diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-07 15:44:49 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-07 15:44:49 -0400 |
| commit | 2d60d96b6f00de90ec2bc60eb4cdcc46e1e1f161 (patch) | |
| tree | 32f01785f971d37bfe5521d0af978462a0a33dfb /security | |
| parent | eac7078a0fff1e72cf2b641721e3f55ec7e5e21e (diff) | |
| parent | 709a972efb01efaeb97cad1adc87fe400119c8ab (diff) | |
Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull compiler-based variable initialization updates from Kees Cook:
"This is effectively part of my gcc-plugins tree, but as this adds some
Clang support, it felt weird to still call it "gcc-plugins". :)
This consolidates Kconfig for the existing stack variable
initialization (via structleak and stackleak gcc plugins) and adds
Alexander Potapenko's support for Clang's new similar functionality.
Summary:
- Consolidate memory initialization Kconfigs (Kees)
- Implement support for Clang's stack variable auto-init (Alexander)"
* tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
security: Implement Clang's stack initialization
security: Move stackleak config to Kconfig.hardening
security: Create "kernel hardening" config area
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 2 | ||||
| -rw-r--r-- | security/Kconfig.hardening | 164 |
2 files changed, 166 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig index 353cfef71d4e..aeac3676dd4d 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -287,5 +287,7 @@ config LSM | |||
| 287 | 287 | ||
| 288 | If unsure, leave this as the default. | 288 | If unsure, leave this as the default. |
| 289 | 289 | ||
| 290 | source "security/Kconfig.hardening" | ||
| 291 | |||
| 290 | endmenu | 292 | endmenu |
| 291 | 293 | ||
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening new file mode 100644 index 000000000000..0a1d4ca314f4 --- /dev/null +++ b/security/Kconfig.hardening | |||
| @@ -0,0 +1,164 @@ | |||
| 1 | menu "Kernel hardening options" | ||
| 2 | |||
| 3 | config GCC_PLUGIN_STRUCTLEAK | ||
| 4 | bool | ||
| 5 | help | ||
| 6 | While the kernel is built with warnings enabled for any missed | ||
| 7 | stack variable initializations, this warning is silenced for | ||
| 8 | anything passed by reference to another function, under the | ||
| 9 | occasionally misguided assumption that the function will do | ||
| 10 | the initialization. As this regularly leads to exploitable | ||
| 11 | flaws, this plugin is available to identify and zero-initialize | ||
| 12 | such variables, depending on the chosen level of coverage. | ||
| 13 | |||
| 14 | This plugin was originally ported from grsecurity/PaX. More | ||
| 15 | information at: | ||
| 16 | * https://grsecurity.net/ | ||
| 17 | * https://pax.grsecurity.net/ | ||
| 18 | |||
| 19 | menu "Memory initialization" | ||
| 20 | |||
| 21 | config CC_HAS_AUTO_VAR_INIT | ||
| 22 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) | ||
| 23 | |||
| 24 | choice | ||
| 25 | prompt "Initialize kernel stack variables at function entry" | ||
| 26 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS | ||
| 27 | default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT | ||
| 28 | default INIT_STACK_NONE | ||
| 29 | help | ||
| 30 | This option enables initialization of stack variables at | ||
| 31 | function entry time. This has the possibility to have the | ||
| 32 | greatest coverage (since all functions can have their | ||
| 33 | variables initialized), but the performance impact depends | ||
| 34 | on the function calling complexity of a given workload's | ||
| 35 | syscalls. | ||
| 36 | |||
| 37 | This chooses the level of coverage over classes of potentially | ||
| 38 | uninitialized variables. The selected class will be | ||
| 39 | initialized before use in a function. | ||
| 40 | |||
| 41 | config INIT_STACK_NONE | ||
| 42 | bool "no automatic initialization (weakest)" | ||
| 43 | help | ||
| 44 | Disable automatic stack variable initialization. | ||
| 45 | This leaves the kernel vulnerable to the standard | ||
| 46 | classes of uninitialized stack variable exploits | ||
| 47 | and information exposures. | ||
| 48 | |||
| 49 | config GCC_PLUGIN_STRUCTLEAK_USER | ||
| 50 | bool "zero-init structs marked for userspace (weak)" | ||
| 51 | depends on GCC_PLUGINS | ||
| 52 | select GCC_PLUGIN_STRUCTLEAK | ||
| 53 | help | ||
| 54 | Zero-initialize any structures on the stack containing | ||
| 55 | a __user attribute. This can prevent some classes of | ||
| 56 | uninitialized stack variable exploits and information | ||
| 57 | exposures, like CVE-2013-2141: | ||
| 58 | https://git.kernel.org/linus/b9e146d8eb3b9eca | ||
| 59 | |||
| 60 | config GCC_PLUGIN_STRUCTLEAK_BYREF | ||
| 61 | bool "zero-init structs passed by reference (strong)" | ||
| 62 | depends on GCC_PLUGINS | ||
| 63 | select GCC_PLUGIN_STRUCTLEAK | ||
| 64 | help | ||
| 65 | Zero-initialize any structures on the stack that may | ||
