1
arch/arm64/Kconfig
···
187
187
select HAVE_ARCH_KCSAN if EXPERT
188
188
select HAVE_ARCH_KFENCE
189
189
select HAVE_ARCH_KGDB
190
+
select HAVE_ARCH_KSTACK_ERASE
190
191
select HAVE_ARCH_MMAP_RND_BITS
191
192
select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
192
193
select HAVE_ARCH_PREL32_RELOCATIONS
193
194
select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
194
195
select HAVE_ARCH_SECCOMP_FILTER
195
-
select HAVE_ARCH_STACKLEAK
196
196
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
197
197
select HAVE_ARCH_TRACEHOOK
198
198
select HAVE_ARCH_TRANSPARENT_HUGEPAGE
+1
-1
arch/arm64/kernel/entry.S
+1
-1
arch/arm64/kernel/entry.S
+1
-1
arch/arm64/kernel/pi/Makefile
+1
-1
arch/arm64/kernel/pi/Makefile
···
2
2
# Copyright 2022 Google LLC
3
3
4
4
KBUILD_CFLAGS := $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) -fpie \
5
-
-Os -DDISABLE_BRANCH_PROFILING $(DISABLE_STACKLEAK_PLUGIN) \
5
+
-Os -DDISABLE_BRANCH_PROFILING $(DISABLE_KSTACK_ERASE) \
6
6
$(DISABLE_LATENT_ENTROPY_PLUGIN) \
7
7
$(call cc-option,-mbranch-protection=none) \
8
8
-I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \
+1
-1
arch/arm64/kvm/hyp/nvhe/Makefile
+1
-1
arch/arm64/kvm/hyp/nvhe/Makefile
···
12
12
ccflags-y := -D__KVM_NVHE_HYPERVISOR__ -D__DISABLE_EXPORTS -D__DISABLE_TRACE_MMIO__
13
13
ccflags-y += -fno-stack-protector \
14
14
-DDISABLE_BRANCH_PROFILING \
15
-
$(DISABLE_STACKLEAK_PLUGIN)
15
+
$(DISABLE_KSTACK_ERASE)
