Wire up stackleak to Clang's proposed[1] stack depth tracking callback option. While __noinstr already contained __no_sanitize_coverage, it was still needed for __init and __head section markings. This is needed to make sure the callback is not executed in unsupported contexts.
Link: https://github.com/llvm/llvm-project/pull/138323 [1] Signed-off-by: Kees Cook <k...@kernel.org> --- Cc: Arnd Bergmann <a...@arndb.de> Cc: Thomas Gleixner <t...@linutronix.de> Cc: Ingo Molnar <mi...@redhat.com> Cc: Borislav Petkov <b...@alien8.de> Cc: Dave Hansen <dave.han...@linux.intel.com> Cc: <x...@kernel.org> Cc: "H. Peter Anvin" <h...@zytor.com> Cc: Masahiro Yamada <masahi...@kernel.org> Cc: Nathan Chancellor <nat...@kernel.org> Cc: Nicolas Schier <nicolas.sch...@linux.dev> Cc: Marco Elver <el...@google.com> Cc: Andrey Konovalov <andreyk...@gmail.com> Cc: Andrey Ryabinin <ryabinin....@gmail.com> Cc: Ard Biesheuvel <a...@kernel.org> Cc: "Gustavo A. R. Silva" <gustavo...@kernel.org> Cc: Paul Moore <p...@paul-moore.com> Cc: James Morris <jmor...@namei.org> Cc: "Serge E. Hallyn" <se...@hallyn.com> Cc: Kai Huang <kai.hu...@intel.com> Cc: Hou Wenlong <houwenlong....@antgroup.com> Cc: "Kirill A. Shutemov" <kirill.shute...@linux.intel.com> Cc: Andrew Morton <a...@linux-foundation.org> Cc: "Peter Zijlstra (Intel)" <pet...@infradead.org> Cc: Sami Tolvanen <samitolva...@google.com> Cc: Christophe Leroy <christophe.le...@csgroup.eu> Cc: <linux-kbu...@vger.kernel.org> Cc: <kasan-...@googlegroups.com> Cc: <linux-harden...@vger.kernel.org> Cc: <linux-security-mod...@vger.kernel.org> --- arch/x86/include/asm/init.h | 2 +- include/linux/init.h | 4 +++- scripts/Makefile.ubsan | 12 ++++++++++++ security/Kconfig.hardening | 5 ++++- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h index 8b1b1abcef15..6bfdaeddbae8 100644 --- a/arch/x86/include/asm/init.h +++ b/arch/x86/include/asm/init.h @@ -5,7 +5,7 @@ #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000 #define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector #else -#define __head __section(".head.text") __no_sanitize_undefined +#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage #endif struct x86_mapping_info { diff --git a/include/linux/init.h b/include/linux/init.h index ee1309473bc6..c65a050d52a7 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -49,7 +49,9 @@ /* These are for everybody (although not all archs will actually discard it in modules) */ -#define __init __section(".init.text") __cold __latent_entropy __noinitretpoline +#define __init __section(".init.text") __cold __latent_entropy \ + __noinitretpoline \ + __no_sanitize_coverage #define __initdata __section(".init.data") #define __initconst __section(".init.rodata") #define __exitdata __section(".exit.data") diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 9e35198edbf0..cfb3ecde07dd 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -22,3 +22,15 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ -fsanitize=implicit-unsigned-integer-truncation \ -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) + +ifdef CONFIG_CC_IS_CLANG +stackleak-cflags-$(CONFIG_STACKLEAK) += \ + -fsanitize-coverage=stack-depth \ + -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE) +export STACKLEAK_CFLAGS := $(stackleak-cflags-y) +ifdef CONFIG_STACKLEAK + DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth +endif +export DISABLE_STACKLEAK +KBUILD_CFLAGS += $(STACKLEAK_CFLAGS) +endif diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index edcc489a6805..e86b61e44b33 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. +config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK + def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1) + config STACKLEAK bool "Poison kernel stack before returning from syscalls" depends on HAVE_ARCH_STACKLEAK - depends on GCC_PLUGINS + depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK help This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving -- 2.34.1
