diff options
| author | Kees Cook <keescook@chromium.org> | 2019-04-10 11:48:31 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2019-04-24 17:00:56 -0400 |
| commit | 709a972efb01efaeb97cad1adc87fe400119c8ab (patch) | |
| tree | 395292ab51f012c21b436c404811e810bc863b4d /security/Kconfig.hardening | |
| parent | b6a6a3772d20b8552e703bb2a651760a22167cf6 (diff) | |
security: Implement Clang's stack initialization
CONFIG_INIT_STACK_ALL turns on stack initialization based on
-ftrivial-auto-var-init in Clang builds, which has greater coverage
than CONFIG_GCC_PLUGINS_STRUCTLEAK_BYREF_ALL.
-ftrivial-auto-var-init Clang option provides trivial initializers for
uninitialized local variables, variable fields and padding.
It has three possible values:
pattern - uninitialized locals are filled with a fixed pattern
(mostly 0xAA on 64-bit platforms, see https://reviews.llvm.org/D54604
for more details, but 0x000000AA for 32-bit pointers) likely to cause
crashes when uninitialized value is used;
zero (it's still debated whether this flag makes it to the official
Clang release) - uninitialized locals are filled with zeroes;
uninitialized (default) - uninitialized locals are left intact.
This patch uses only the "pattern" mode when CONFIG_INIT_STACK_ALL is
enabled.
Developers have the possibility to opt-out of this feature on a
per-variable basis by using __attribute__((uninitialized)), but such
use should be well justified in comments.
Co-developed-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Alexander Potapenko <glider@google.com>
Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Diffstat (limited to 'security/Kconfig.hardening')
| -rw-r--r-- | security/Kconfig.hardening | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index a96d4a43ca65..0a1d4ca314f4 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening | |||
| @@ -18,9 +18,13 @@ config GCC_PLUGIN_STRUCTLEAK | |||
| 18 | 18 | ||
| 19 | menu "Memory initialization" | 19 | menu "Memory initialization" |
| 20 | 20 | ||
| 21 | config CC_HAS_AUTO_VAR_INIT | ||
| 22 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) | ||
| 23 | |||
| 21 | choice | 24 | choice |
| 22 | prompt "Initialize kernel stack variables at function entry" | 25 | prompt "Initialize kernel stack variables at function entry" |
| 23 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS | 26 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS |
| 27 | default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT | ||
| 24 | default INIT_STACK_NONE | 28 | default INIT_STACK_NONE |
| 25 | help | 29 | help |
| 26 | This option enables initialization of stack variables at | 30 | This option enables initialization of stack variables at |
| @@ -76,6 +80,16 @@ choice | |||
| 76 | of uninitialized stack variable exploits and information | 80 | of uninitialized stack variable exploits and information |
| 77 | exposures. | 81 | exposures. |
| 78 | 82 | ||
| 83 | config INIT_STACK_ALL | ||
| 84 | bool "0xAA-init everything on the stack (strongest)" | ||
| 85 | depends on CC_HAS_AUTO_VAR_INIT | ||
| 86 | help | ||
| 87 | Initializes everything on the stack with a 0xAA | ||
| 88 | pattern. This is intended to eliminate all classes | ||
| 89 | of uninitialized stack variable exploits and information | ||
| 90 | exposures, even variables that were warned to have been | ||
| 91 | left uninitialized. | ||
| 92 | |||
| 79 | endchoice | 93 | endchoice |
| 80 | 94 | ||
| 81 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE | 95 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE |