diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-07 15:44:49 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-07 15:44:49 -0400 |
| commit | 2d60d96b6f00de90ec2bc60eb4cdcc46e1e1f161 (patch) | |
| tree | 32f01785f971d37bfe5521d0af978462a0a33dfb /scripts | |
| parent | eac7078a0fff1e72cf2b641721e3f55ec7e5e21e (diff) | |
| parent | 709a972efb01efaeb97cad1adc87fe400119c8ab (diff) | |
Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull compiler-based variable initialization updates from Kees Cook:
"This is effectively part of my gcc-plugins tree, but as this adds some
Clang support, it felt weird to still call it "gcc-plugins". :)
This consolidates Kconfig for the existing stack variable
initialization (via structleak and stackleak gcc plugins) and adds
Alexander Potapenko's support for Clang's new similar functionality.
Summary:
- Consolidate memory initialization Kconfigs (Kees)
- Implement support for Clang's stack variable auto-init (Alexander)"
* tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
security: Implement Clang's stack initialization
security: Move stackleak config to Kconfig.hardening
security: Create "kernel hardening" config area
Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/gcc-plugins/Kconfig | 126 |
1 files changed, 6 insertions, 120 deletions
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 74271dba4f94..80220ed26a35 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig | |||
| @@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS | |||
| 13 | An arch should select this symbol if it supports building with | 13 | An arch should select this symbol if it supports building with |
| 14 | GCC plugins. | 14 | GCC plugins. |
| 15 | 15 | ||
| 16 | menuconfig GCC_PLUGINS | 16 | config GCC_PLUGINS |
| 17 | bool "GCC plugins" | 17 | bool |
| 18 | depends on HAVE_GCC_PLUGINS | 18 | depends on HAVE_GCC_PLUGINS |
| 19 | depends on PLUGIN_HOSTCC != "" | 19 | depends on PLUGIN_HOSTCC != "" |
| 20 | default y | ||
| 20 | help | 21 | help |
| 21 | GCC plugins are loadable modules that provide extra features to the | 22 | GCC plugins are loadable modules that provide extra features to the |
| 22 | compiler. They are useful for runtime instrumentation and static analysis. | 23 | compiler. They are useful for runtime instrumentation and static analysis. |
| 23 | 24 | ||
| 24 | See Documentation/gcc-plugins.txt for details. | 25 | See Documentation/gcc-plugins.txt for details. |
| 25 | 26 | ||
| 26 | if GCC_PLUGINS | 27 | menu "GCC plugins" |
| 28 | depends on GCC_PLUGINS | ||
| 27 | 29 | ||
| 28 | config GCC_PLUGIN_CYC_COMPLEXITY | 30 | config GCC_PLUGIN_CYC_COMPLEXITY |
| 29 | bool "Compute the cyclomatic complexity of a function" if EXPERT | 31 | bool "Compute the cyclomatic complexity of a function" if EXPERT |
| @@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY | |||
| 66 | * https://grsecurity.net/ | 68 | * https://grsecurity.net/ |
| 67 | * https://pax.grsecurity.net/ | 69 | * https://pax.grsecurity.net/ |
| 68 | 70 | ||
| 69 | config GCC_PLUGIN_STRUCTLEAK | ||
| 70 | bool "Zero initialize stack variables" | ||
| 71 | help | ||
| 72 | While the kernel is built with warnings enabled for any missed | ||
| 73 | stack variable initializations, this warning is silenced for | ||
| 74 | anything passed by reference to another function, under the | ||
| 75 | occasionally misguided assumption that the function will do | ||
| 76 | the initialization. As this regularly leads to exploitable | ||
| 77 | flaws, this plugin is available to identify and zero-initialize | ||
| 78 | such variables, depending on the chosen level of coverage. | ||
| 79 | |||
| 80 | This plugin was originally ported from grsecurity/PaX. More | ||
| 81 | information at: | ||
| 82 | * https://grsecurity.net/ | ||
| 83 | * https://pax.grsecurity.net/ | ||
| 84 | |||
| 85 | choice | ||
| 86 | prompt "Coverage" | ||
| 87 | depends on GCC_PLUGIN_STRUCTLEAK | ||
| 88 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | ||
| 89 | help | ||
| 90 | This chooses the level of coverage over classes of potentially | ||
| 91 | uninitialized variables. The selected class will be | ||
| 92 | zero-initialized before use. | ||
| 93 | |||
| 94 | config GCC_PLUGIN_STRUCTLEAK_USER | ||
| 95 | bool "structs marked for userspace" | ||
| 96 | help | ||
| 97 | Zero-initialize any structures on the stack containing | ||
| 98 | a __user attribute. This can prevent some classes of | ||
| 99 | uninitialized stack variable exploits and information | ||
| 100 | exposures, like CVE-2013-2141: | ||
| 101 | https://git.kernel.org/linus/b9e146d8eb3b9eca | ||
| 102 | |||
| 103 | config GCC_PLUGIN_STRUCTLEAK_BYREF | ||
| 104 | bool "structs passed by reference" | ||
| 105 | help | ||