16
16
17
17
hostprogs := gen-hyprel
18
18
HOST_EXTRACFLAGS += -I$(objtree)/include
+1
-1
arch/loongarch/Kconfig
+1
-1
arch/loongarch/Kconfig
···
120
120
select HAVE_ARCH_KASAN
121
121
select HAVE_ARCH_KFENCE
122
122
select HAVE_ARCH_KGDB if PERF_EVENTS
123
+
select HAVE_ARCH_KSTACK_ERASE
123
124
select HAVE_ARCH_MMAP_RND_BITS if MMU
124
125
select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
125
126
select HAVE_ARCH_SECCOMP
126
127
select HAVE_ARCH_SECCOMP_FILTER
127
-
select HAVE_ARCH_STACKLEAK
128
128
select HAVE_ARCH_TRACEHOOK
129
129
select HAVE_ARCH_TRANSPARENT_HUGEPAGE
130
130
select HAVE_ARCH_USERFAULTFD_MINOR if USERFAULTFD
+1
-1
arch/riscv/Kconfig
+1
-1
arch/riscv/Kconfig
···
135
135
select HAVE_ARCH_KASAN if MMU && 64BIT
136
136
select HAVE_ARCH_KASAN_VMALLOC if MMU && 64BIT
137
137
select HAVE_ARCH_KFENCE if MMU && 64BIT
138
+
select HAVE_ARCH_KSTACK_ERASE
138
139
select HAVE_ARCH_KGDB if !XIP_KERNEL
139
140
select HAVE_ARCH_KGDB_QXFER_PKT
140
141
select HAVE_ARCH_MMAP_RND_BITS if MMU
141
142
select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
142
143
select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
143
144
select HAVE_ARCH_SECCOMP_FILTER
144
-
select HAVE_ARCH_STACKLEAK
145
145
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
146
146
select HAVE_ARCH_TRACEHOOK
147
147
select HAVE_ARCH_TRANSPARENT_HUGEPAGE if 64BIT && MMU
+1
-1
arch/riscv/kernel/entry.S
+1
-1
arch/riscv/kernel/entry.S
+1
-1
arch/riscv/kernel/pi/Makefile
+1
-1
arch/riscv/kernel/pi/Makefile
···
2
2
# This file was copied from arm64/kernel/pi/Makefile.
3
3
4
4
KBUILD_CFLAGS := $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) -fpie \
5
-
-Os -DDISABLE_BRANCH_PROFILING $(DISABLE_STACKLEAK_PLUGIN) \
5
+
-Os -DDISABLE_BRANCH_PROFILING $(DISABLE_KSTACK_ERASE) \
6
6
$(call cc-option,-mbranch-protection=none) \
7
7
-I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \
8
8
-include $(srctree)/include/linux/hidden.h \
+1
-1
arch/riscv/purgatory/Makefile
+1
-1
arch/riscv/purgatory/Makefile
···
53
53
54
54
PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel
55
55
PURGATORY_CFLAGS := -mcmodel=medany -ffreestanding -fno-zero-initialized-in-bss
56
-
PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING
56
+
PURGATORY_CFLAGS += $(DISABLE_KSTACK_ERASE) -DDISABLE_BRANCH_PROFILING
57
57
PURGATORY_CFLAGS += -fno-stack-protector -g0
58
58
59
59
# Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
+1
-1
arch/s390/Kconfig
+1
-1
arch/s390/Kconfig
···
176
176
select HAVE_ARCH_KCSAN
177
177
select HAVE_ARCH_KMSAN
178
178
select HAVE_ARCH_KFENCE
179
+
select HAVE_ARCH_KSTACK_ERASE
179
180
select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
180
181
select HAVE_ARCH_SECCOMP_FILTER
181
182
select HAVE_ARCH_SOFT_DIRTY
182
-
select HAVE_ARCH_STACKLEAK
183
183
select HAVE_ARCH_TRACEHOOK
184
184
select HAVE_ARCH_TRANSPARENT_HUGEPAGE
185
185
select HAVE_ARCH_VMAP_STACK
+1
-1
arch/s390/kernel/entry.S
+1
-1
arch/s390/kernel/entry.S
+1
-1
arch/x86/Kconfig
+1
-1
arch/x86/Kconfig
···
204
204
select HAVE_ARCH_KFENCE
205
205
select HAVE_ARCH_KMSAN if X86_64
206
206
select HAVE_ARCH_KGDB
207
+
select HAVE_ARCH_KSTACK_ERASE
207
208
select HAVE_ARCH_MMAP_RND_BITS if MMU
208
209
select HAVE_ARCH_MMAP_RND_COMPAT_BITS if MMU && COMPAT
209
210
select HAVE_ARCH_COMPAT_MMAP_BASES if MMU && COMPAT
210
211
select HAVE_ARCH_PREL32_RELOCATIONS
211
212
select HAVE_ARCH_SECCOMP_FILTER
212
213
