* [PATCH] kbuild: Provide way to actually disable stack protector
@ 2020-06-22 19:02 Kees Cook
2020-06-23 2:33 ` Masahiro Yamada
0 siblings, 1 reply; 7+ messages in thread
From: Kees Cook @ 2020-06-22 19:02 UTC (permalink / raw)
To: Peter Zijlstra, Thomas Gleixner
Cc: Masahiro Yamada, x86, linux-kbuild, linux-arm-kernel, linux-kernel
Some builds of GCC enable stack protector by default. Simply removing
the arguments is not sufficient to disable stack protector, as the stack
protector for those GCC builds must be explicitly disabled. (Removing the
arguments is left as-is just to be sure there are no ordering problems. If
-fno-stack-protector ended up _before_ -fstack-protector, it would not
disable it: GCC uses whichever -f... comes last on the command line.)
Fixes: 20355e5f73a7 ("x86/entry: Exclude low level entry code from sanitizing")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Makefile | 4 +++-
arch/Kconfig | 3 ---
arch/arm/boot/compressed/Makefile | 4 ++--
arch/x86/entry/Makefile | 3 +++
4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index ac2c61c37a73..b46e91bf0b0e 100644
--- a/Makefile
+++ b/Makefile
@@ -762,7 +762,9 @@ ifneq ($(CONFIG_FRAME_WARN),0)
KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
endif
-stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
+DISABLE_STACKPROTECTOR := $(call cc-option,-fno-stack-protector)
+export DISABLE_STACKPROTECTOR
+stackp-flags-y := $(DISABLE_STACKPROTECTOR)
stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
diff --git a/arch/Kconfig b/arch/Kconfig
index 8cc35dc556c7..1ea61290900a 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -478,9 +478,6 @@ config HAVE_STACKPROTECTOR
An arch should select this symbol if:
- it has implemented a stack canary (e.g. __stack_chk_guard)
-config CC_HAS_STACKPROTECTOR_NONE
- def_bool $(cc-option,-fno-stack-protector)
-
config STACKPROTECTOR
bool "Stack Protector buffer overflow detection"
depends on HAVE_STACKPROTECTOR
diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
index 00602a6fba04..3693bac525d2 100644
--- a/arch/arm/boot/compressed/Makefile
+++ b/arch/arm/boot/compressed/Makefile
@@ -84,9 +84,9 @@ endif
# -fstack-protector-strong triggers protection checks in this code,
# but it is being used too early to link to meaningful stack_chk logic.
-nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
$(foreach o, $(libfdt_objs) atags_to_fdt.o, \
- $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
+ $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt \
+ $(DISABLE_STACKPROTECTOR)))
# These were previously generated C files. When you are building the kernel
# with O=, make sure to remove the stale files in the output tree. Otherwise,
diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
index b7a5790d8d63..79902decc3d1 100644
--- a/arch/x86/entry/Makefile
+++ b/arch/x86/entry/Makefile
@@ -10,6 +10,9 @@ KCOV_INSTRUMENT := n
CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
+CFLAGS_common.o += $(DISABLE_STACKPROTECTOR)
+CFLAGS_syscall_32.o += $(DISABLE_STACKPROTECTOR)
+CFLAGS_syscall_64.o += $(DISABLE_STACKPROTECTOR)
CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
--
2.25.1
--
Kees Cook
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
2020-06-22 19:02 [PATCH] kbuild: Provide way to actually disable stack protector Kees Cook
@ 2020-06-23 2:33 ` Masahiro Yamada
2020-06-23 5:37 ` Kees Cook
0 siblings, 1 reply; 7+ messages in thread
From: Masahiro Yamada @ 2020-06-23 2:33 UTC (permalink / raw)
To: Kees Cook
Cc: Peter Zijlstra, Thomas Gleixner, X86 ML,
Linux Kbuild mailing list, linux-arm-kernel,
Linux Kernel Mailing List
On Tue, Jun 23, 2020 at 4:02 AM Kees Cook <keescook@chromium.org> wrote:
>
> Some builds of GCC enable stack protector by default. Simply removing
> the arguments is not sufficient to disable stack protector, as the stack
> protector for those GCC builds must be explicitly disabled. (Removing the
> arguments is left as-is just to be sure there are no ordering problems. If
> -fno-stack-protector ended up _before_ -fstack-protector, it would not
> disable it: GCC uses whichever -f... comes last on the command line.)