| 66 | be passed by reference and had not already been | ||
| 67 | explicitly initialized. This can prevent most classes | ||
| 68 | of uninitialized stack variable exploits and information | ||
| 69 | exposures, like CVE-2017-1000410: | ||
| 70 | https://git.kernel.org/linus/06e7e776ca4d3654 | ||
| 71 | |||
| 72 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | ||
| 73 | bool "zero-init anything passed by reference (very strong)" | ||
| 74 | depends on GCC_PLUGINS | ||
| 75 | select GCC_PLUGIN_STRUCTLEAK | ||
| 76 | help | ||
| 77 | Zero-initialize any stack variables that may be passed | ||
| 78 | by reference and had not already been explicitly | ||
| 79 | initialized. This is intended to eliminate all classes | ||
| 80 | of uninitialized stack variable exploits and information | ||
| 81 | exposures. | ||
| 82 | |||
| 83 | config INIT_STACK_ALL | ||
| 84 | bool "0xAA-init everything on the stack (strongest)" | ||
| 85 | depends on CC_HAS_AUTO_VAR_INIT | ||
| 86 | help | ||
| 87 | Initializes everything on the stack with a 0xAA | ||
| 88 | pattern. This is intended to eliminate all classes | ||
| 89 | of uninitialized stack variable exploits and information | ||
| 90 | exposures, even variables that were warned to have been | ||
| 91 | left uninitialized. | ||
| 92 | |||
| 93 | endchoice | ||
| 94 | |||
| 95 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE | ||
| 96 | bool "Report forcefully initialized variables" | ||
| 97 | depends on GCC_PLUGIN_STRUCTLEAK | ||
| 98 | depends on !COMPILE_TEST # too noisy | ||
| 99 | help | ||
| 100 | This option will cause a warning to be printed each time the | ||
| 101 | structleak plugin finds a variable it thinks needs to be | ||
| 102 | initialized. Since not all existing initializers are detected | ||
| 103 | by the plugin, this can produce false positive warnings. | ||
| 104 | |||
| 105 | config GCC_PLUGIN_STACKLEAK | ||
| 106 | bool "Poison kernel stack before returning from syscalls" | ||
| 107 | depends on GCC_PLUGINS | ||
| 108 | depends on HAVE_ARCH_STACKLEAK | ||
| 109 | help | ||
| 110 | This option makes the kernel erase the kernel stack before | ||
| 111 | returning from system calls. This has the effect of leaving | ||
| 112 | the stack initialized to the poison value, which both reduces | ||
| 113 | the lifetime of any sensitive stack contents and reduces | ||
| 114 | potential for uninitialized stack variable exploits or information | ||
| 115 | exposures (it does not cover functions reaching the same stack | ||
| 116 | depth as prior functions during the same syscall). This blocks | ||
| 117 | most uninitialized stack variable attacks, with the performance | ||
| 118 | impact being driven by the depth of the stack usage, rather than | ||
| 119 | the function calling complexity. | ||
| 120 | |||
| 121 | The performance impact on a single CPU system kernel compilation | ||
| 122 | sees a 1% slowdown, other systems and workloads may vary and you | ||
| 123 | are advised to test this feature on your expected workload before | ||
| 124 | deploying it. | ||
| 125 | |||
| 126 | This plugin was ported from grsecurity/PaX. More information at: | ||
| 127 | * https://grsecurity.net/ | ||
| 128 | * https://pax.grsecurity.net/ | ||
| 129 | |||
| 130 | config STACKLEAK_TRACK_MIN_SIZE | ||
| 131 | int "Minimum stack frame size of functions tracked by STACKLEAK" | ||
| 132 | default 100 | ||
| 133 | range 0 4096 | ||
| 134 | depends on GCC_PLUGIN_STACKLEAK | ||
| 135 | help | ||
| 136 | The STACKLEAK gcc plugin instruments the kernel code for tracking | ||
| 137 | the lowest border of the kernel stack (and for some other purposes). | ||
| 138 | It inserts the stackleak_track_stack() call for the functions with | ||
| 139 | a stack frame size greater than or equal to this parameter. | ||
| 140 | If unsure, leave the default value 100. | ||
| 141 | |||
| 142 | config STACKLEAK_METRICS | ||
| 143 | bool "Show STACKLEAK metrics in the /proc file system" | ||
| 144 | depends on GCC_PLUGIN_STACKLEAK | ||
| 145 | depends on PROC_FS | ||
| 146 | help | ||
| 147 | If this is set, STACKLEAK metrics for every task are available in | ||
| 148 | the /proc file system. In particular, /proc/<pid>/stack_depth | ||
| 149 | shows the maximum kernel stack consumption for the current and | ||
| 150 | previous syscalls. Although this information is not precise, it | ||
| 151 | can be useful for estimating the STACKLEAK performance impact for | ||
| 152 | your workloads. | ||
| 153 | |||
| 154 | config STACKLEAK_RUNTIME_DISABLE | ||
| 155 | bool "Allow runtime disabling of kernel stack erasing" | ||
| 156 | depends on GCC_PLUGIN_STACKLEAK | ||
| 157 | help | ||
| 158 | This option provides 'stack_erasing' sysctl, which can be used in | ||
| 159 | runtime to control kernel stack erasing for kernels built with | ||
| 160 | CONFIG_GCC_PLUGIN_STACKLEAK. | ||
| 161 | |||
| 162 | endmenu | ||
| 163 | |||
| 164 | endmenu | ||