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
213
-
select HAVE_ARCH_STACKLEAK
214
214
select HAVE_ARCH_TRACEHOOK
215
215
select HAVE_ARCH_TRANSPARENT_HUGEPAGE
216
216
select HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD if X86_64
+2
-2
arch/x86/entry/calling.h
+2
-2
arch/x86/entry/calling.h
···
369
369
.endm
370
370
371
371
.macro STACKLEAK_ERASE_NOCLOBBER
372
-
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
372
+
#ifdef CONFIG_KSTACK_ERASE
373
373
PUSH_AND_CLEAR_REGS
374
374
call stackleak_erase
375
375
POP_REGS
···
388
388
#endif /* !CONFIG_X86_64 */
389
389
390
390
.macro STACKLEAK_ERASE
391
-
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
391
+
#ifdef CONFIG_KSTACK_ERASE
392
392
call stackleak_erase
393
393
#endif
394
394
.endm
+1
-1
arch/x86/purgatory/Makefile
+1
-1
arch/x86/purgatory/Makefile
···
35
35
PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel
36
36
PURGATORY_CFLAGS := -mcmodel=small -ffreestanding -fno-zero-initialized-in-bss -g0
37
37
PURGATORY_CFLAGS += -fpic -fvisibility=hidden
38
-
PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING
38
+
PURGATORY_CFLAGS += $(DISABLE_KSTACK_ERASE) -DDISABLE_BRANCH_PROFILING
39
39
PURGATORY_CFLAGS += -fno-stack-protector
40
40
41
41
# Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
+4
-4
drivers/firmware/efi/libstub/Makefile
+4
-4
drivers/firmware/efi/libstub/Makefile
···
22
22
23
23
# arm64 uses the full KBUILD_CFLAGS so it's necessary to explicitly
24
24
# disable the stackleak plugin
25
-
cflags-$(CONFIG_ARM64) += -fpie $(DISABLE_STACKLEAK_PLUGIN) \
25
+
cflags-$(CONFIG_ARM64) += -fpie $(DISABLE_KSTACK_ERASE) \
26
26
-fno-unwind-tables -fno-asynchronous-unwind-tables
27
27
cflags-$(CONFIG_ARM) += -DEFI_HAVE_STRLEN -DEFI_HAVE_STRNLEN \
28
28
-DEFI_HAVE_MEMCHR -DEFI_HAVE_STRRCHR \
29
29
-DEFI_HAVE_STRCMP -fno-builtin -fpic \
30
30
$(call cc-option,-mno-single-pic-base) \
31
-
$(DISABLE_STACKLEAK_PLUGIN)
31
+
$(DISABLE_KSTACK_ERASE)
32
32
cflags-$(CONFIG_RISCV) += -fpic -DNO_ALTERNATIVE -mno-relax \
33
-
$(DISABLE_STACKLEAK_PLUGIN)
34
-
cflags-$(CONFIG_LOONGARCH) += -fpie $(DISABLE_STACKLEAK_PLUGIN)
33
+
$(DISABLE_KSTACK_ERASE)
34
+
cflags-$(CONFIG_LOONGARCH) += -fpie $(DISABLE_KSTACK_ERASE)
35
35
36
36
cflags-$(CONFIG_EFI_PARAMS_FROM_FDT) += -I$(srctree)/scripts/dtc/libfdt
37
37
+1
-1
drivers/misc/lkdtm/Makefile
+1
-1
drivers/misc/lkdtm/Makefile
···
8
8
lkdtm-$(CONFIG_LKDTM) += refcount.o
9
9
lkdtm-$(CONFIG_LKDTM) += rodata_objcopy.o
10
10
lkdtm-$(CONFIG_LKDTM) += usercopy.o
11
-
lkdtm-$(CONFIG_LKDTM) += stackleak.o
11
+
lkdtm-$(CONFIG_LKDTM) += kstack_erase.o
12
12
lkdtm-$(CONFIG_LKDTM) += cfi.o
13
13
lkdtm-$(CONFIG_LKDTM) += fortify.o
14
14
lkdtm-$(CONFIG_PPC_64S_HASH_MMU) += powerpc.o
+13
-13
drivers/misc/lkdtm/stackleak.c
drivers/misc/lkdtm/kstack_erase.c
+13
-13
drivers/misc/lkdtm/stackleak.c
drivers/misc/lkdtm/kstack_erase.c
···
1
1
// SPDX-License-Identifier: GPL-2.0
2
2
/*
3
3
* This code tests that the current task stack is properly erased (filled
4
-
* with STACKLEAK_POISON).
4
+
* with KSTACK_ERASE_POISON).
5
5
*
6
6
* Authors:
7
7
* Alexander Popov <alex.popov@linux.com>
···
9
9
*/
10
10
11
11
#include "lkdtm.h"
12
-
#include <linux/stackleak.h>
12
+
#include <linux/kstack_erase.h>
13
13
14
-
#if defined(CONFIG_GCC_PLUGIN_STACKLEAK)
14
+
#if defined(CONFIG_KSTACK_ERASE)
15
15
/*
16
16
* Check that stackleak tracks the lowest stack pointer and erases the stack
17
17
* below this as expected.