>
> Fixes: 20355e5f73a7 ("x86/entry: Exclude low level entry code from sanitizing")
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> Makefile | 4 +++-
> arch/Kconfig | 3 ---
> arch/arm/boot/compressed/Makefile | 4 ++--
> arch/x86/entry/Makefile | 3 +++
> 4 files changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index ac2c61c37a73..b46e91bf0b0e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -762,7 +762,9 @@ ifneq ($(CONFIG_FRAME_WARN),0)
> KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
> endif
>
> -stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> +DISABLE_STACKPROTECTOR := $(call cc-option,-fno-stack-protector)
> +export DISABLE_STACKPROTECTOR
> +stackp-flags-y := $(DISABLE_STACKPROTECTOR)
> stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
> stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 8cc35dc556c7..1ea61290900a 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -478,9 +478,6 @@ config HAVE_STACKPROTECTOR
> An arch should select this symbol if:
> - it has implemented a stack canary (e.g. __stack_chk_guard)
>
> -config CC_HAS_STACKPROTECTOR_NONE
> - def_bool $(cc-option,-fno-stack-protector)
> -
> config STACKPROTECTOR
> bool "Stack Protector buffer overflow detection"
> depends on HAVE_STACKPROTECTOR
> diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> index 00602a6fba04..3693bac525d2 100644
> --- a/arch/arm/boot/compressed/Makefile
> +++ b/arch/arm/boot/compressed/Makefile
> @@ -84,9 +84,9 @@ endif
>
> # -fstack-protector-strong triggers protection checks in this code,
> # but it is being used too early to link to meaningful stack_chk logic.
> -nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> $(foreach o, $(libfdt_objs) atags_to_fdt.o, \
> - $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
> + $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt \
> + $(DISABLE_STACKPROTECTOR)))
>
> # These were previously generated C files. When you are building the kernel
> # with O=, make sure to remove the stale files in the output tree. Otherwise,
> diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> index b7a5790d8d63..79902decc3d1 100644
> --- a/arch/x86/entry/Makefile
> +++ b/arch/x86/entry/Makefile
> @@ -10,6 +10,9 @@ KCOV_INSTRUMENT := n
> CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> +CFLAGS_common.o += $(DISABLE_STACKPROTECTOR)
> +CFLAGS_syscall_32.o += $(DISABLE_STACKPROTECTOR)
> +CFLAGS_syscall_64.o += $(DISABLE_STACKPROTECTOR)
There is one more c file in this directory.
Is it OK to not patch syscall_x32.c ?
>
> CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
This patch is ugly.
I'd rather want to fix this by one-liner.
diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
index b7a5790d8d63..0d41eb91aaea 100644
--- a/arch/x86/entry/Makefile
+++ b/arch/x86/entry/Makefile
@@ -11,6 +11,8 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)
-fstack-protector -fstack-protector-
CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector
-fstack-protector-strong
CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector
-fstack-protector-strong
+ccflags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) += -fno-stack-protector
+
CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
obj-y := entry_$(BITS).o thunk_$(BITS).o
syscall_$(BITS).o
--
Best Regards
Masahiro Yamada
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
2020-06-23 2:33 ` Masahiro Yamada
@ 2020-06-23 5:37 ` Kees Cook
2020-06-26 19:04 ` Masahiro Yamada
0 siblings, 1 reply; 7+ messages in thread
From: Kees Cook @ 2020-06-23 5:37 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Peter Zijlstra, Thomas Gleixner, X86 ML,
Linux Kbuild mailing list, linux-arm-kernel,
Linux Kernel Mailing List
On Tue, Jun 23, 2020 at 11:33:53AM +0900, Masahiro Yamada wrote:
> On Tue, Jun 23, 2020 at 4:02 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Some builds of GCC enable stack protector by default. Simply removing
> > the arguments is not sufficient to disable stack protector, as the stack
> > protector for those GCC builds must be explicitly disabled. (Removing the
> > arguments is left as-is just to be sure there are no ordering problems. If
> > -fno-stack-protector ended up _before_ -fstack-protector, it would not
> > disable it: GCC uses whichever -f... comes last on the command line.)
