
Commit ad3ab30

committed
Merge branch 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull strong stackprotector support from Ingo Molnar: "This tree adds a CONFIG_CC_STACKPROTECTOR_STRONG=y, a new, stronger stack canary checking method supported by the newest GCC versions (4.9 and later). Here's the 'intensity comparison' between the various protection modes: - defconfig 11430641 kernel text size 36110 function bodies - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR 11468490 kernel text size (+0.33%) 1015 of 36110 functions are stack-protected (2.81%) - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch 11692790 kernel text size (+2.24%) 7401 of 36110 functions are stack-protected (20.5%) the strong model comes with non-trivial costs, which is why we preserved the 'regular' and 'none' models as well" * 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
2 parents a693c46 + 8779657 commit ad3ab30

11 files changed

+105
-75
lines changed

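--- a/Makefile
+++ b/Makefile
@@ -595,10 +595,24 @@ ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
-# Force gcc to behave correct even for buggy distributions
-ifndef CONFIG_CC_STACKPROTECTOR
-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+# Handle stack protector mode.
+ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
+stackp-flag := -fstack-protector
+ifeq ($(call cc-option, $(stackp-flag)),)
+$(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
+-fstack-protector not supported by compiler))
+endif
+else ifdef CONFIG_CC_STACKPROTECTOR_STRONG
+stackp-flag := -fstack-protector-strong
+ifeq ($(call cc-option, $(stackp-flag)),)
+$(warning Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: \
+-fstack-protector-strong not supported by compiler)
+endif
+else
+# Force off for distro compilers that enable stack protector by default.
+stackp-flag := $(call cc-option, -fno-stack-protector)
 endif
+KBUILD_CFLAGS += $(stackp-flag)
 
 # This warning generated too much noise in a regular build.
 # Use make W=1 to enable this warning (see scripts/Makefile.build)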
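Review bot: The `$(warning ...)` in the CONFIG_CC_STACKPROTECTOR_REGULAR branch ends in `compiler))`, one closing parenthesis more than the matching warning in the STRONG branch; the extra `)` stays on the line after the function expands and will probably be reported by make as a syntax error exactly when the compiler lacks the flag, so the line should end `-fstack-protector not supported by compiler)`. That message also names `CONFIG_CC_STACKPROTECTOR` although the option being tested is `CONFIG_CC_STACKPROTECTOR_REGULAR`. Separately, both unsupported-compiler paths only warn and `KBUILD_CFLAGS += $(stackp-flag)` still appends the flag, so whether the build stops depends on the compiler rejecting the option; using `$(error ...)` in place of `$(warning ...)` would make a hardening request that cannot be honoured fail explicitly.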

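--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,6 +336,73 @@ config SECCOMP_FILTER
 
 See Documentation/prctl/seccomp_filter.txt for details.
 
+config HAVE_CC_STACKPROTECTOR
+bool
+help
+An arch should select this symbol if:
+- its compiler supports the -fstack-protector option
+- it has implemented a stack canary (e.g. __stack_chk_guard)
+
+config CC_STACKPROTECTOR
+def_bool n
+help
+Set when a stack-protector mode is enabled, so that the build
+can enable kernel-side support for the GCC feature.
+
+choice
+prompt "Stack Protector buffer overflow detection"
+depends on HAVE_CC_STACKPROTECTOR
+default CC_STACKPROTECTOR_NONE
+help
+This option turns on the "stack-protector" GCC feature. This
+feature puts, at the beginning of functions, a canary value on
+the stack just before the return address, and validates
+the value just before actually returning. Stack based buffer
+overflows (that need to overwrite this return address) now also
+overwrite the canary, which gets detected and the attack is then
+neutralized via a kernel panic.
+
+config CC_STACKPROTECTOR_NONE
+bool "None"
+help
+Disable "stack-protector" GCC feature.
+
+config CC_STACKPROTECTOR_REGULAR
+bool "Regular"
+select CC_STACKPROTECTOR
+help
+Functions will have the stack-protector canary logic added if they
+have an 8-byte or larger character array on the stack.
+
+This feature requires gcc version 4.2 or above, or a distribution
+gcc with the feature backported ("-fstack-protector").
+
+On an x86 "defconfig" build, this feature adds canary checks to
+about 3% of all kernel functions, which increases kernel code size
+by about 0.3%.
+
+config CC_STACKPROTECTOR_STRONG
+bool "Strong"
+select CC_STACKPROTECTOR
+help
+Functions will have the stack-protector canary logic added in any
+of the following conditions:
+
+- local variable's address used as part of the right hand side of an
+assignment or function argument
+- local variable is an array (or union containing an array),
+regardless of array type or length
+- uses register local variables
+
+This feature requires gcc version 4.9 or above, or a distribution
+gcc with the feature backported ("-fstack-protector-strong").
+
+On an x86 "defconfig" build, this feature adds canary checks to
+about 20% of all kernel functions, which increases the kernel code
+size by about 2%.
+
+endchoice
+
 config HAVE_CONTEXT_TRACKING
 bool
 help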
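Review bot: The choice defaults to `CC_STACKPROTECTOR_NONE`, so every architecture that selects `HAVE_CC_STACKPROTECTOR` builds without canaries unless the option is changed by hand, and the choice help does not say that protection is opt-in. `HAVE_CC_STACKPROTECTOR` is selected per architecture rather than probed from the compiler, so "Regular" and "Strong" stay selectable with a toolchain that lacks the flag; the help texts name the required gcc versions but not what happens when the requirement is not met. I would add a sentence to each mode's help along the lines of `If the compiler does not support this option, the build prints a warning.` so the Kconfig text agrees with the top-level Makefile section shown on this page.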

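--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -30,6 +30,7 @@ config ARM
 select HAVE_BPF_JIT
 select HAVE_CONTEXT_TRACKING
 select HAVE_C_RECORDMCOUNT
+select HAVE_CC_STACKPROTECTOR
 select HAVE_DEBUG_KMEMLEAK
 select HAVE_DMA_API_DEBUG
 select HAVE_DMA_ATTRS
@@ -1856,18 +1857,6 @@ config SECCOMP
 and the task is only allowed to execute a few safe syscalls
 defined by each seccomp mode.
 
-config CC_STACKPROTECTOR
-bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-help
-This option turns on the -fstack-protector GCC feature. This
-feature puts, at the beginning of functions, a canary value on
-the stack just before the return address, and validates
-the value just before actually returning. Stack based buffer
-overflows (that need to overwrite this return address) now also
-overwrite the canary, which gets detected and the attack is then
-neutralized via a kernel panic.
-This feature requires gcc version 4.2 or above.
-
 config SWIOTLB
 def_bool y
 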

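--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -40,10 +40,6 @@ ifeq ($(CONFIG_FRAME_POINTER),y)
 KBUILD_CFLAGS +=-fno-omit-frame-pointer -mapcs -mno-sched-prolog
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-KBUILD_CFLAGS +=-fstack-protector
-endif
-
 ifeq ($(CONFIG_CPU_BIG_ENDIAN),y)
 KBUILD_CPPFLAGS += -mbig-endian
 AS += -EB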

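--- a/arch/arm/boot/compressed/misc.c
+++ b/arch/arm/boot/compressed/misc.c
@@ -127,6 +127,18 @@ asmlinkage void __div0(void)
 error("Attempting division by 0!");
 }
 
+unsigned long __stack_chk_guard;
+
+void __stack_chk_guard_setup(void)
+{
+__stack_chk_guard = 0x000a0dff;
+}
+
+void __stack_chk_fail(void)
+{
+error("stack-protector: Kernel stack is corrupted\n");
+}
+
 extern int do_decompress(u8 *input, int len, u8 *output, void (*error)(char *x));
 
 
@@ -137,6 +149,8 @@ decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
 {
 int ret;
 
+__stack_chk_guard_setup();
+
 output_data = (unsigned char *)output_start;
 free_mem_ptr = free_mem_ptr_p;
 free_mem_end_ptr = free_mem_ptr_end_p;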
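Review bot: `__stack_chk_guard` is set to the fixed constant `0x000a0dff` with no comment, so a reader cannot tell that the decompressor's canary is a known value rather than a secret; its bytes (NUL, LF, CR, 0xff) look like a terminator-style canary, which catches string-copy overruns but not a write that can reproduce the constant. I would document that above `__stack_chk_guard_setup()`, e.g. `/* Fixed terminator canary for the decompressor; not a secret. */`. `__stack_chk_guard_setup()` is called from inside `decompress_kernel()`, whose body continues outside the hunk: if that function is itself instrumented, its prologue has already copied the previous guard value, so a comment stating that the caller must not be stack-protected (or must be checked for this) would help. `__stack_chk_fail()` also relies on `error()` not returning, which is not visible in this section.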

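--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -47,6 +47,7 @@ config MIPS
 select MODULES_USE_ELF_RELA if MODULES && 64BIT
 select CLONE_BACKWARDS
 select HAVE_DEBUG_STACKOVERFLOW
+select HAVE_CC_STACKPROTECTOR
 
 menu "Machine selection"
 
@@ -2322,19 +2323,6 @@ config SECCOMP
 
 If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-help
-This option turns on the -fstack-protector GCC feature. This
-feature puts, at the beginning of functions, a canary value on
-the stack just before the return address, and validates
-the value just before actually returning. Stack based buffer
-overflows (that need to overwrite this return address) now also
-overwrite the canary, which gets detected and the attack is then
-neutralized via a kernel panic.
-
-This feature requires gcc version 4.2 or above.
-
 config USE_OF
 bool
 select OF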

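--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -232,10 +232,6 @@ bootvars-y = VMLINUX_LOAD_ADDRESS=$(load-y) \
 
 LDFLAGS += -m $(ld-emul)
 
-ifdef CONFIG_CC_STACKPROTECTOR
-KBUILD_CFLAGS += -fstack-protector
-endif
-
 ifdef CONFIG_MIPS
 CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
 egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \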

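--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -66,6 +66,7 @@ config SUPERH32
 select PERF_EVENTS
 select ARCH_HIBERNATION_POSSIBLE if MMU
 select SPARSE_IRQ
+select HAVE_CC_STACKPROTECTOR
 
 config SUPERH64
 def_bool ARCH = "sh64"
@@ -695,20 +696,6 @@ config SECCOMP
 
 If unsure, say N.
 
-config CC_STACKPROTECTOR
-bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-depends on SUPERH32
-help
-This option turns on the -fstack-protector GCC feature. This
-feature puts, at the beginning of functions, a canary value on
-the stack just before the return address, and validates
-the value just before actually returning. Stack based buffer
-overflows (that need to overwrite this return address) now also
-overwrite the canary, which gets detected and the attack is then
-neutralized via a kernel panic.
-
-This feature requires gcc version 4.2 or above.
-
 config SMP
 bool "Symmetric multi-processing support"
 depends on SYS_SUPPORTS_SMP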

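--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -199,10 +199,6 @@ ifeq ($(CONFIG_DWARF_UNWINDER),y)
 KBUILD_CFLAGS += -fasynchronous-unwind-tables
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-KBUILD_CFLAGS += -fstack-protector
-endif
-
 libs-$(CONFIG_SUPERH32) := arch/sh/lib/ $(libs-y)
 libs-$(CONFIG_SUPERH64) := arch/sh/lib64/ $(libs-y)
 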

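--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,6 +125,7 @@ config X86
 select RTC_LIB
 select HAVE_DEBUG_STACKOVERFLOW
 select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+select HAVE_CC_STACKPROTECTOR
 
 config INSTRUCTION_DECODER
 def_bool y
@@ -1617,22 +1618,6 @@ config SECCOMP
 
 If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-bool "Enable -fstack-protector buffer overflow detection"
----help---
-This option turns on the -fstack-protector GCC feature. This
-feature puts, at the beginning of functions, a canary value on
-the stack just before the return address, and validates
-the value just before actually returning. Stack based buffer
-overflows (that need to overwrite this return address) now also
-overwrite the canary, which gets detected and the attack is then
-neutralized via a kernel panic.
-
-This feature requires gcc version 4.2 or above, or a distribution
-gcc with the feature backported. Older versions are automatically
-detected and for those versions, this configuration option is
-ignored. (and a warning is printed during bootup)
-
 source kernel/Kconfig.hz
 
 config KEXEC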

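--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -89,13 +89,11 @@ else
 KBUILD_CFLAGS += -maccumulate-outgoing-args
 endif
 
+# Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
 cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
-stackp-y := -fstack-protector
-KBUILD_CFLAGS += $(stackp-y)
-else
-$(warning stack protector enabled but no compiler support)
+ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
+$(warning stack-protector enabled but compiler support broken)
 endif
 endif
 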
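Review bot: When `gcc-x86_$(BITS)-has-stack-protector.sh` does not print `y`, the new `ifneq` branch only warns, while the top-level Makefile section of this commit appends `$(stackp-flag)` to `KBUILD_CFLAGS` regardless; the removed code left the flag out in that case. The result appears to be a kernel compiled with stack-protector code from a compiler the probe has just classified as broken, with only a line in the build log to show it. Consider `$(error stack-protector enabled but compiler support broken)` so the condition cannot be missed. The script is also invoked without `$(stackp-flag)`, so from this section it is unclear whether the `-fstack-protector-strong` mode is probed at all.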