···
85
85
while (poison_low > task_stack_low) {
86
86
poison_low -= sizeof(unsigned long);
87
87
88
-
if (*(unsigned long *)poison_low == STACKLEAK_POISON)
88
+
if (*(unsigned long *)poison_low == KSTACK_ERASE_POISON)
89
89
continue;
90
90
91
91
instrumentation_begin();
···
96
96
}
97
97
98
98
instrumentation_begin();
99
-
pr_info("stackleak stack usage:\n"
99
+
pr_info("kstack erase stack usage:\n"
100
100
" high offset: %lu bytes\n"
101
101
" current: %lu bytes\n"
102
102
" lowest: %lu bytes\n"
···
121
121
instrumentation_end();
122
122
}
123
123
124
-
static void lkdtm_STACKLEAK_ERASING(void)
124
+
static void lkdtm_KSTACK_ERASE(void)
125
125
{
126
126
unsigned long flags;
127
127
···
129
129
check_stackleak_irqoff();
130
130
local_irq_restore(flags);
131
131
}
132
-
#else /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
133
-
static void lkdtm_STACKLEAK_ERASING(void)
132
+
#else /* defined(CONFIG_KSTACK_ERASE) */
133
+
static void lkdtm_KSTACK_ERASE(void)
134
134
{
135
-
if (IS_ENABLED(CONFIG_HAVE_ARCH_STACKLEAK)) {
136
-
pr_err("XFAIL: stackleak is not enabled (CONFIG_GCC_PLUGIN_STACKLEAK=n)\n");
135
+
if (IS_ENABLED(CONFIG_HAVE_ARCH_KSTACK_ERASE)) {
136
+
pr_err("XFAIL: stackleak is not enabled (CONFIG_KSTACK_ERASE=n)\n");
137
137
} else {
138
-
pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)\n");
138
+
pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_KSTACK_ERASE=n)\n");
139
139
}
140
140
}
141
-
#endif /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
141
+
#endif /* defined(CONFIG_KSTACK_ERASE) */
142
142
143
143
static struct crashtype crashtypes[] = {
144
-
CRASHTYPE(STACKLEAK_ERASING),
144
+
CRASHTYPE(KSTACK_ERASE),
145
145
};
146
146
147
147
struct crashtype_category stackleak_crashtypes = {
+3
-3
fs/proc/base.c
+3
-3
fs/proc/base.c
···
3291
3291
}
3292
3292
#endif /* CONFIG_KSM */
3293
3293
3294
-
#ifdef CONFIG_STACKLEAK_METRICS
3294
+
#ifdef CONFIG_KSTACK_ERASE_METRICS
3295
3295
static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
3296
3296
struct pid *pid, struct task_struct *task)
3297
3297
{
···
3304
3304
prev_depth, depth);
3305
3305
return 0;
3306
3306
}
3307
-
#endif /* CONFIG_STACKLEAK_METRICS */
3307
+
#endif /* CONFIG_KSTACK_ERASE_METRICS */
3308
3308
3309
3309
/*
3310
3310
* Thread groups
···
3411
3411
#ifdef CONFIG_LIVEPATCH
3412
3412
ONE("patch_state", S_IRUSR, proc_pid_patch_state),
3413
3413
#endif
3414
-
#ifdef CONFIG_STACKLEAK_METRICS
3414
+
#ifdef CONFIG_KSTACK_ERASE_METRICS
3415
3415
ONE("stack_depth", S_IRUGO, proc_stack_depth),
3416
3416
#endif
3417
3417
#ifdef CONFIG_PROC_PID_ARCH_STATUS
+3
-1
include/linux/sched.h
+3
-1
include/linux/sched.h
···
1607
1607
/* Used by BPF for per-TASK xdp storage */
1608
1608
struct bpf_net_context *bpf_net_context;
1609
1609
1610
-
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
1610
+
#ifdef CONFIG_KSTACK_ERASE
1611
1611
unsigned long lowest_stack;
1612
+
#endif
1613
+
#ifdef CONFIG_KSTACK_ERASE_METRICS
1612
1614
unsigned long prev_lowest_stack;
1613
1615
#endif
1614
1616
+9
-9
include/linux/stackleak.h
include/linux/kstack_erase.h
+9
-9
include/linux/stackleak.h
include/linux/kstack_erase.h
···
1
1
/* SPDX-License-Identifier: GPL-2.0 */
2
-
#ifndef _LINUX_STACKLEAK_H
3
-
#define _LINUX_STACKLEAK_H
2
+
#ifndef _LINUX_KSTACK_ERASE_H
3
+
#define _LINUX_KSTACK_ERASE_H
4
4
5
5
#include <linux/sched.h>
6
6
#include <linux/sched/task_stack.h>
···
9
9
* Check that the poison value points to the unused hole in the
10
10
* virtual memory map for your platform.
