Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

stack: Introduce CONFIG_RANDOMIZE_KSTACK_OFFSET

The randomize_kstack_offset feature is unconditionally compiled in when
the architecture supports it.

To add constraints on compiler versions, we require a dedicated Kconfig
variable. Therefore, introduce RANDOMIZE_KSTACK_OFFSET.

Furthermore, this option is now also configurable by EXPERT kernels:
while the feature is supposed to have zero performance overhead when
disabled, due to its use of static branches, there are a few cases where
giving a distribution the option to disable the feature entirely makes
sense. For example, in very resource-constrained environments, which
would never enable the feature to begin with, in which case the
additional kernel code size increase would be redundant.

Signed-off-by: Marco Elver <elver@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220131090521.1947110-1-elver@google.com
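The commit message above distinguishes two switches: the boot-time one (the randomize_kstack_offset= parameter, a static key in the kernel) and the new build-time one (CONFIG_RANDOMIZE_KSTACK_OFFSET, which compiles the entry/exit macros down to nothing). The following is an added user-space model of both, written for this page and not code from the kernel or from the patch. It assumes a 0x3FF offset mask, a plain flag in place of the static key, a local variable in place of the per-CPU kstack_offset, and a constructed entropy sequence; MODEL_RANDOMIZE_KSTACK_OFFSET is a hypothetical macro standing in for the Kconfig symbol. Built with -DMODEL_RANDOMIZE_KSTACK_OFFSET=0 it uses the same empty stubs the patch adds to randomize_kstack.h.

```c
/*
 * Added example, not kernel code: a user-space model of the runtime switch
 * (randomize_kstack_offset= boot param, a static key in the kernel) and the
 * compile-time switch (CONFIG_RANDOMIZE_KSTACK_OFFSET, stubs when =n).
 * Build with -DMODEL_RANDOMIZE_KSTACK_OFFSET=0 for the stubbed-out variant.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed mask (not a constant shown on this page): 16-byte stack alignment
 * of a 10-bit offset leaves roughly 6 usable bits of frame position. */
#define KSTACK_OFFSET_MASK 0x3FFu

#ifndef MODEL_RANDOMIZE_KSTACK_OFFSET   /* hypothetical stand-in for the Kconfig symbol */
#define MODEL_RANDOMIZE_KSTACK_OFFSET 1
#endif

/* Stands in for the randomize_kstack_offset static key (the boot param). */
static int randomize_kstack_offset_enabled = 1;

void set_randomize_kstack_offset(int on)
{
	randomize_kstack_offset_enabled = on;
}

#if MODEL_RANDOMIZE_KSTACK_OFFSET
/* Stands in for the per-CPU kstack_offset variable. */
static uint32_t kstack_offset;

/* Syscall entry: consume the offset chosen by the previous syscall and grow
 * the stack by it, so the handler's frame lands at a shifted address. The
 * empty asm keeps the alloca from being optimised away. */
#define add_random_kstack_offset() do {					\
	if (randomize_kstack_offset_enabled) {				\
		uint32_t offset = kstack_offset & KSTACK_OFFSET_MASK;	\
		uint8_t *ptr = __builtin_alloca(offset);		\
		__asm__ volatile("" : : "r"(ptr) : "memory");		\
	}								\
} while (0)

/* Syscall exit: fold fresh entropy into the offset the *next* syscall will
 * use, so the current syscall cannot observe the value it ran with. */
#define choose_random_kstack_offset(rand) do {				\
	if (randomize_kstack_offset_enabled) {				\
		uint32_t offset = kstack_offset;			\
		offset ^= (rand);					\
		kstack_offset = offset;					\
	}								\
} while (0)
#else /* the patch's CONFIG_RANDOMIZE_KSTACK_OFFSET=n stubs */
#define add_random_kstack_offset() do { } while (0)
#define choose_random_kstack_offset(rand) do { } while (0)
#endif

/* The "syscall handler": reports where its own frame ended up. It must be a
 * real callee so it sits below whatever add_random_kstack_offset() grew. */
static __attribute__((noinline)) uintptr_t handler_frame_address(void)
{
	volatile uint8_t frame[64];
	frame[0] = 0;
	return (uintptr_t)frame;
}

/* One modelled syscall: entry hook, handler, exit hook. */
static __attribute__((noinline)) uintptr_t model_syscall(uint32_t entropy_for_next)
{
	uintptr_t addr;
	(void)entropy_for_next;	/* only unused in the stubbed build */
	add_random_kstack_offset();
	addr = handler_frame_address();
	choose_random_kstack_offset(entropy_for_next);
	return addr;
}

/* Issues n syscalls from one call site and counts distinct handler frame
 * addresses; a deterministic stack yields 1. */
size_t distinct_frame_addresses(const uint32_t *entropy, size_t n)
{
	uintptr_t seen[64];
	size_t distinct = 0, i, j;

	if (n > 64)
		n = 64;
	for (i = 0; i < n; i++) {
		uintptr_t addr = model_syscall(entropy[i]);
		for (j = 0; j < distinct; j++)
			if (seen[j] == addr)
				break;
		if (j == distinct)
			seen[distinct++] = addr;
	}
	return distinct;
}

/* Constructed entropy: XOR-accumulated, it yields offsets 0, 0x100, 0x200, 0x300
 * and returns kstack_offset to 0 afterwards. */
const uint32_t sample_entropy[4] = { 0x100, 0x300, 0x100, 0x300 };

int main(void)
{
	set_randomize_kstack_offset(1);
	printf("randomize_kstack_offset=on : %zu distinct frame addresses\n",
	       distinct_frame_addresses(sample_entropy, 4));
	set_randomize_kstack_offset(0);
	printf("randomize_kstack_offset=off: %zu distinct frame addresses\n",
	       distinct_frame_addresses(sample_entropy, 4));
	return 0;
}
```

With the model enabled, four syscalls from the same call site put the handler frame at four different addresses, and flipping the flag off collapses them to one, which is the boot-param path. Building with the stubs removes the alloca, the flag test and the per-CPU state altogether, which is the code-size saving the commit message gives as the reason for the new Kconfig symbol.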

Authored by Marco Elver and committed by Kees Cook
8cb37a59 ae978009

+24 -6
+18 -5
arch/Kconfig
··· 1159 1159 to the compiler, so it will attempt to add canary checks regardless 1160 1160 of the static branch state. 1161 1161 1162 - config RANDOMIZE_KSTACK_OFFSET_DEFAULT 1163 - bool "Randomize kernel stack offset on syscall entry" 1162 + config RANDOMIZE_KSTACK_OFFSET 1163 + bool "Support for randomizing kernel stack offset on syscall entry" if EXPERT 1164 + default y 1164 1165 depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET 1165 1166 help 1166 1167 The kernel stack offset can be randomized (after pt_regs) by 1167 1168 roughly 5 bits of entropy, frustrating memory corruption 1168 1169 attacks that depend on stack address determinism or 1169 - cross-syscall address exposures. This feature is controlled 1170 - by kernel boot param "randomize_kstack_offset=on/off", and this 1171 - config chooses the default boot state. 1170 + cross-syscall address exposures. 1171 + 1172 + The feature is controlled via the "randomize_kstack_offset=on/off" 1173 + kernel boot param, and if turned off has zero overhead due to its use 1174 + of static branches (see JUMP_LABEL). 1175 + 1176 + If unsure, say Y. 1177 + 1178 + config RANDOMIZE_KSTACK_OFFSET_DEFAULT 1179 + bool "Default state of kernel stack offset randomization" 1180 + depends on RANDOMIZE_KSTACK_OFFSET 1181 + help 1182 + Kernel stack offset randomization is controlled by kernel boot param 1183 + "randomize_kstack_offset=on/off", and this config chooses the default 1184 + boot state. 1172 1185 1173 1186 config ARCH_OPTIONAL_KERNEL_RWX 1174 1187 def_bool n
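Review bot: the new RANDOMIZE_KSTACK_OFFSET help text claims the feature "if turned off has zero overhead", but the commit message itself gives the residual code-size cost as the reason this option exists; "zero runtime overhead" is the accurate wording. Two smaller points in the same block: because the prompt is `if EXPERT` with `default y`, a non-EXPERT config gets the option enabled without ever seeing it, which the help text could state so that a distro knows where to look; and RANDOMIZE_KSTACK_OFFSET_DEFAULT now sits under the new symbol but carries no "If unsure" line, so it is unclear to a reader of menuconfig which of the two entries they are expected to flip.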
+5
include/linux/randomize_kstack.h
··· 2 2 #ifndef _LINUX_RANDOMIZE_KSTACK_H 3 3 #define _LINUX_RANDOMIZE_KSTACK_H 4 4 5 + #ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET 5 6 #include <linux/kernel.h> 6 7 #include <linux/jump_label.h> 7 8 #include <linux/percpu-defs.h> ··· 51 50 raw_cpu_write(kstack_offset, offset); \ 52 51 } \ 53 52 } while (0) 53 + #else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */ 54 + #define add_random_kstack_offset() do { } while (0) 55 + #define choose_random_kstack_offset(rand) do { } while (0) 56 + #endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */ 54 57 55 58 #endif
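Review bot: the stub `#define choose_random_kstack_offset(rand) do { } while (0)` in the new `#else` branch discards its argument, so with the option off the argument expression is never evaluated. That is the intended zero-overhead behaviour, but it also means a caller that passes an expression with side effects, or a local that is only used there, will silently change behaviour or draw an unused-variable warning in an =n build; a one-line comment beside the stubs saying callers must pass a side-effect-free expression would make the contract explicit. Note also that the `#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET` now encloses the `#include` lines, so an =n build of this header pulls in nothing; fine as long as no includer relies on it for linux/kernel.h or linux/jump_label.h.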
+1 -1
init/main.c
··· 853 853 pti_init(); 854 854 } 855 855 856 - #ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET 856 + #ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET 857 857 DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, 858 858 randomize_kstack_offset); 859 859 DEFINE_PER_CPU(u32, kstack_offset);
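Review bot: changing the guard from CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET to CONFIG_RANDOMIZE_KSTACK_OFFSET removes the static key and the per-CPU kstack_offset in an =n build, which matches the header stubs, but it also removes whatever else sits inside this `#ifdef` block, and if the early_param handler for the randomize_kstack_offset= parameter that the Kconfig help text points at is among it, that parameter becomes an unknown boot option when the feature is compiled out. Worth a sentence in the RANDOMIZE_KSTACK_OFFSET help text saying the boot param only exists when the option is enabled, so a distro that compiles it out is not assumed to honour `randomize_kstack_offset=on`.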