> >
> > Fixes: 20355e5f73a7 ("x86/entry: Exclude low level entry code from sanitizing")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > Makefile | 4 +++-
> > arch/Kconfig | 3 ---
> > arch/arm/boot/compressed/Makefile | 4 ++--
> > arch/x86/entry/Makefile | 3 +++
> > 4 files changed, 8 insertions(+), 6 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index ac2c61c37a73..b46e91bf0b0e 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -762,7 +762,9 @@ ifneq ($(CONFIG_FRAME_WARN),0)
> > KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
> > endif
> >
> > -stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > +DISABLE_STACKPROTECTOR := $(call cc-option,-fno-stack-protector)
> > +export DISABLE_STACKPROTECTOR
> > +stackp-flags-y := $(DISABLE_STACKPROTECTOR)
> > stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
> > stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
> >
> > diff --git a/arch/Kconfig b/arch/Kconfig
> > index 8cc35dc556c7..1ea61290900a 100644
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -478,9 +478,6 @@ config HAVE_STACKPROTECTOR
> > An arch should select this symbol if:
> > - it has implemented a stack canary (e.g. __stack_chk_guard)
> >
> > -config CC_HAS_STACKPROTECTOR_NONE
> > - def_bool $(cc-option,-fno-stack-protector)
> > -
> > config STACKPROTECTOR
> > bool "Stack Protector buffer overflow detection"
> > depends on HAVE_STACKPROTECTOR
> > diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> > index 00602a6fba04..3693bac525d2 100644
> > --- a/arch/arm/boot/compressed/Makefile
> > +++ b/arch/arm/boot/compressed/Makefile
> > @@ -84,9 +84,9 @@ endif
> >
> > # -fstack-protector-strong triggers protection checks in this code,
> > # but it is being used too early to link to meaningful stack_chk logic.
> > -nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > $(foreach o, $(libfdt_objs) atags_to_fdt.o, \
> > - $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
> > + $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt \
> > + $(DISABLE_STACKPROTECTOR)))
> >
> > # These were previously generated C files. When you are building the kernel
> > # with O=, make sure to remove the stale files in the output tree. Otherwise,
> > diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> > index b7a5790d8d63..79902decc3d1 100644
> > --- a/arch/x86/entry/Makefile
> > +++ b/arch/x86/entry/Makefile
> > @@ -10,6 +10,9 @@ KCOV_INSTRUMENT := n
> > CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > +CFLAGS_common.o += $(DISABLE_STACKPROTECTOR)
> > +CFLAGS_syscall_32.o += $(DISABLE_STACKPROTECTOR)
> > +CFLAGS_syscall_64.o += $(DISABLE_STACKPROTECTOR)
>
> There is one more c file in this directory.
>
> Is it OK to not patch syscall_x32.c ?
Good question. Peter? (It seems all the syscall_*.c files are just a
table, not code -- why do they need any instrumentation changes?)
>
>
> >
> > CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> > CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
>
>
>
>
> This patch is ugly.
>
> I'd rather want to fix this by one-liner.
Why not a global export to assist? This isn't the only place it's needed
(see the arm64 chunk...)