11
11
*/
12
-
#define STACKLEAK_POISON -0xBEEF
13
-
#define STACKLEAK_SEARCH_DEPTH 128
12
+
#define KSTACK_ERASE_POISON -0xBEEF
13
+
#define KSTACK_ERASE_SEARCH_DEPTH 128
14
14
15
-
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
15
+
#ifdef CONFIG_KSTACK_ERASE
16
16
#include <asm/stacktrace.h>
17
17
#include <linux/linkage.h>
18
18
···
50
50
static __always_inline unsigned long
51
51
stackleak_find_top_of_poison(const unsigned long low, const unsigned long high)
52
52
{
53
-
const unsigned int depth = STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
53
+
const unsigned int depth = KSTACK_ERASE_SEARCH_DEPTH / sizeof(unsigned long);
54
54
unsigned int poison_count = 0;
55
55
unsigned long poison_high = high;
56
56
unsigned long sp = high;
···
58
58
while (sp > low && poison_count < depth) {
59
59
sp -= sizeof(unsigned long);
60
60
61
-
if (*(unsigned long *)sp == STACKLEAK_POISON) {
61
+
if (*(unsigned long *)sp == KSTACK_ERASE_POISON) {
62
62
poison_count++;
63
63
} else {
64
64
poison_count = 0;
···
72
72
static inline void stackleak_task_init(struct task_struct *t)
73
73
{
74
74
t->lowest_stack = stackleak_task_low_bound(t);
75
-
# ifdef CONFIG_STACKLEAK_METRICS
75
+
# ifdef CONFIG_KSTACK_ERASE_METRICS
76
76
t->prev_lowest_stack = t->lowest_stack;
77
77
# endif
78
78
}
···
82
82
asmlinkage void noinstr stackleak_erase_off_task_stack(void);
83
83
void __no_caller_saved_registers noinstr stackleak_track_stack(void);
84
84
85
-
#else /* !CONFIG_GCC_PLUGIN_STACKLEAK */
85
+
#else /* !CONFIG_KSTACK_ERASE */
86
86
static inline void stackleak_task_init(struct task_struct *t) { }
87
87
#endif
88
88
+5
-5
kernel/Makefile
+5
-5
kernel/Makefile
···
139
139
obj-$(CONFIG_RESOURCE_KUNIT_TEST) += resource_kunit.o
140
140
obj-$(CONFIG_SYSCTL_KUNIT_TEST) += sysctl-test.o
141
141
142
-
CFLAGS_stackleak.o += $(DISABLE_STACKLEAK_PLUGIN)
143
-
obj-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak.o
144
-
KASAN_SANITIZE_stackleak.o := n
145
-
KCSAN_SANITIZE_stackleak.o := n
146
-
KCOV_INSTRUMENT_stackleak.o := n
142
+
CFLAGS_kstack_erase.o += $(DISABLE_KSTACK_ERASE)
143
+
obj-$(CONFIG_KSTACK_ERASE) += kstack_erase.o
144
+
KASAN_SANITIZE_kstack_erase.o := n
145
+
KCSAN_SANITIZE_kstack_erase.o := n
146
+
KCOV_INSTRUMENT_kstack_erase.o := n
147
147
148
148
obj-$(CONFIG_SCF_TORTURE_TEST) += scftorture.o
149
149
+1
-1
kernel/fork.c
+1
-1
kernel/fork.c
+9
-9
kernel/stackleak.c
kernel/kstack_erase.c
+9
-9
kernel/stackleak.c
kernel/kstack_erase.c
···
6
6
*
7
7
* Author: Alexander Popov <alex.popov@linux.com>
8
8
*
9
-
* STACKLEAK reduces the information which kernel stack leak bugs can
9
+
* KSTACK_ERASE reduces the information which kernel stack leak bugs can
10
10
* reveal and blocks some uninitialized stack variable attacks.
