| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250507181615.1947159-6-kees@kernel.org> Date: Wed, 7 May 2025 11:16:12 -0700 From: Kees Cook <kees@...nel.org> To: Arnd Bergmann <arnd@...db.de> Cc: Kees Cook <kees@...nel.org>, Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas.schier@...ux.dev>, Marco Elver <elver@...gle.com>, Andrey Konovalov <andreyknvl@...il.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Ard Biesheuvel <ardb@...nel.org>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, linux-kbuild@...r.kernel.org, kasan-dev@...glegroups.com, linux-hardening@...r.kernel.org, Christoph Hellwig <hch@....de>, Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, linux-kernel@...r.kernel.org, x86@...nel.org, linux-doc@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.linux.dev, linux-riscv@...ts.infradead.org, linux-s390@...r.kernel.org, linux-efi@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kselftest@...r.kernel.org, sparclinux@...r.kernel.org, llvm@...ts.linux.dev Subject: [PATCH 6/8] stackleak: Support Clang stack depth tracking Wire up CONFIG_STACKLEAK to Clang 21's new stack depth tracking callback[1] option. Link: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth [1] Signed-off-by: Kees Cook <kees@...nel.org> --- Cc: Arnd Bergmann <arnd@...db.de> Cc: Masahiro Yamada <masahiroy@...nel.org> Cc: Nathan Chancellor <nathan@...nel.org> Cc: Nicolas Schier <nicolas.schier@...ux.dev> Cc: Marco Elver <elver@...gle.com> Cc: Andrey Konovalov <andreyknvl@...il.com> Cc: Andrey Ryabinin <ryabinin.a.a@...il.com> Cc: Ard Biesheuvel <ardb@...nel.org> Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org> Cc: <linux-kbuild@...r.kernel.org> Cc: <kasan-dev@...glegroups.com> Cc: <linux-hardening@...r.kernel.org> --- security/Kconfig.hardening | 5 ++++- scripts/Makefile.stackleak | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 2be6aed71c92..94aa8612c4e4 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. +config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK + def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1) + config STACKLEAK bool "Poison kernel stack before returning from syscalls" depends on HAVE_ARCH_STACKLEAK - depends on GCC_PLUGINS + depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK help This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving diff --git a/scripts/Makefile.stackleak b/scripts/Makefile.stackleak index 1db0835b29d4..639cc32bcd1d 100644 --- a/scripts/Makefile.stackleak +++ b/scripts/Makefile.stackleak @@ -8,6 +8,12 @@ stackleak-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) += -fplugin-arg-stacklea DISABLE_STACKLEAK := -fplugin-arg-stackleak_plugin-disable endif +ifdef CONFIG_CC_IS_CLANG +stackleak-cflags-y += -fsanitize-coverage=stack-depth +stackleak-cflags-y += -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE) +DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth +endif + STACKLEAK_CFLAGS := $(stackleak-cflags-y) export STACKLEAK_CFLAGS DISABLE_STACKLEAK -- 2.34.1
Powered by blists - more mailing lists