| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250502190129.246328-4-kees@kernel.org>
Date: Fri, 2 May 2025 12:01:27 -0700
From: Kees Cook <kees@...nel.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Kees Cook <kees@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Nicolas Schier <nicolas.schier@...ux.dev>,
Marco Elver <elver@...gle.com>,
Andrey Konovalov <andreyknvl@...il.com>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
Ard Biesheuvel <ardb@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Kai Huang <kai.huang@...el.com>,
Hou Wenlong <houwenlong.hwl@...group.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Sami Tolvanen <samitolvanen@...gle.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
linux-kbuild@...r.kernel.org,
kasan-dev@...glegroups.com,
linux-hardening@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
kvmarm@...ts.linux.dev,
linux-riscv@...ts.infradead.org,
linux-s390@...r.kernel.org,
linux-efi@...r.kernel.org,
linux-kselftest@...r.kernel.org,
sparclinux@...r.kernel.org,
llvm@...ts.linux.dev
Subject: [PATCH RFC 4/4] stackleak: Support Clang stack depth tracking
Wire up stackleak to Clang's proposed[1] stack depth tracking callback
option. While __noinstr already contained __no_sanitize_coverage, it was
still needed for __init and __head section markings. This is needed to
make sure the callback is not executed in unsupported contexts.
Link: https://github.com/llvm/llvm-project/pull/138323 [1]
Signed-off-by: Kees Cook <kees@...nel.org>
---
Cc: Arnd Bergmann <arnd@...db.de>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: <x86@...nel.org>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: Masahiro Yamada <masahiroy@...nel.org>
Cc: Nathan Chancellor <nathan@...nel.org>
Cc: Nicolas Schier <nicolas.schier@...ux.dev>
Cc: Marco Elver <elver@...gle.com>
Cc: Andrey Konovalov <andreyknvl@...il.com>
Cc: Andrey Ryabinin <ryabinin.a.a@...il.com>
Cc: Ard Biesheuvel <ardb@...nel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Paul Moore <paul@...l-moore.com>
Cc: James Morris <jmorris@...ei.org>
Cc: "Serge E. Hallyn" <serge@...lyn.com>
Cc: Kai Huang <kai.huang@...el.com>
Cc: Hou Wenlong <houwenlong.hwl@...group.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: "Peter Zijlstra (Intel)" <peterz@...radead.org>
Cc: Sami Tolvanen <samitolvanen@...gle.com>
Cc: Christophe Leroy <christophe.leroy@...roup.eu>
Cc: <linux-kbuild@...r.kernel.org>
Cc: <kasan-dev@...glegroups.com>
Cc: <linux-hardening@...r.kernel.org>
Cc: <linux-security-module@...r.kernel.org>
---
arch/x86/include/asm/init.h | 2 +-
include/linux/init.h | 4 +++-
scripts/Makefile.ubsan | 12 ++++++++++++
security/Kconfig.hardening | 5 ++++-
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h
index 8b1b1abcef15..6bfdaeddbae8 100644
--- a/arch/x86/include/asm/init.h
+++ b/arch/x86/include/asm/init.h
@@ -5,7 +5,7 @@
#if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
#define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector
#else
-#define __head __section(".head.text") __no_sanitize_undefined
+#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
#endif
struct x86_mapping_info {
diff --git a/include/linux/init.h b/include/linux/init.h
index ee1309473bc6..c65a050d52a7 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -49,7 +49,9 @@
/* These are for everybody (although not all archs will actually
discard it in modules) */
-#define __init __section(".init.text") __cold __latent_entropy __noinitretpoline
+#define __init __section(".init.text") __cold __latent_entropy \
+ __noinitretpoline \
+ __no_sanitize_coverage
#define __initdata __section(".init.data")
#define __initconst __section(".init.rodata")
#define __exitdata __section(".exit.data")
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 9e35198edbf0..cfb3ecde07dd 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -22,3 +22,15 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \
-fsanitize=implicit-unsigned-integer-truncation \
-fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl
export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y)
+
+ifdef CONFIG_CC_IS_CLANG
+stackleak-cflags-$(CONFIG_STACKLEAK) += \
+ -fsanitize-coverage=stack-depth \
+ -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
+export STACKLEAK_CFLAGS := $(stackleak-cflags-y)
+ifdef CONFIG_STACKLEAK
+ DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth
+endif
+export DISABLE_STACKLEAK
+KBUILD_CFLAGS += $(STACKLEAK_CFLAGS)
+endif
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index edcc489a6805..e86b61e44b33 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
+config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
+ def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
+
config STACKLEAK
bool "Poison kernel stack before returning from syscalls"
depends on HAVE_ARCH_STACKLEAK
- depends on GCC_PLUGINS
+ depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
help
This option makes the kernel erase the kernel stack before
returning from system calls. This has the effect of leaving
--
2.34.1
Powered by blists - more mailing lists