>
>
>
>
> diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> index b7a5790d8d63..0d41eb91aaea 100644
> --- a/arch/x86/entry/Makefile
> +++ b/arch/x86/entry/Makefile
> @@ -11,6 +11,8 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)
> -fstack-protector -fstack-protector-
> CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector
> -fstack-protector-strong
> CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector
> -fstack-protector-strong
>
> +ccflags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) += -fno-stack-protector
> +
Order matters here -- when is ccflags-y applied?
> CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
> obj-y := entry_$(BITS).o thunk_$(BITS).o
> syscall_$(BITS).o
>
>
>
>
> --
> Best Regards
> Masahiro Yamada
--
Kees Cook
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
2020-06-23 5:37 ` Kees Cook
@ 2020-06-26 19:04 ` Masahiro Yamada
0 siblings, 0 replies; 7+ messages in thread
From: Masahiro Yamada @ 2020-06-26 19:04 UTC (permalink / raw)
To: Kees Cook
Cc: Peter Zijlstra, Thomas Gleixner, X86 ML,
Linux Kbuild mailing list, linux-arm-kernel,
Linux Kernel Mailing List
On Tue, Jun 23, 2020 at 2:37 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Jun 23, 2020 at 11:33:53AM +0900, Masahiro Yamada wrote:
> > On Tue, Jun 23, 2020 at 4:02 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > Some builds of GCC enable stack protector by default. Simply removing
> > > the arguments is not sufficient to disable stack protector, as the stack
> > > protector for those GCC builds must be explicitly disabled. (Removing the
> > > arguments is left as-is just to be sure there are no ordering problems. If
> > > -fno-stack-protector ended up _before_ -fstack-protector, it would not
> > > disable it: GCC uses whichever -f... comes last on the command line.)
> > >
> > > Fixes: 20355e5f73a7 ("x86/entry: Exclude low level entry code from sanitizing")
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > Makefile | 4 +++-
> > > arch/Kconfig | 3 ---
> > > arch/arm/boot/compressed/Makefile | 4 ++--
> > > arch/x86/entry/Makefile | 3 +++
> > > 4 files changed, 8 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/Makefile b/Makefile
> > > index ac2c61c37a73..b46e91bf0b0e 100644
> > > --- a/Makefile
> > > +++ b/Makefile
> > > @@ -762,7 +762,9 @@ ifneq ($(CONFIG_FRAME_WARN),0)
> > > KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
> > > endif
> > >
> > > -stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > > +DISABLE_STACKPROTECTOR := $(call cc-option,-fno-stack-protector)
> > > +export DISABLE_STACKPROTECTOR
> > > +stackp-flags-y := $(DISABLE_STACKPROTECTOR)
> > > stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
> > > stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
> > >
> > > diff --git a/arch/Kconfig b/arch/Kconfig
> > > index 8cc35dc556c7..1ea61290900a 100644
> > > --- a/arch/Kconfig
> > > +++ b/arch/Kconfig
> > > @@ -478,9 +478,6 @@ config HAVE_STACKPROTECTOR
> > > An arch should select this symbol if:
> > > - it has implemented a stack canary (e.g. __stack_chk_guard)
> > >
> > > -config CC_HAS_STACKPROTECTOR_NONE
> > > - def_bool $(cc-option,-fno-stack-protector)
> > > -
> > > config STACKPROTECTOR
> > > bool "Stack Protector buffer overflow detection"
> > > depends on HAVE_STACKPROTECTOR
> > > diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> > > index 00602a6fba04..3693bac525d2 100644
> > > --- a/arch/arm/boot/compressed/Makefile
> > > +++ b/arch/arm/boot/compressed/Makefile
> > > @@ -84,9 +84,9 @@ endif
> > >
> > > # -fstack-protector-strong triggers protection checks in this code,
> > > # but it is being used too early to link to meaningful stack_chk logic.
