Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.20.11 2018-12-06T17:10:23Z 2018-12-06T17:10:23Z Alexander Popov alex.popov@linux.com 2018-12-06T15:13:07Z urn:sha1:8fb2dfb228df785bbeb4d055a74402ef4b07fc25 Currently the 'stackleak_cleanup' pass deleting a CALL insn is executed after the 'reload' pass. That allows gcc to do some weird optimization in function prologues and epilogues, which are generated later [1]. Let's avoid that by registering the 'stackleak_cleanup' pass before the '*free_cfg' pass. It's the moment when the stack frame size is already final, function prologues and epilogues are generated, and the machine-dependent code transformations are not done. [1] https://www.openwall.com/lists/kernel-hardening/2018/11/23/2 Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Alexander Popov <alex.popov@linux.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-09-04T17:35:48Z Alexander Popov alex.popov@linux.com 2018-08-16T22:17:03Z urn:sha1:964c9dff0091893a9a74a88edf984c6da0b779f7 Introduce CONFIG_STACKLEAK_RUNTIME_DISABLE option, which provides 'stack_erasing' sysctl. It can be used in runtime to control kernel stack erasing for kernels built with CONFIG_GCC_PLUGIN_STACKLEAK. Suggested-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Alexander Popov <alex.popov@linux.com> Tested-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-09-04T17:35:48Z Alexander Popov alex.popov@linux.com 2018-08-16T22:17:01Z urn:sha1:c8d126275a5fa59394fe17109bdb9812fed296b8 Introduce CONFIG_STACKLEAK_METRICS providing STACKLEAK information about tasks via the /proc file system. In particular, /proc/<pid>/stack_depth shows the maximum kernel stack consumption for the current and previous syscalls. Although this information is not precise, it can be useful for estimating the STACKLEAK performance impact for your workloads. Suggested-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Alexander Popov <alex.popov@linux.com> Tested-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-09-04T17:35:47Z Alexander Popov alex.popov@linux.com 2018-08-16T22:16:59Z urn:sha1:10e9ae9fabaf96c8e5227c1cd4827d58b3aa406d The STACKLEAK feature erases the kernel stack before returning from syscalls. That reduces the information which kernel stack leak bugs can reveal and blocks some uninitialized stack variable attacks. This commit introduces the STACKLEAK gcc plugin. It is needed for tracking the lowest border of the kernel stack, which is important for the code erasing the used part of the kernel stack at the end of syscalls (comes in a separate commit). The STACKLEAK feature is ported from grsecurity/PaX. More information at: https://grsecurity.net/ https://pax.grsecurity.net/ This code is modified from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on our understanding of the code. Changes or omissions from the original code are ours and don't reflect the original grsecurity/PaX code. Signed-off-by: Alexander Popov <alex.popov@linux.com> Tested-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-09-04T17:35:47Z Alexander Popov alex.popov@linux.com 2018-08-16T22:16:58Z urn:sha1:afaef01c001537fa97a25092d7f54d764dc7d8c1 The STACKLEAK feature (initially developed by PaX Team) has the following benefits: 1. Reduces the information that can be revealed through kernel stack leak bugs. The idea of erasing the thread stack at the end of syscalls is similar to CONFIG_PAGE_POISONING and memzero_explicit() in kernel crypto, which all comply with FDP_RIP.2 (Full Residual Information Protection) of the Common Criteria standard. 2. Blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712, CVE-2010-2963). That kind of bugs should be killed by improving C compilers in future, which might take a long time. This commit introduces the code filling the used part of the kernel stack with a poison value before returning to userspace. Full STACKLEAK feature also contains the gcc plugin which comes in a separate commit. The STACKLEAK feature is ported from grsecurity/PaX. More information at: https://grsecurity.net/ https://pax.grsecurity.net/ This code is modified from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on our understanding of the code. Changes or omissions from the original code are ours and don't reflect the original grsecurity/PaX code. Performance impact: Hardware: Intel Core i7-4770, 16 GB RAM Test #1: building the Linux kernel on a single core 0.91% slowdown Test #2: hackbench -s 4096 -l 2000 -g 15 -f 25 -P 4.2% slowdown So the STACKLEAK description in Kconfig includes: "The tradeoff is the performance impact: on a single CPU system kernel compilation sees a 1% slowdown, other systems and workloads may vary and you are advised to test this feature on your expected workload before deploying it". Signed-off-by: Alexander Popov <alex.popov@linux.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com> Acked-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-08-26T18:41:08Z Linus Torvalds torvalds@linux-foundation.org 2018-08-26T18:41:08Z urn:sha1:c4726e774ed27680c418e138234dfd2b8e1e89ac Pull gcc plugin fix from Kees Cook: "Lift gcc test into Kconfig. This is for better behavior when the kernel is built with Clang, reported by Stefan Agner" * tag 'gcc-plugins-v4.19-rc1-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: gcc-plugins: Disable when building under Clang 2018-08-23T17:06:12Z Kees Cook keescook@chromium.org 2018-08-23T06:02:31Z urn:sha1:b04413330c773c808c4c6a6cdd278f8ee0f8b613 Prior to doing compiler feature detection in Kconfig, attempts to build GCC plugins with Clang would fail the build, much in the same way missing GCC plugin headers would fail the build. However, now that this logic has been lifted into Kconfig, add an explicit test for GCC (instead of duplicating it in the feature-test script). Reported-by: Stefan Agner <stefan@agner.ch> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com> 2018-07-24T23:14:06Z Alexander Popov alex.popov@linux.com 2018-07-11T20:36:35Z urn:sha1:45d9a1e3cc45efee6c0ef82b77269d6944d9d8a5 Drop useless redefinitions of cgraph_create_edge* macros. Drop the unused nest argument. Also support gcc-8, which doesn't have freq argument. Signed-off-by: Alexander Popov <alex.popov@linux.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-07-24T23:11:07Z Masahiro Yamada yamada.masahiro@socionext.com 2018-07-05T06:24:12Z urn:sha1:45332b1bdfdc8d63ae4a9d32cbb10e11bc20baab Collect relevant code into the scripts/gcc-plugins directory. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2018-07-03T02:27:00Z Masahiro Yamada yamada.masahiro@socionext.com 2018-07-03T00:39:12Z urn:sha1:c17d6179ad5aec2a6ef85f8555454e9cefd4b9fb GCC_PLUGIN_SUBDIR has never been used. If you really need this in the future, please re-add it then. For now, the code is unused. Remove. 'export HOSTLIBS' is not necessary either. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Kees Cook <keescook@chromium.org>