| 106 | Zero-initialize any structures on the stack that may | ||
| 107 | be passed by reference and had not already been | ||
| 108 | explicitly initialized. This can prevent most classes | ||
| 109 | of uninitialized stack variable exploits and information | ||
| 110 | exposures, like CVE-2017-1000410: | ||
| 111 | https://git.kernel.org/linus/06e7e776ca4d3654 | ||
| 112 | |||
| 113 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | ||
| 114 | bool "anything passed by reference" | ||
| 115 | help | ||
| 116 | Zero-initialize any stack variables that may be passed | ||
| 117 | by reference and had not already been explicitly | ||
| 118 | initialized. This is intended to eliminate all classes | ||
| 119 | of uninitialized stack variable exploits and information | ||
| 120 | exposures. | ||
| 121 | |||
| 122 | endchoice | ||
| 123 | |||
| 124 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE | ||
| 125 | bool "Report forcefully initialized variables" | ||
| 126 | depends on GCC_PLUGIN_STRUCTLEAK | ||
| 127 | depends on !COMPILE_TEST # too noisy | ||
| 128 | help | ||
| 129 | This option will cause a warning to be printed each time the | ||
| 130 | structleak plugin finds a variable it thinks needs to be | ||
| 131 | initialized. Since not all existing initializers are detected | ||
| 132 | by the plugin, this can produce false positive warnings. | ||
| 133 | |||
| 134 | config GCC_PLUGIN_RANDSTRUCT | 71 | config GCC_PLUGIN_RANDSTRUCT |
| 135 | bool "Randomize layout of sensitive kernel structures" | 72 | bool "Randomize layout of sensitive kernel structures" |
| 136 | select MODVERSIONS if MODULES | 73 | select MODVERSIONS if MODULES |
| @@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | |||
| 171 | in structures. This reduces the performance hit of RANDSTRUCT | 108 | in structures. This reduces the performance hit of RANDSTRUCT |
| 172 | at the cost of weakened randomization. | 109 | at the cost of weakened randomization. |
| 173 | 110 | ||
| 174 | config GCC_PLUGIN_STACKLEAK | ||
| 175 | bool "Erase the kernel stack before returning from syscalls" | ||
| 176 | depends on GCC_PLUGINS | ||
| 177 | depends on HAVE_ARCH_STACKLEAK | ||
| 178 | help | ||
| 179 | This option makes the kernel erase the kernel stack before | ||
| 180 | returning from system calls. That reduces the information which | ||
| 181 | kernel stack leak bugs can reveal and blocks some uninitialized | ||
| 182 | stack variable attacks. | ||
| 183 | |||
| 184 | The tradeoff is the performance impact: on a single CPU system kernel | ||
| 185 | compilation sees a 1% slowdown, other systems and workloads may vary | ||
| 186 | and you are advised to test this feature on your expected workload | ||
| 187 | before deploying it. | ||
| 188 | |||
| 189 | This plugin was ported from grsecurity/PaX. More information at: | ||
| 190 | * https://grsecurity.net/ | ||
| 191 | * https://pax.grsecurity.net/ | ||
| 192 | |||
| 193 | config STACKLEAK_TRACK_MIN_SIZE | ||
| 194 | int "Minimum stack frame size of functions tracked by STACKLEAK" | ||
| 195 | default 100 | ||
| 196 | range 0 4096 | ||
| 197 | depends on GCC_PLUGIN_STACKLEAK | ||
| 198 | help | ||
| 199 | The STACKLEAK gcc plugin instruments the kernel code for tracking | ||
| 200 | the lowest border of the kernel stack (and for some other purposes). | ||
| 201 | It inserts the stackleak_track_stack() call for the functions with | ||
| 202 | a stack frame size greater than or equal to this parameter. | ||
| 203 | If unsure, leave the default value 100. | ||
| 204 | |||
| 205 | config STACKLEAK_METRICS | ||
| 206 | bool "Show STACKLEAK metrics in the /proc file system" | ||
| 207 | depends on GCC_PLUGIN_STACKLEAK | ||
| 208 | depends on PROC_FS | ||
| 209 | help | ||
| 210 | If this is set, STACKLEAK metrics for every task are available in | ||
| 211 | the /proc file system. In particular, /proc/<pid>/stack_depth | ||
| 212 | shows the maximum kernel stack consumption for the current and | ||
| 213 | previous syscalls. Although this information is not precise, it | ||
| 214 | can be useful for estimating the STACKLEAK performance impact for | ||
| 215 | your workloads. | ||
| 216 | |||
| 217 | config STACKLEAK_RUNTIME_DISABLE | ||
| 218 | bool "Allow runtime disabling of kernel stack erasing" | ||
| 219 | depends on GCC_PLUGIN_STACKLEAK | ||
| 220 | help | ||
| 221 | This option provides 'stack_erasing' sysctl, which can be used in | ||
| 222 | runtime to control kernel stack erasing for kernels built with | ||
| 223 | CONFIG_GCC_PLUGIN_STACKLEAK. | ||
| 224 | |||
| 225 | config GCC_PLUGIN_ARM_SSP_PER_TASK | 111 | config GCC_PLUGIN_ARM_SSP_PER_TASK |
| 226 | bool | 112 | bool |
| 227 | depends on GCC_PLUGINS && ARM | 113 | depends on GCC_PLUGINS && ARM |
| 228 | 114 | ||
| 229 | endif | 115 | endmenu |