Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull compiler-based variable initialization updates from Kees Cook: "This is effectively part of my gcc-plugins tree, but as this adds some Clang support, it felt weird to still call it "gcc-plugins". :) This consolidates Kconfig for the existing stack variable initialization (via structleak and stackleak gcc plugins) and adds Alexander Potapenko's support for Clang's new similar functionality. Summary: - Consolidate memory initialization Kconfigs (Kees) - Implement support for Clang's stack variable auto-init (Alexander)" * tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: security: Implement Clang's stack initialization security: Move stackleak config to Kconfig.hardening security: Create "kernel hardening" config area
This commit is contained in:
Linus Torvalds
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
|
||||
An arch should select this symbol if it supports building with
|
||||
GCC plugins.
|
||||
|
||||
menuconfig GCC_PLUGINS
|
||||
bool "GCC plugins"
|
||||
config GCC_PLUGINS
|
||||
bool
|
||||
depends on HAVE_GCC_PLUGINS
|
||||
depends on PLUGIN_HOSTCC != ""
|
||||
default y
|
||||
help
|
||||
GCC plugins are loadable modules that provide extra features to the
|
||||
compiler. They are useful for runtime instrumentation and static analysis.
|
||||
|
||||
See Documentation/gcc-plugins.txt for details.
|
||||
|
||||
if GCC_PLUGINS
|
||||
menu "GCC plugins"
|
||||
depends on GCC_PLUGINS
|
||||
|
||||
config GCC_PLUGIN_CYC_COMPLEXITY
|
||||
bool "Compute the cyclomatic complexity of a function" if EXPERT
|
||||
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
|
||||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK
|
||||
bool "Zero initialize stack variables"
|
||||
help
|
||||
While the kernel is built with warnings enabled for any missed
|
||||
stack variable initializations, this warning is silenced for
|
||||
anything passed by reference to another function, under the
|
||||
occasionally misguided assumption that the function will do
|
||||
the initialization. As this regularly leads to exploitable
|
||||
flaws, this plugin is available to identify and zero-initialize
|
||||
such variables, depending on the chosen level of coverage.
|
||||
|
||||
This plugin was originally ported from grsecurity/PaX. More
|
||||
information at:
|
||||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
choice
|
||||
prompt "Coverage"
|
||||
depends on GCC_PLUGIN_STRUCTLEAK
|
||||
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
||||
help
|
||||
This chooses the level of coverage over classes of potentially
|
||||
uninitialized variables. The selected class will be
|
||||
zero-initialized before use.
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_USER
|
||||
bool "structs marked for userspace"
|
||||
help
|
||||
Zero-initialize any structures on the stack containing
|
||||
a __user attribute. This can prevent some classes of
|
||||
uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2013-2141:
|
||||
https://git.kernel.org/linus/b9e146d8eb3b9eca
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF
|
||||
bool "structs passed by reference"
|
||||
help
|
||||
Zero-initialize any structures on the stack that may
|
||||
be passed by reference and had not already been
|
||||
explicitly initialized. This can prevent most classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2017-1000410:
|
||||
https://git.kernel.org/linus/06e7e776ca4d3654
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
||||
bool "anything passed by reference"
|
||||
help
|
||||
Zero-initialize any stack variables that may be passed
|
||||
by reference and had not already been explicitly
|
||||
initialized. This is intended to eliminate all classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures.
|
||||
|
||||
endchoice
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
||||
bool "Report forcefully initialized variables"
|
||||
depends on GCC_PLUGIN_STRUCTLEAK
|
||||
depends on !COMPILE_TEST # too noisy
|
||||
help
|
||||
This option will cause a warning to be printed each time the
|
||||
structleak plugin finds a variable it thinks needs to be
|
||||
initialized. Since not all existing initializers are detected
|
||||
by the plugin, this can produce false positive warnings.
|
||||
|
||||
config GCC_PLUGIN_RANDSTRUCT
|
||||
bool "Randomize layout of sensitive kernel structures"
|
||||
select MODVERSIONS if MODULES
|
||||
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
|
||||
in structures. This reduces the performance hit of RANDSTRUCT
|
||||
at the cost of weakened randomization.
|
||||
|
||||
config GCC_PLUGIN_STACKLEAK
|
||||
bool "Erase the kernel stack before returning from syscalls"
|
||||
depends on GCC_PLUGINS
|
||||
depends on HAVE_ARCH_STACKLEAK
|
||||
help
|
||||
This option makes the kernel erase the kernel stack before
|
||||
returning from system calls. That reduces the information which
|
||||
kernel stack leak bugs can reveal and blocks some uninitialized
|
||||
stack variable attacks.
|
||||
|
||||
The tradeoff is the performance impact: on a single CPU system kernel
|
||||
compilation sees a 1% slowdown, other systems and workloads may vary
|
||||
and you are advised to test this feature on your expected workload
|
||||
before deploying it.
|
||||
|
||||
This plugin was ported from grsecurity/PaX. More information at:
|
||||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
config STACKLEAK_TRACK_MIN_SIZE
|
||||
int "Minimum stack frame size of functions tracked by STACKLEAK"
|
||||
default 100
|
||||
range 0 4096
|
||||
depends on GCC_PLUGIN_STACKLEAK
|
||||
help
|
||||
The STACKLEAK gcc plugin instruments the kernel code for tracking
|
||||
the lowest border of the kernel stack (and for some other purposes).
|
||||
It inserts the stackleak_track_stack() call for the functions with
|
||||
a stack frame size greater than or equal to this parameter.
|
||||
If unsure, leave the default value 100.
|
||||
|
||||
config STACKLEAK_METRICS
|
||||
bool "Show STACKLEAK metrics in the /proc file system"
|
||||
depends on GCC_PLUGIN_STACKLEAK
|
||||
depends on PROC_FS
|
||||
help
|
||||
If this is set, STACKLEAK metrics for every task are available in
|
||||
the /proc file system. In particular, /proc/<pid>/stack_depth
|
||||
shows the maximum kernel stack consumption for the current and
|
||||
previous syscalls. Although this information is not precise, it
|
||||
can be useful for estimating the STACKLEAK performance impact for
|
||||
your workloads.
|
||||
|
||||
config STACKLEAK_RUNTIME_DISABLE
|
||||
bool "Allow runtime disabling of kernel stack erasing"
|
||||
depends on GCC_PLUGIN_STACKLEAK
|
||||
help
|
||||
This option provides 'stack_erasing' sysctl, which can be used in
|
||||
runtime to control kernel stack erasing for kernels built with
|
||||
CONFIG_GCC_PLUGIN_STACKLEAK.
|
||||
|
||||
config GCC_PLUGIN_ARM_SSP_PER_TASK
|
||||
bool
|
||||
depends on GCC_PLUGINS && ARM
|
||||
|
||||
endif
|
||||
endmenu
|
||||
|
||||
Reference in New Issue
Block a user