lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250507180852.work.231-kees@kernel.org>
Date: Wed,  7 May 2025 11:16:06 -0700
From: Kees Cook <kees@...nel.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Kees Cook <kees@...nel.org>,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	Christoph Hellwig <hch@....de>,
	Marco Elver <elver@...gle.com>,
	Andrey Konovalov <andreyknvl@...il.com>,
	Andrey Ryabinin <ryabinin.a.a@...il.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Masahiro Yamada <masahiroy@...nel.org>,
	Nathan Chancellor <nathan@...nel.org>,
	Nicolas Schier <nicolas.schier@...ux.dev>,
	Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
	Bill Wendling <morbo@...gle.com>,
	Justin Stitt <justinstitt@...gle.com>,
	linux-kernel@...r.kernel.org,
	x86@...nel.org,
	kasan-dev@...glegroups.com,
	linux-doc@...r.kernel.org,
	linux-arm-kernel@...ts.infradead.org,
	kvmarm@...ts.linux.dev,
	linux-riscv@...ts.infradead.org,
	linux-s390@...r.kernel.org,
	linux-efi@...r.kernel.org,
	linux-hardening@...r.kernel.org,
	linux-kbuild@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-kselftest@...r.kernel.org,
	sparclinux@...r.kernel.org,
	llvm@...ts.linux.dev
Subject: [PATCH 0/8] stackleak: Support Clang stack depth tracking

Hi,

As part of looking at what GCC plugins could be replaced with Clang
implementations, this series uses the recently landed stack depth tracking
callback in Clang[1] to implement the stackleak feature. Since the Clang
feature is now landed, I'm moving this out of RFC to a v1.

Since this touches a lot of arch-specific Makefiles, I tried to trim
the CC list down to just mailing lists in those cases, otherwise the CC
was giant.

Thanks!

-Kees

[1] https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth

 v1:
  - Finalize Clang URLs for landed feature
  - Perform CFLAGS enabling more sanely, as done for randstruct
  - Split __no_sanitize_coverage into separate patch
  - Update hardening.config and MAINTAINERS
  - Fix bug found with nvme tree
 RFC: https://lore.kernel.org/lkml/20250502185834.work.560-kees@kernel.org/

Kees Cook (8):
  nvme-pci: Make nvme_pci_npages_prp() __always_inline
  init.h: Disable sanitizer coverage for __init and __head
  stackleak: Rename CONFIG_GCC_PLUGIN_STACKLEAK to CONFIG_STACKLEAK
  stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth
  stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS
  stackleak: Support Clang stack depth tracking
  configs/hardening: Enable CONFIG_STACKLEAK
  configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON

 security/Kconfig.hardening                  | 25 ++++++----
 Makefile                                    |  1 +
 arch/arm/boot/compressed/Makefile           |  2 +-
 arch/arm/vdso/Makefile                      |  2 +-
 arch/arm64/kernel/pi/Makefile               |  2 +-
 arch/arm64/kernel/vdso/Makefile             |  3 +-
 arch/arm64/kvm/hyp/nvhe/Makefile            |  2 +-
 arch/riscv/kernel/pi/Makefile               |  2 +-
 arch/riscv/purgatory/Makefile               |  2 +-
 arch/sparc/vdso/Makefile                    |  3 +-
 arch/x86/entry/vdso/Makefile                |  3 +-
 arch/x86/purgatory/Makefile                 |  2 +-
 drivers/firmware/efi/libstub/Makefile       |  6 +--
 kernel/Makefile                             |  4 +-
 lib/Makefile                                |  2 +-
 scripts/Makefile.gcc-plugins                | 16 +------
 scripts/Makefile.stackleak                  | 21 +++++++++
 scripts/gcc-plugins/stackleak_plugin.c      | 52 ++++++++++-----------
 Documentation/admin-guide/sysctl/kernel.rst |  2 +-
 Documentation/security/self-protection.rst  |  2 +-
 arch/x86/entry/calling.h                    |  4 +-
 arch/x86/include/asm/init.h                 |  2 +-
 include/linux/init.h                        |  4 +-
 include/linux/sched.h                       |  4 +-
 include/linux/stackleak.h                   |  6 +--
 arch/arm/kernel/entry-common.S              |  2 +-
 arch/arm64/kernel/entry.S                   |  2 +-
 arch/riscv/kernel/entry.S                   |  2 +-
 arch/s390/kernel/entry.S                    |  2 +-
 drivers/misc/lkdtm/stackleak.c              |  8 ++--
 drivers/nvme/host/pci.c                     |  2 +-
 kernel/stackleak.c                          |  4 +-
 tools/objtool/check.c                       |  2 +-
 tools/testing/selftests/lkdtm/config        |  2 +-
 MAINTAINERS                                 |  6 ++-
 kernel/configs/hardening.config             |  6 +++
 36 files changed, 122 insertions(+), 90 deletions(-)
 create mode 100644 scripts/Makefile.stackleak

-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