11
11
*/
12
12
13
-
#include <linux/stackleak.h>
13
+
#include <linux/kstack_erase.h>
14
14
#include <linux/kprobes.h>
15
15
16
-
#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
16
+
#ifdef CONFIG_KSTACK_ERASE_RUNTIME_DISABLE
17
17
#include <linux/jump_label.h>
18
18
#include <linux/string_choices.h>
19
19
#include <linux/sysctl.h>
···
68
68
#define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
69
69
#else
70
70
#define skip_erasing() false
71
-
#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
71
+
#endif /* CONFIG_KSTACK_ERASE_RUNTIME_DISABLE */
72
72
73
73
#ifndef __stackleak_poison
74
74
static __always_inline void __stackleak_poison(unsigned long erase_low,
···
91
91
erase_low = stackleak_find_top_of_poison(task_stack_low,
92
92
current->lowest_stack);
93
93
94
-
#ifdef CONFIG_STACKLEAK_METRICS
94
+
#ifdef CONFIG_KSTACK_ERASE_METRICS
95
95
current->prev_lowest_stack = erase_low;
96
96
#endif
97
97
···
113
113
else
114
114
erase_high = task_stack_high;
115
115
116
-
__stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
116
+
__stackleak_poison(erase_low, erase_high, KSTACK_ERASE_POISON);
117
117
118
118
/* Reset the 'lowest_stack' value for the next syscall */
119
119
current->lowest_stack = task_stack_high;
···
161
161
unsigned long sp = current_stack_pointer;
162
162
163
163
/*
164
-
* Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
165
-
* STACKLEAK_SEARCH_DEPTH makes the poison search in
164
+
* Having CONFIG_KSTACK_ERASE_TRACK_MIN_SIZE larger than
165
+
* KSTACK_ERASE_SEARCH_DEPTH makes the poison search in
166
166
* stackleak_erase() unreliable. Let's prevent that.
167
167
*/
168
-
BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
168
+
BUILD_BUG_ON(CONFIG_KSTACK_ERASE_TRACK_MIN_SIZE > KSTACK_ERASE_SEARCH_DEPTH);
169
169
170
170
/* 'lowest_stack' should be aligned on the register width boundary */
171
171
sp = ALIGN(sp, sizeof(unsigned long));
+1
-1
lib/Makefile
+1
-1
lib/Makefile
···
337
337
UBSAN_SANITIZE_ubsan.o := n
338
338
KASAN_SANITIZE_ubsan.o := n
339
339
KCSAN_SANITIZE_ubsan.o := n
340
-
CFLAGS_ubsan.o := -fno-stack-protector $(DISABLE_STACKLEAK_PLUGIN)
340
+
CFLAGS_ubsan.o := -fno-stack-protector $(DISABLE_KSTACK_ERASE)
341
341
342
342
obj-$(CONFIG_SBITMAP) += sbitmap.o
343
343
+3
-3
scripts/Makefile.gcc-plugins
+3
-3
scripts/Makefile.gcc-plugins
···
12
12
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
13
13
+= -DSTACKLEAK_PLUGIN
14
14
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
15
-
+= -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
15
+
+= -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_KSTACK_ERASE_TRACK_MIN_SIZE)
16
16
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
17
17
+= -fplugin-arg-stackleak_plugin-arch=$(SRCARCH)
18
18
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) \
19
19
+= -fplugin-arg-stackleak_plugin-verbose
20
20
ifdef CONFIG_GCC_PLUGIN_STACKLEAK
21
-
DISABLE_STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-disable
21
+
DISABLE_KSTACK_ERASE += -fplugin-arg-stackleak_plugin-disable
22
22
endif
23
-
export DISABLE_STACKLEAK_PLUGIN
23
+
export DISABLE_KSTACK_ERASE
24
24
25
25
# All the plugin CFLAGS are collected here in case a build target needs to
26
26
# filter them out of the KBUILD_CFLAGS.
+20
-16
security/Kconfig.hardening
+20
-16
security/Kconfig.hardening
···
82
82
83
83
endchoice
84
84
85
-
config GCC_PLUGIN_STACKLEAK
85
+
config KSTACK_ERASE
86
86
bool "Poison kernel stack before returning from syscalls"
87
+
depends on HAVE_ARCH_KSTACK_ERASE
87
88
depends on GCC_PLUGINS
88
-
depends on HAVE_ARCH_STACKLEAK
89
89
help
90
90
This option makes the kernel erase the kernel stack before
91
91
returning from system calls. This has the effect of leaving
···
103
103
are advised to test this feature on your expected workload before
104
104
deploying it.
