From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Kees Cook <keescook@chromium.org>,
	Arjan van de Ven <arjan@linux.intel.com>,
	Michal Marek <mmarek@suse.cz>,
	Russell King <linux@arm.linux.org.uk>,
	Ralf Baechle <ralf@linux-mips.org>,
	Paul Mundt <lethal@linux-sh.org>,
	James Hogan <james.hogan@imgtec.com>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Shawn Guo <shawn.guo@linaro.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	linux-arm-kernel@lists.infradead.org, linux-mips@linux-mips.org,
	linux-arch@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 03/78] stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
Date: Wed, 16 Dec 2015 16:38:47 -0800
Message-ID: <1450312802-4938-4-git-send-email-kamal@canonical.com>
In-Reply-To: <1450312802-4938-1-git-send-email-kamal@canonical.com>

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 8779657d29c0ebcc0c94ede4df2f497baf1b563f upstream.

This changes the stack protector config option into a choice of
"None", "Regular", and "Strong":

   CONFIG_CC_STACKPROTECTOR_NONE
   CONFIG_CC_STACKPROTECTOR_REGULAR
   CONFIG_CC_STACKPROTECTOR_STRONG

"Regular" means the old CONFIG_CC_STACKPROTECTOR=y option.

"Strong" is a new mode introduced by this patch. With "Strong" the
kernel is built with -fstack-protector-strong (available in
gcc 4.9 and later). This option increases the coverage of the stack
protector without the heavy performance hit of -fstack-protector-all.

For reference, the stack protector options available in gcc are:

-fstack-protector-all:
  Adds the stack-canary saving prefix and stack-canary checking
  suffix to _all_ function entry and exit. Results in substantial
  use of stack space for saving the canary for deep stack users
  (e.g. historically xfs), and measurable (though shockingly still
  low) performance hit due to all the saving/checking. Really not
  suitable for sane systems, and was entirely removed as an option
  from the kernel many years ago.

-fstack-protector:
  Adds the canary save/check to functions that define an 8
  (--param=ssp-buffer-size=N, N=8 by default) or more byte local
  char array. Traditionally, stack overflows happened with
  string-based manipulations, so this was a way to find those
  functions. Very few total functions actually get the canary; no
  measurable performance or size overhead.

-fstack-protector-strong:
  Adds the canary for a wider set of functions, since it's not
  just those with strings that have ultimately been vulnerable to
  stack-busting. With this superset, more functions end up with a
  canary, but it still remains small compared to all functions
  with only a small change in performance. Based on the original
  design document, a function gets the canary when it contains any
  of:

    - local variable's address used as part of the right hand side
      of an assignment or function argument
    - local variable is an array (or union containing an array),
      regardless of array type or length
    - uses register local variables

  https://docs.google.com/a/google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU

Find below a comparison of "size" and "objdump" output when built with
gcc-4.9 in three configurations:

  - defconfig
	11430641 kernel text size
	36110 function bodies

  - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR
	11468490 kernel text size (+0.33%)
	1015 of 36110 functions are stack-protected (2.81%)

  - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch
	11692790 kernel text size (+2.24%)
	7401 of 36110 functions are stack-protected (20.5%)

With -strong, ARM's compressed boot code now triggers stack
protection, so a static guard was added. Since this is only used
during decompression and was never used before, the exposure
here is very small. Once it switches to the full kernel, the
stack guard is back to normal.

Chrome OS has been using -fstack-protector-strong for its kernel
builds for the last 8 months with no problems.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-3-git-send-email-keescook@chromium.org
[ Improved the changelog and descriptions some more. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: 3.13-stable: need these arch/arm/boot/compressed/misc.c __stack_chk
  canary functions, even for just the old CONFIG_CC_STACKPROTECTOR ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile                        |  8 ++++++-
 arch/Kconfig                    | 51 ++++++++++++++++++++++++++++++++++++++---
 arch/arm/boot/compressed/misc.c | 14 +++++++++++
 3 files changed, 69 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 58a799e..b43786f 100644
--- a/Makefile
+++ b/Makefile
@@ -598,12 +598,18 @@ KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
 # Handle stack protector mode.
-ifdef CONFIG_CC_STACKPROTECTOR
+ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
   stackp-flag := -fstack-protector
   ifeq ($(call cc-option, $(stackp-flag)),)
     $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
 	      -fstack-protector not supported by compiler))
   endif
+else ifdef CONFIG_CC_STACKPROTECTOR_STRONG
+  stackp-flag := -fstack-protector-strong
+  ifeq ($(call cc-option, $(stackp-flag)),)
+    $(warning Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: \
+	      -fstack-protector-strong not supported by compiler)
+  endif
 else
   # Force off for distro compilers that enable stack protector by default.
   stackp-flag := $(call cc-option, -fno-stack-protector)
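
Review bot: the REGULAR branch keeps the old diagnostic at `$(warning Cannot use CONFIG_CC_STACKPROTECTOR: \` / `-fstack-protector not supported by compiler))`, which names a symbol the user can no longer pick directly and ends in a stray `))`, while the new STRONG branch below it correctly ends in a single `)`; since the hunk already rewrites the `ifdef` right above, change the message to say CONFIG_CC_STACKPROTECTOR_REGULAR and drop the extra paren so the two branches match. Both branches also only emit a `$(warning ...)` and still set `stackp-flag` to the unsupported option, so whether a mismatched compiler stops the build or produces a quietly unprotected kernel depends on code outside this hunk; a `$(error ...)` here would make the failure unambiguous.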
diff --git a/arch/Kconfig b/arch/Kconfig
index 24e026d..80bbb8c 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -344,10 +344,17 @@ config HAVE_CC_STACKPROTECTOR
 	  - it has implemented a stack canary (e.g. __stack_chk_guard)
 
 config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection"
+	def_bool n
+	help
+	  Set when a stack-protector mode is enabled, so that the build
+	  can enable kernel-side support for the GCC feature.
+
+choice
+	prompt "Stack Protector buffer overflow detection"
 	depends on HAVE_CC_STACKPROTECTOR
+	default CC_STACKPROTECTOR_NONE
 	help
-	  This option turns on the -fstack-protector GCC feature. This
+	  This option turns on the "stack-protector" GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
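
Review bot: `CC_STACKPROTECTOR` becomes a promptless `def_bool n` that is only reachable through the new choice, and the choice defaults to `CC_STACKPROTECTOR_NONE`, so a 3.13 .config carrying CONFIG_CC_STACKPROTECTOR=y silently ends up with no stack protector after `make olddefconfig` unless someone sets CONFIG_CC_STACKPROTECTOR_REGULAR=y by hand. For a -stable backport that is a hardening regression no build error will flag; the backport note should spell out the required .config change, and any distro configs carried in this series should be updated alongside it.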
@@ -355,8 +362,46 @@ config CC_STACKPROTECTOR
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 
+config CC_STACKPROTECTOR_NONE
+	bool "None"
+	help
+	  Disable "stack-protector" GCC feature.
+
+config CC_STACKPROTECTOR_REGULAR
+	bool "Regular"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added if they
+	  have an 8-byte or larger character array on the stack.
+
 	  This feature requires gcc version 4.2 or above, or a distribution
-	  gcc with the feature backported.
+	  gcc with the feature backported ("-fstack-protector").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 3% of all kernel functions, which increases kernel code size
+	  by about 0.3%.
+
+config CC_STACKPROTECTOR_STRONG
+	bool "Strong"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added in any
+	  of the following conditions:
+
+	  - local variable's address used as part of the right hand side of an
+	    assignment or function argument
+	  - local variable is an array (or union containing an array),
+	    regardless of array type or length
+	  - uses register local variables
+
+	  This feature requires gcc version 4.9 or above, or a distribution
+	  gcc with the feature backported ("-fstack-protector-strong").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 20% of all kernel functions, which increases the kernel code
+	  size by about 2%.
+
+endchoice
 
 config HAVE_CONTEXT_TRACKING
 	bool
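
Review bot: the `CC_STACKPROTECTOR_STRONG` help lists the three conditions that add a canary but not what remains unprotected, and a reader can easily take "Strong" for full coverage; a closing sentence such as `Functions with no arrays and no address-taken locals still get no canary` (the -fstack-protector-all contrast the changelog discusses but the help omits) would make the trade-off explicit. Likewise the "requires gcc version 4.9 or above" line is documentation only: nothing in this Kconfig enforces it, and the compiler check in the Makefile merely warns, so the help should say that selecting Strong on an older gcc is noticed at build time, not at configuration time.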
diff --git a/arch/arm/boot/compressed/misc.c b/arch/arm/boot/compressed/misc.c
index 31bd43b..d4f891f 100644
--- a/arch/arm/boot/compressed/misc.c
+++ b/arch/arm/boot/compressed/misc.c
@@ -127,6 +127,18 @@ asmlinkage void __div0(void)
 	error("Attempting division by 0!");
 }
 
+unsigned long __stack_chk_guard;
+
+void __stack_chk_guard_setup(void)
+{
+	__stack_chk_guard = 0x000a0dff;
+}
+
+void __stack_chk_fail(void)
+{
+	error("stack-protector: Kernel stack is corrupted\n");
+}
+
 extern int do_decompress(u8 *input, int len, u8 *output, void (*error)(char *x));
 
 
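
Review bot: `__stack_chk_guard = 0x000a0dff;` installs a fixed, public guard and the hunk gives no comment on the value or its weakness. The four bytes 0x00, 0x0a, 0x0d and 0xff are the classic terminator-canary pattern (NUL, LF, CR and 0xff cannot be copied through intact by the C string functions), which is presumably why this constant was chosen over an arbitrary one, but that reasoning and the justification from the changelog (decompressor only, no entropy source, replaced by the kernel's own canary once it starts) belong in a comment next to the definition. It would also help to mark `__stack_chk_fail()` noreturn if `error()` does not return, since that is what the compiler assumes for the symbol it emits calls to.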
@@ -137,6 +149,8 @@ decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
 {
 	int ret;
 
+	__stack_chk_guard_setup();
+
 	output_data		= (unsigned char *)output_start;
 	free_mem_ptr		= free_mem_ptr_p;
 	free_mem_end_ptr	= free_mem_ptr_end_p;
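
Review bot: `__stack_chk_guard_setup()` is called from inside `decompress_kernel()`, after that function's own prologue has run; if `decompress_kernel()` is ever instrumented itself (with -fstack-protector-strong, adding a local array or passing a local's address is enough), the prologue saves whatever `__stack_chk_guard` held before setup (the hunk above gives it no initializer) and the epilogue compares against the new 0x000a0dff, so the function fails its own check on a clean return. It is safe today only because the function has nothing but `int ret` and globals; please either move the guard setup into the assembly that calls `decompress_kernel()` so it runs before any instrumented C, or add a comment above this call stating that it must stay the first statement and that `decompress_kernel()` must remain canary-free.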
-- 
1.9.1


2015-12-17  0:39 ` [PATCH 3.13.y-ckt 45/78] RDS: fix race condition when sending a message on unbound socket Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 46/78] btrfs: fix signed overflows in btrfs_sync_file Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 47/78] drm/radeon: make some dpm errors debug only Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 48/78] nfs: if we have no valid attrs, then don't declare the attribute cache valid Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 49/78] xen/gntdev: Grant maps should not be subject to NUMA balancing Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 50/78] iscsi-target: Fix rx_login_comp hang after login failure Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 51/78] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 52/78] target: fix COMPARE_AND_WRITE non zero SGL offset data corruption Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 53/78] block: Always check queue limits for cloned requests Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 54/78] Fix a memory leak in scsi_host_dev_release() Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 55/78] wan/x25: Fix use-after-free in x25_asy_open_tty() Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 56/78] sched/core: Clear the root_domain cpumasks in init_rootdomain() Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 57/78] x86/signal: Fix restart_syscall number for x32 tasks Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 58/78] mmc: remove bondage between REQ_META and reliable write Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 59/78] sctp: translate host order to network order when setting a hmacid Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 60/78] usb: musb: core: fix order of arguments to ulpi write callback Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 61/78] FS-Cache: Add missing initialization of ret in cachefiles_write_page() Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 62/78] tcp: md5: fix lockdep annotation Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 63/78] ARM: dts: Kirkwood: Fix QNAP TS219 power-off Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 64/78] isdn: Partially revert debug format string usage clean up Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 65/78] remoteproc: avoid stack overflow in debugfs file Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 66/78] net: mvneta: add configuration for MBUS windows access protection Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 67/78] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 68/78] net: mvneta: fix bit assignment for RX packet irq enable Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 69/78] sched/core: Remove false-positive warning from wake_up_process() Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 70/78] packet: allow to transmit +4 byte in TX_RING slot for VLAN case Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 71/78] packet: tpacket_snd(): fix signed/unsigned comparison Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 72/78] packet: only allow extra vlan len on ethernet devices Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 73/78] packet: fix tpacket_snd max frame len Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 74/78] net/mlx4_core: Avoid returning success in case of an error flow Kamal Mostafa
2015-12-17  0:39 ` [PATCH 3.13.y-ckt 75/78] net: ip6mr: fix static mfc/dev leaks on table destruction Kamal Mostafa
2015-12-17  0:40 ` [PATCH 3.13.y-ckt 76/78] unix: avoid use-after-free in ep_remove_wait_queue Kamal Mostafa
2015-12-17  0:40 ` [PATCH 3.13.y-ckt 77/78] broadcom: fix PHY_ID_BCM5481 entry in the id table Kamal Mostafa
2015-12-17  0:40 ` [PATCH 3.13.y-ckt 78/78] net/neighbour: fix crash at dumping device-agnostic proxy entries Kamal Mostafa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1450312802-4938-4-git-send-email-kamal@canonical.com \
    --to=kamal@canonical.com \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=james.hogan@imgtec.com \
    --cc=keescook@chromium.org \
    --cc=kernel-team@lists.ubuntu.com \
    --cc=lethal@linux-sh.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mips@linux-mips.org \
    --cc=linux@arm.linux.org.uk \
    --cc=mingo@kernel.org \
    --cc=mmarek@suse.cz \
    --cc=peterz@infradead.org \
    --cc=ralf@linux-mips.org \
    --cc=sfr@canb.auug.org.au \
    --cc=shawn.guo@linaro.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.