> > > -nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > > $(foreach o, $(libfdt_objs) atags_to_fdt.o, \
> > > - $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
> > > + $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt \
> > > + $(DISABLE_STACKPROTECTOR)))
> > >
> > > # These were previously generated C files. When you are building the kernel
> > > # with O=, make sure to remove the stale files in the output tree. Otherwise,
> > > diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> > > index b7a5790d8d63..79902decc3d1 100644
> > > --- a/arch/x86/entry/Makefile
> > > +++ b/arch/x86/entry/Makefile
> > > @@ -10,6 +10,9 @@ KCOV_INSTRUMENT := n
> > > CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > +CFLAGS_common.o += $(DISABLE_STACKPROTECTOR)
> > > +CFLAGS_syscall_32.o += $(DISABLE_STACKPROTECTOR)
> > > +CFLAGS_syscall_64.o += $(DISABLE_STACKPROTECTOR)
> >
> > There is one more c file in this directory.
> >
> > Is it OK to not patch syscall_x32.c ?
>
> Good question. Peter? (It seems all the syscall_*.c files are just a
> table, not code -- why do they need any instrumentation changes?)
>
> >
> >
> > >
> > > CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> > > CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
> >
> >
> >
> >
> > This patch is ugly.
> >
> > I'd rather want to fix this by one-liner.
>
> Why not a global export to assist? This isn't the only place it's needed
> (see the arm64 chunk...)
Is it useful when we know
DISABLE_STACKPROTECTOR = -fno-stack-protector ?
I'd rather want to apply this patch
https://patchwork.kernel.org/patch/11628493/
and hard-code -fno-stack-protector where necessary.
>
> >
> >
> >
> >
> > diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> > index b7a5790d8d63..0d41eb91aaea 100644
> > --- a/arch/x86/entry/Makefile
> > +++ b/arch/x86/entry/Makefile
> > @@ -11,6 +11,8 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)
> > -fstack-protector -fstack-protector-
> > CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector
> > -fstack-protector-strong
> > CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector
> > -fstack-protector-strong
> >
> > +ccflags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) += -fno-stack-protector
> > +
>
> Order matters here -- when is ccflags-y applied?
cc-flags-y comes after KBUILD_CFLAGS
so that -fno-stack-protector can negate -fstack-protector(-strong)
>
> > CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> > CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
> > obj-y := entry_$(BITS).o thunk_$(BITS).o
> > syscall_$(BITS).o
> >
> >
> >
> >
> > --
> > Best Regards
> > Masahiro Yamada
>
> --
> Kees Cook
--
Best Regards
Masahiro Yamada
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
@ 2020-06-26 19:04 ` Masahiro Yamada
0 siblings, 0 replies; 7+ messages in thread
From: Masahiro Yamada @ 2020-06-26 19:04 UTC (permalink / raw)
To: Kees Cook
Cc: Linux Kbuild mailing list, Peter Zijlstra, X86 ML,
Linux Kernel Mailing List, Thomas Gleixner, linux-arm-kernel
On Tue, Jun 23, 2020 at 2:37 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Jun 23, 2020 at 11:33:53AM +0900, Masahiro Yamada wrote:
> > On Tue, Jun 23, 2020 at 4:02 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > Some builds of GCC enable stack protector by default. Simply removing
> > > the arguments is not sufficient to disable stack protector, as the stack
> > > protector for those GCC builds must be explicitly disabled. (Removing the
> > > arguments is left as-is just to be sure there are no ordering problems. If
> > > -fno-stack-protector ended up _before_ -fstack-protector, it would not
> > > disable it: GCC uses whichever -f... comes last on the command line.)