105
105
106
+
config GCC_PLUGIN_STACKLEAK
107
+
def_bool KSTACK_ERASE
108
+
depends on GCC_PLUGINS
109
+
help
106
110
This plugin was ported from grsecurity/PaX. More information at:
107
111
* https://grsecurity.net/
108
112
* https://pax.grsecurity.net/
···
121
117
instrumented. This is useful for comparing coverage between
122
118
builds.
123
119
124
-
config STACKLEAK_TRACK_MIN_SIZE
125
-
int "Minimum stack frame size of functions tracked by STACKLEAK"
120
+
config KSTACK_ERASE_TRACK_MIN_SIZE
121
+
int "Minimum stack frame size of functions tracked by KSTACK_ERASE"
126
122
default 100
127
123
range 0 4096
128
-
depends on GCC_PLUGIN_STACKLEAK
124
+
depends on KSTACK_ERASE
129
125
help
130
-
The STACKLEAK gcc plugin instruments the kernel code for tracking
126
+
The KSTACK_ERASE option instruments the kernel code for tracking
131
127
the lowest border of the kernel stack (and for some other purposes).
132
128
It inserts the stackleak_track_stack() call for the functions with
133
129
a stack frame size greater than or equal to this parameter.
134
130
If unsure, leave the default value 100.
135
131
136
-
config STACKLEAK_METRICS
137
-
bool "Show STACKLEAK metrics in the /proc file system"
138
-
depends on GCC_PLUGIN_STACKLEAK
132
+
config KSTACK_ERASE_METRICS
133
+
bool "Show KSTACK_ERASE metrics in the /proc file system"
134
+
depends on KSTACK_ERASE
139
135
depends on PROC_FS
140
136
help
141
-
If this is set, STACKLEAK metrics for every task are available in
142
-
the /proc file system. In particular, /proc/<pid>/stack_depth
137
+
If this is set, KSTACK_ERASE metrics for every task are available
138
+
in the /proc file system. In particular, /proc/<pid>/stack_depth
143
139
shows the maximum kernel stack consumption for the current and
144
140
previous syscalls. Although this information is not precise, it
145
-
can be useful for estimating the STACKLEAK performance impact for
146
-
your workloads.
141
+
can be useful for estimating the KSTACK_ERASE performance impact
142
+
for your workloads.
147
143
148
-
config STACKLEAK_RUNTIME_DISABLE
144
+
config KSTACK_ERASE_RUNTIME_DISABLE
149
145
bool "Allow runtime disabling of kernel stack erasing"
150
-
depends on GCC_PLUGIN_STACKLEAK
146
+
depends on KSTACK_ERASE
151
147
help
152
148
This option provides 'stack_erasing' sysctl, which can be used in
153
149
runtime to control kernel stack erasing for kernels built with
154
-
CONFIG_GCC_PLUGIN_STACKLEAK.
150
+
CONFIG_KSTACK_ERASE.
155
151
156
152
config INIT_ON_ALLOC_DEFAULT_ON
157
153
bool "Enable heap memory zeroing on allocation by default"
+1
-1
tools/objtool/check.c
+1
-1
tools/objtool/check.c
···
1192
1192
"__ubsan_handle_type_mismatch_v1",
1193
1193
"__ubsan_handle_shift_out_of_bounds",
1194
1194
"__ubsan_handle_load_invalid_value",
1195
-
/* STACKLEAK */
1195
+
/* KSTACK_ERASE */
1196
1196
"stackleak_track_stack",
1197
1197
/* TRACE_BRANCH_PROFILING */
1198
1198
"ftrace_likely_update",
+1
-1
tools/testing/selftests/lkdtm/config
+1
-1
tools/testing/selftests/lkdtm/config