user/sven/linux.git/scripts/gcc-plugins, branch v4.13.6Linux Kernel
https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.13.62017-06-22T23:21:43Zrandstruct: Whitelist NIU struct page overloading2017-06-22T23:21:43ZKees Cookkeescook@chromium.org2017-05-26T04:44:38Zurn:sha1:1854c19cae0d108637c40f90ee0bb9b7c1adbc0a
The NIU ethernet driver intentionally stores a page struct pointer on
top of the "mapping" field. Whitelist this case:
drivers/net/ethernet/sun/niu.c: In function ‘niu_rx_pkt_ignore’:
drivers/net/ethernet/sun/niu.c:3402:10: note: found mismatched ssa struct pointer types: ‘struct page’ and ‘struct address_space’
*link = (struct page *) page->mapping;
~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
randstruct: Whitelist big_key path struct overloading2017-06-22T23:21:42ZKees Cookkeescook@chromium.org2017-05-26T04:40:22Zurn:sha1:802762cdfff256b6bf3fdb624ac2c56ec043c4f0
The big_key payload structure intentionally stores a struct path in
two void pointers to avoid header soup. Whitelist this case:
security/keys/big_key.c: In function ‘big_key_read’:
security/keys/big_key.c:293:16: note: found mismatched rhs struct pointer types: ‘struct path’ and ‘void *’
struct path *path = (struct path *)&key->payload.data[big_key_path];
^~~~
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
randstruct: Whitelist UNIXCB cast2017-06-22T23:21:41ZKees Cookkeescook@chromium.org2017-04-05T04:35:22Zurn:sha1:b07b65846ba33a4deba03eb6e39043c8bc70903b
This is another false positive in bad cast detection:
net/unix/af_unix.c: In function ‘unix_skb_scm_eq’:
net/unix/af_unix.c:1621:31: note: found mismatched rhs struct pointer types: ‘struct unix_skb_parms’ and ‘char’
const struct unix_skb_parms *u = &UNIXCB(skb);
^
UNIXCB is:
#define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
And ->cb is:
char cb[48] __aligned(8);
This is a rather crazy cast, but appears to be safe in the face of
randomization, so whitelist it in the plugin.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
randstruct: Whitelist struct security_hook_heads cast2017-06-22T23:21:40ZKees Cookkeescook@chromium.org2017-04-04T23:50:45Zurn:sha1:fd466e068e5adef5922b76f24374c96ba01faaa2
The LSM initialization routines walk security_hook_heads as an array
of struct list_head instead of via names to avoid a ton of needless
source. Whitelist this to avoid the false positive warning from the
plugin:
security/security.c: In function ‘security_init’:
security/security.c:59:20: note: found mismatched op0 struct pointer types: ‘struct list_head’ and ‘struct security_hook_heads’
struct list_head *list = (struct list_head *) &security_hook_heads;
^
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
gcc-plugins: Add the randstruct plugin2017-06-22T23:15:45ZKees Cookkeescook@chromium.org2017-05-06T06:37:45Zurn:sha1:313dd1b629219db50cad532dba6a3b3b22ffe622
This randstruct plugin is modified from Brad Spengler/PaX Team's code
in the last public patch of grsecurity/PaX based on my understanding
of the code. Changes or omissions from the original code are mine and
don't reflect the original grsecurity/PaX code.
The randstruct GCC plugin randomizes the layout of selected structures
at compile time, as a probabilistic defense against attacks that need to
know the layout of structures within the kernel. This is most useful for
"in-house" kernel builds where neither the randomization seed nor other
build artifacts are made available to an attacker. While less useful for
distribution kernels (where the randomization seed must be exposed for
third party kernel module builds), it still has some value there since now
all kernel builds would need to be tracked by an attacker.
In more performance sensitive scenarios, GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
can be selected to make a best effort to restrict randomization to
cacheline-sized groups of elements, and will not randomize bitfields. This
comes at the cost of reduced randomization.
Two annotations are defined,__randomize_layout and __no_randomize_layout,
which respectively tell the plugin to either randomize or not to
randomize instances of the struct in question. Follow-on patches enable
the auto-detection logic for selecting structures for randomization
that contain only function pointers. It is disabled here to assist with
bisection.
Since any randomized structs must be initialized using designated
initializers, __randomize_layout includes the __designated_init annotation
even when the plugin is disabled so that all builds will require
the needed initialization. (With the plugin enabled, annotations for
automatically chosen structures are marked as well.)
The main differences between this implemenation and grsecurity are:
- disable automatic struct selection (to be enabled in follow-up patch)
- add designated_init attribute at runtime and for manual marking
- clarify debugging output to differentiate bad cast warnings
- add whitelisting infrastructure
- support gcc 7's DECL_ALIGN and DECL_MODE changes (Laura Abbott)
- raise minimum required GCC version to 4.7
Earlier versions of this patch series were ported by Michael Leibowitz.
Signed-off-by: Kees Cook <keescook@chromium.org>
gcc-plugins: Detail c-common.h location for GCC 4.62017-05-28T17:23:02ZKees Cookkeescook@chromium.org2017-04-15T18:45:20Zurn:sha1:1132e1e448ce51e3b51fc7afdf661633abc4f202
The c-common.h file moved in stock gcc 4.7, not gcc 4.6. However, most
people building plugins with gcc 4.6 are using the Debian or Ubuntu
version, which includes a patch to move the headers to the 4.7 location.
In case anyone trips over this with a stock gcc 4.6, add a pointer to the
patch used by Debian/Ubuntu.
Signed-off-by: Kees Cook <keescook@chromium.org>
Merge tag 'gcc-plugins-v4.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux2017-03-10T02:05:41ZLinus Torvaldstorvalds@linux-foundation.org2017-03-10T02:05:41Zurn:sha1:794fe7891d77fb9ee095313c60805a8ed609e2a7
Pull gcc-plugins fix from Kees Cook:
"Fixes a typo in sancov plugin, exposed in earlier compiler versions"
* tag 'gcc-plugins-v4.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
gcc-plugins: fix sancov_plugin for gcc-5
gcc-plugins: fix sancov_plugin for gcc-52017-02-27T22:10:10ZArnd Bergmannarnd@arndb.de2017-02-27T20:29:03Zurn:sha1:dcc235279a52d49023d4f1af7c3ed468a97015ae
The name of the local variable was inadvertantly changed from
sancov_plugin_pass_info to sancov_pass_info:
scripts/gcc-plugins/sancov_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’:
scripts/gcc-plugins/sancov_plugin.c:136:67: error: ‘sancov_plugin_pass_info’ was not declared in this scope
This changes the conditional reference to this variable as well.
Fixes: 5a45a4c5c3f5 ("gcc-plugins: consolidate on PASS_INFO macro")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Merge branch 'for-next/gcc-plugin/structleak' into for-linus/gcc-plugins2017-02-22T05:12:57ZKees Cookkeescook@chromium.org2017-02-22T05:12:57Zurn:sha1:c054ee3bbf69ebcabb1f3218b7faf4b1b37a8eb6gcc-plugins: Add structleak for more stack initialization2017-01-18T20:02:35ZKees Cookkeescook@chromium.org2017-01-13T19:14:39Zurn:sha1:c61f13eaa1ee17728c41370100d2d45c254ce76f
This plugin detects any structures that contain __user attributes and
makes sure it is being fully initialized so that a specific class of
information exposure is eliminated. (This plugin was originally designed
to block the exposure of siginfo in CVE-2013-2141.)
Ported from grsecurity/PaX. This version adds a verbose option to the
plugin and the Kconfig.
Signed-off-by: Kees Cook <keescook@chromium.org>