Merge branch 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull strong stackprotector support from Ingo Molnar: "This tree adds a CONFIG_CC_STACKPROTECTOR_STRONG=y, a new, stronger stack canary checking method supported by the newest GCC versions (4.9 and later). Here's the 'intensity comparison' between the various protection modes: - defconfig 11430641 kernel text size 36110 function bodies - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR 11468490 kernel text size (+0.33%) 1015 of 36110 functions are stack-protected (2.81%) - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch 11692790 kernel text size (+2.24%) 7401 of 36110 functions are stack-protected (20.5%) the strong model comes with non-trivial costs, which is why we preserved the 'regular' and 'none' models as well" * 'core-stackprotector-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
2014-01-20 10:26:31 -08:00 · 2014-01-20 10:26:31 -08:00 · ad3ab302fd
--- a/20
+++ b/20
@ -595,10 +595,24 @@ ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
-# Force gcc to behave correct even for buggy distributions
+# Handle stack protector mode.
-ifndef CONFIG_CC_STACKPROTECTOR
+ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+  stackp-flag := -fstack-protector
  ifeq ($(call cc-option, $(stackp-flag)),)
    $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
 	      -fstack-protector not supported by compiler))
  endif
 else ifdef CONFIG_CC_STACKPROTECTOR_STRONG
  stackp-flag := -fstack-protector-strong
  ifeq ($(call cc-option, $(stackp-flag)),)
    $(warning Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: \
 	      -fstack-protector-strong not supported by compiler)
  endif
 else
  # Force off for distro compilers that enable stack protector by default.
  stackp-flag := $(call cc-option, -fno-stack-protector)
 endif
 KBUILD_CFLAGS += $(stackp-flag)
 # This warning generated too much noise in a regular build.
 # Use make W=1 to enable this warning (see scripts/Makefile.build)
--- a/arch/Kconfig
+++ b/arch/Kconfig
@ -336,6 +336,73 @@ config SECCOMP_FILTER
 	  See Documentation/prctl/seccomp_filter.txt for details.
 config HAVE_CC_STACKPROTECTOR
 	bool
 	help
 	  An arch should select this symbol if:
 	  - its compiler supports the -fstack-protector option
 	  - it has implemented a stack canary (e.g. __stack_chk_guard)
 config CC_STACKPROTECTOR
 	def_bool n
 	help
 	  Set when a stack-protector mode is enabled, so that the build
 	  can enable kernel-side support for the GCC feature.
 choice
 	prompt "Stack Protector buffer overflow detection"
 	depends on HAVE_CC_STACKPROTECTOR
 	default CC_STACKPROTECTOR_NONE
 	help
 	  This option turns on the "stack-protector" GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
 	  overflows (that need to overwrite this return address) now also
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 config CC_STACKPROTECTOR_NONE
 	bool "None"
 	help
 	  Disable "stack-protector" GCC feature.
 config CC_STACKPROTECTOR_REGULAR
 	bool "Regular"
 	select CC_STACKPROTECTOR
 	help
 	  Functions will have the stack-protector canary logic added if they
 	  have an 8-byte or larger character array on the stack.
 	  This feature requires gcc version 4.2 or above, or a distribution
 	  gcc with the feature backported ("-fstack-protector").
 	  On an x86 "defconfig" build, this feature adds canary checks to
 	  about 3% of all kernel functions, which increases kernel code size
 	  by about 0.3%.
 config CC_STACKPROTECTOR_STRONG
 	bool "Strong"
 	select CC_STACKPROTECTOR
 	help
 	  Functions will have the stack-protector canary logic added in any
 	  of the following conditions:
 	  - local variable's address used as part of the right hand side of an
 	    assignment or function argument
 	  - local variable is an array (or union containing an array),
 	    regardless of array type or length
 	  - uses register local variables
 	  This feature requires gcc version 4.9 or above, or a distribution
 	  gcc with the feature backported ("-fstack-protector-strong").
 	  On an x86 "defconfig" build, this feature adds canary checks to
 	  about 20% of all kernel functions, which increases the kernel code
 	  size by about 2%.
 endchoice
 config HAVE_CONTEXT_TRACKING
 	bool
 	help
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@ -30,6 +30,7 @@ config ARM
 	select HAVE_BPF_JIT
 	select HAVE_CONTEXT_TRACKING
 	select HAVE_C_RECORDMCOUNT
 	select HAVE_CC_STACKPROTECTOR
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_API_DEBUG
 	select HAVE_DMA_ATTRS
@ -1856,18 +1857,6 @@ config SECCOMP
 	  and the task is only allowed to execute a few safe syscalls
 	  defined by each seccomp mode.
 config CC_STACKPROTECTOR
 	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
 	help
 	  This option turns on the -fstack-protector GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
 	  overflows (that need to overwrite this return address) now also
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 	  This feature requires gcc version 4.2 or above.
