2 files changed, 57 insertions, 51 deletions

diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 352f03878a1e..80220ed26a35 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -108,57 +108,6 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
           in structures.  This reduces the performance hit of RANDSTRUCT
           at the cost of weakened randomization.
 
-config GCC_PLUGIN_STACKLEAK
-        bool "Erase the kernel stack before returning from syscalls"
-        depends on GCC_PLUGINS
-        depends on HAVE_ARCH_STACKLEAK
-        help
-          This option makes the kernel erase the kernel stack before
-          returning from system calls. That reduces the information which
-          kernel stack leak bugs can reveal and blocks some uninitialized
-          stack variable attacks.
-
-          The tradeoff is the performance impact: on a single CPU system kernel
-          compilation sees a 1% slowdown, other systems and workloads may vary
-          and you are advised to test this feature on your expected workload
-          before deploying it.
-
-          This plugin was ported from grsecurity/PaX. More information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-
-config STACKLEAK_TRACK_MIN_SIZE
-        int "Minimum stack frame size of functions tracked by STACKLEAK"
-        default 100
-        range 0 4096
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          The STACKLEAK gcc plugin instruments the kernel code for tracking
-          the lowest border of the kernel stack (and for some other purposes).
-          It inserts the stackleak_track_stack() call for the functions with
-          a stack frame size greater than or equal to this parameter.
-          If unsure, leave the default value 100.
-
-config STACKLEAK_METRICS
-        bool "Show STACKLEAK metrics in the /proc file system"
-        depends on GCC_PLUGIN_STACKLEAK
-        depends on PROC_FS
-        help
-          If this is set, STACKLEAK metrics for every task are available in
-          the /proc file system. In particular, /proc/<pid>/stack_depth
-          shows the maximum kernel stack consumption for the current and
-          previous syscalls. Although this information is not precise, it
-          can be useful for estimating the STACKLEAK performance impact for
-          your workloads.
-
-config STACKLEAK_RUNTIME_DISABLE
-        bool "Allow runtime disabling of kernel stack erasing"
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          This option provides 'stack_erasing' sysctl, which can be used in
-          runtime to control kernel stack erasing for kernels built with
-          CONFIG_GCC_PLUGIN_STACKLEAK.
-
 config GCC_PLUGIN_ARM_SSP_PER_TASK
         bool
         depends on GCC_PLUGINS && ARM
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 19881341f1c2..a96d4a43ca65 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -88,6 +88,63 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
           initialized. Since not all existing initializers are detected
           by the plugin, this can produce false positive warnings.
 
+config GCC_PLUGIN_STACKLEAK
+        bool "Poison kernel stack before returning from syscalls"
+        depends on GCC_PLUGINS
+        depends on HAVE_ARCH_STACKLEAK
+        help
+          This option makes the kernel erase the kernel stack before
+          returning from system calls. This has the effect of leaving
+          the stack initialized to the poison value, which both reduces
+          the lifetime of any sensitive stack contents and reduces
+          potential for uninitialized stack variable exploits or information
+          exposures (it does not cover functions reaching the same stack
+          depth as prior functions during the same syscall). This blocks
+          most uninitialized stack variable attacks, with the performance
+          impact being driven by the depth of the stack usage, rather than
+          the function calling complexity.
+
+          The performance impact on a single CPU system kernel compilation
+          sees a 1% slowdown, other systems and workloads may vary and you
+          are advised to test this feature on your expected workload before
+          deploying it.
+
+          This plugin was ported from grsecurity/PaX. More information at:
+           * https://grsecurity.net/
+           * https://pax.grsecurity.net/
+
+config STACKLEAK_TRACK_MIN_SIZE
+        int "Minimum stack frame size of functions tracked by STACKLEAK"
+        default 100
+        range 0 4096
+        depends on GCC_PLUGIN_STACKLEAK
+        help
+          The STACKLEAK gcc plugin instruments the kernel code for tracking
+          the lowest border of the kernel stack (and for some other purposes).
+          It inserts the stackleak_track_stack() call for the functions with
+          a stack frame size greater than or equal to this parameter.
+          If unsure, leave the default value 100.
+
+config STACKLEAK_METRICS
+        bool "Show STACKLEAK metrics in the /proc file system"
+        depends on GCC_PLUGIN_STACKLEAK
+        depends on PROC_FS
+        help
+          If this is set, STACKLEAK metrics for every task are available in
+          the /proc file system. In particular, /proc/<pid>/stack_depth
+          shows the maximum kernel stack consumption for the current and
+          previous syscalls. Although this information is not precise, it
+          can be useful for estimating the STACKLEAK performance impact for
+          your workloads.
+
+config STACKLEAK_RUNTIME_DISABLE
+        bool "Allow runtime disabling of kernel stack erasing"
+        depends on GCC_PLUGIN_STACKLEAK
+        help
+          This option provides 'stack_erasing' sysctl, which can be used in
+          runtime to control kernel stack erasing for kernels built with
+          CONFIG_GCC_PLUGIN_STACKLEAK.
+
 endmenu
 
 endmenu