> > >
> > > Fixes: 20355e5f73a7 ("x86/entry: Exclude low level entry code from sanitizing")
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > Makefile | 4 +++-
> > > arch/Kconfig | 3 ---
> > > arch/arm/boot/compressed/Makefile | 4 ++--
> > > arch/x86/entry/Makefile | 3 +++
> > > 4 files changed, 8 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/Makefile b/Makefile
> > > index ac2c61c37a73..b46e91bf0b0e 100644
> > > --- a/Makefile
> > > +++ b/Makefile
> > > @@ -762,7 +762,9 @@ ifneq ($(CONFIG_FRAME_WARN),0)
> > > KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
> > > endif
> > >
> > > -stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > > +DISABLE_STACKPROTECTOR := $(call cc-option,-fno-stack-protector)
> > > +export DISABLE_STACKPROTECTOR
> > > +stackp-flags-y := $(DISABLE_STACKPROTECTOR)
> > > stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
> > > stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
> > >
> > > diff --git a/arch/Kconfig b/arch/Kconfig
> > > index 8cc35dc556c7..1ea61290900a 100644
> > > --- a/arch/Kconfig
> > > +++ b/arch/Kconfig
> > > @@ -478,9 +478,6 @@ config HAVE_STACKPROTECTOR
> > > An arch should select this symbol if:
> > > - it has implemented a stack canary (e.g. __stack_chk_guard)
> > >
> > > -config CC_HAS_STACKPROTECTOR_NONE
> > > - def_bool $(cc-option,-fno-stack-protector)
> > > -
> > > config STACKPROTECTOR
> > > bool "Stack Protector buffer overflow detection"
> > > depends on HAVE_STACKPROTECTOR
> > > diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> > > index 00602a6fba04..3693bac525d2 100644
> > > --- a/arch/arm/boot/compressed/Makefile
> > > +++ b/arch/arm/boot/compressed/Makefile
> > > @@ -84,9 +84,9 @@ endif
> > >
> > > # -fstack-protector-strong triggers protection checks in this code,
> > > # but it is being used too early to link to meaningful stack_chk logic.
> > > -nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
> > > $(foreach o, $(libfdt_objs) atags_to_fdt.o, \
> > > - $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
> > > + $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt \
> > > + $(DISABLE_STACKPROTECTOR)))
> > >
> > > # These were previously generated C files. When you are building the kernel
> > > # with O=, make sure to remove the stale files in the output tree. Otherwise,
> > > diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> > > index b7a5790d8d63..79902decc3d1 100644
> > > --- a/arch/x86/entry/Makefile
> > > +++ b/arch/x86/entry/Makefile
> > > @@ -10,6 +10,9 @@ KCOV_INSTRUMENT := n
> > > CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector -fstack-protector-strong
> > > +CFLAGS_common.o += $(DISABLE_STACKPROTECTOR)
> > > +CFLAGS_syscall_32.o += $(DISABLE_STACKPROTECTOR)
> > > +CFLAGS_syscall_64.o += $(DISABLE_STACKPROTECTOR)
> >
> > There is one more c file in this directory.
> >
> > Is it OK to not patch syscall_x32.c ?
>
> Good question. Peter? (It seems all the syscall_*.c files are just a
> table, not code -- why do they need any instrumentation changes?)
>
> >
> >
> > >
> > > CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> > > CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
> >
> >
> >
> >
> > This patch is ugly.
> >
> > I'd rather want to fix this by one-liner.
>
> Why not a global export to assist? This isn't the only place it's needed
> (see the arm64 chunk...)
Is it useful when we know
DISABLE_STACKPROTECTOR = -fno-stack-protector ?
I'd rather want to apply this patch
https://patchwork.kernel.org/patch/11628493/
and hard-code -fno-stack-protector where necessary.