 config SWIOTLB
 	def_bool y
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@ -40,10 +40,6 @@ ifeq ($(CONFIG_FRAME_POINTER),y)
 KBUILD_CFLAGS	+=-fno-omit-frame-pointer -mapcs -mno-sched-prolog
 endif
 ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
 KBUILD_CFLAGS	+=-fstack-protector
 endif
 ifeq ($(CONFIG_CPU_BIG_ENDIAN),y)
 KBUILD_CPPFLAGS	+= -mbig-endian
 AS		+= -EB
--- a/arch/arm/boot/compressed/misc.c
+++ b/arch/arm/boot/compressed/misc.c
@ -127,6 +127,18 @@ asmlinkage void __div0(void)
 	error("Attempting division by 0!");
 }
 unsigned long __stack_chk_guard;
 void __stack_chk_guard_setup(void)
 {
 	__stack_chk_guard = 0x000a0dff;
 }
 void __stack_chk_fail(void)
 {
 	error("stack-protector: Kernel stack is corrupted\n");
 }
 extern int do_decompress(u8 *input, int len, u8 *output, void (*error)(char *x));
@ -137,6 +149,8 @@ decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
 {
 	int ret;
 	__stack_chk_guard_setup();
 	output_data		= (unsigned char *)output_start;
 	free_mem_ptr		= free_mem_ptr_p;
 	free_mem_end_ptr	= free_mem_ptr_end_p;
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@ -47,6 +47,7 @@ config MIPS
 	select MODULES_USE_ELF_RELA if MODULES && 64BIT
 	select CLONE_BACKWARDS
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_CC_STACKPROTECTOR
 menu "Machine selection"
@ -2322,19 +2323,6 @@ config SECCOMP
 	  If unsure, say Y. Only embedded should say N here.
 config CC_STACKPROTECTOR
 	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
 	help
 	  This option turns on the -fstack-protector GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
 	  overflows (that need to overwrite this return address) now also
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 	  This feature requires gcc version 4.2 or above.
 config USE_OF
 	bool
 	select OF
--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@ -232,10 +232,6 @@ bootvars-y	= VMLINUX_LOAD_ADDRESS=$(load-y) \
 LDFLAGS			+= -m $(ld-emul)
 ifdef CONFIG_CC_STACKPROTECTOR
  KBUILD_CFLAGS += -fstack-protector
 endif
 ifdef CONFIG_MIPS
 CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
 	egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@ -66,6 +66,7 @@ config SUPERH32
 	select PERF_EVENTS
 	select ARCH_HIBERNATION_POSSIBLE if MMU
 	select SPARSE_IRQ
 	select HAVE_CC_STACKPROTECTOR
 config SUPERH64
 	def_bool ARCH = "sh64"
@ -695,20 +696,6 @@ config SECCOMP
 	  If unsure, say N.
 config CC_STACKPROTECTOR
 	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
 	depends on SUPERH32
 	help
 	  This option turns on the -fstack-protector GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
 	  overflows (that need to overwrite this return address) now also
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 	  This feature requires gcc version 4.2 or above.
 config SMP
 	bool "Symmetric multi-processing support"
 	depends on SYS_SUPPORTS_SMP
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@ -199,10 +199,6 @@ ifeq ($(CONFIG_DWARF_UNWINDER),y)
  KBUILD_CFLAGS += -fasynchronous-unwind-tables
 endif
 ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
  KBUILD_CFLAGS += -fstack-protector
 endif
 libs-$(CONFIG_SUPERH32)		:= arch/sh/lib/	$(libs-y)
 libs-$(CONFIG_SUPERH64)		:= arch/sh/lib64/ $(libs-y)
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@ -125,6 +125,7 @@ config X86
 	select RTC_LIB
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
 config INSTRUCTION_DECODER
 	def_bool y
@ -1617,22 +1618,6 @@ config SECCOMP
 	  If unsure, say Y. Only embedded should say N here.
 config CC_STACKPROTECTOR
 	bool "Enable -fstack-protector buffer overflow detection"
 	---help---
 	  This option turns on the -fstack-protector GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
 	  overflows (that need to overwrite this return address) now also
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 	  This feature requires gcc version 4.2 or above, or a distribution
 	  gcc with the feature backported. Older versions are automatically
 	  detected and for those versions, this configuration option is
 	  ignored. (and a warning is printed during bootup)
 source kernel/Kconfig.hz
 config KEXEC
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@ -89,13 +89,11 @@ else
        KBUILD_CFLAGS += -maccumulate-outgoing-args
 endif
 # Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
 	cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-        ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
+        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
-                stackp-y := -fstack-protector
+                $(warning stack-protector enabled but compiler support broken)
                KBUILD_CFLAGS += $(stackp-y)
        else
                $(warning stack protector enabled but no compiler support)
        endif
 endif