>
> >
> >
> >
> >
> > diff --git a/arch/x86/entry/Makefile b/arch/x86/entry/Makefile
> > index b7a5790d8d63..0d41eb91aaea 100644
> > --- a/arch/x86/entry/Makefile
> > +++ b/arch/x86/entry/Makefile
> > @@ -11,6 +11,8 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)
> > -fstack-protector -fstack-protector-
> > CFLAGS_REMOVE_syscall_32.o = $(CC_FLAGS_FTRACE) -fstack-protector
> > -fstack-protector-strong
> > CFLAGS_REMOVE_syscall_64.o = $(CC_FLAGS_FTRACE) -fstack-protector
> > -fstack-protector-strong
> >
> > +ccflags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) += -fno-stack-protector
> > +
>
> Order matters here -- when is ccflags-y applied?
cc-flags-y comes after KBUILD_CFLAGS
so that -fno-stack-protector can negate -fstack-protector(-strong)
>
> > CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,)
> > CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,)
> > obj-y := entry_$(BITS).o thunk_$(BITS).o
> > syscall_$(BITS).o
> >
> >
> >
> >
> > --
> > Best Regards
> > Masahiro Yamada
>
> --
> Kees Cook
--
Best Regards
Masahiro Yamada
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
2020-06-26 19:04 ` Masahiro Yamada
@ 2020-06-26 20:18 ` Kees Cook
-1 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2020-06-26 20:18 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Peter Zijlstra, Thomas Gleixner, X86 ML,
Linux Kbuild mailing list, linux-arm-kernel,
Linux Kernel Mailing List
On Sat, Jun 27, 2020 at 04:04:33AM +0900, Masahiro Yamada wrote:
> On Tue, Jun 23, 2020 at 2:37 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Tue, Jun 23, 2020 at 11:33:53AM +0900, Masahiro Yamada wrote:
> > > Is it OK to not patch syscall_x32.c ?
> >
> > Good question. Peter? (It seems all the syscall_*.c files are just a
> > table, not code -- why do they need any instrumentation changes?)
I'd still like to know the answer to this one...
> Is it useful when we know
> DISABLE_STACKPROTECTOR = -fno-stack-protector ?
I'm fine with that. My point was the using _REMOVE isn't going to work
for some compiler builds.
> I'd rather want to apply this patch
> https://patchwork.kernel.org/patch/11628493/
> and hard-code -fno-stack-protector where necessary.
That's fine. I will send a separate fix for arch/x86/entry/Makefile.
> cc-flags-y comes after KBUILD_CFLAGS
> so that -fno-stack-protector can negate -fstack-protector(-strong)
Okay, good.
--
Kees Cook
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] kbuild: Provide way to actually disable stack protector
@ 2020-06-26 20:18 ` Kees Cook
0 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2020-06-26 20:18 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Linux Kbuild mailing list, Peter Zijlstra, X86 ML,
Linux Kernel Mailing List, Thomas Gleixner, linux-arm-kernel
On Sat, Jun 27, 2020 at 04:04:33AM +0900, Masahiro Yamada wrote:
> On Tue, Jun 23, 2020 at 2:37 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Tue, Jun 23, 2020 at 11:33:53AM +0900, Masahiro Yamada wrote:
> > > Is it OK to not patch syscall_x32.c ?
> >
> > Good question. Peter? (It seems all the syscall_*.c files are just a
> > table, not code -- why do they need any instrumentation changes?)
I'd still like to know the answer to this one...
> Is it useful when we know
> DISABLE_STACKPROTECTOR = -fno-stack-protector ?
I'm fine with that. My point was the using _REMOVE isn't going to work
for some compiler builds.
> I'd rather want to apply this patch
> https://patchwork.kernel.org/patch/11628493/
> and hard-code -fno-stack-protector where necessary.
That's fine. I will send a separate fix for arch/x86/entry/Makefile.
> cc-flags-y comes after KBUILD_CFLAGS
> so that -fno-stack-protector can negate -fstack-protector(-strong)
Okay, good.
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-06-26 20:20 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-22 19:02 [PATCH] kbuild: Provide way to actually disable stack protector Kees Cook
2020-06-23 2:33 ` Masahiro Yamada
2020-06-23 5:37 ` Kees Cook
2020-06-26 19:04 ` Masahiro Yamada
2020-06-26 19:04 ` Masahiro Yamada
2020-06-26 20:18 ` Kees Cook
2020-06-26 20:18 ` Kees Cook
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.