mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-13 22:14:20 +08:00
2bb995405f
- And scalar and array initialization coverage - Refactor Kconfig to make options more clear - Add self-test module for testing automatic initialization -----BEGIN PGP SIGNATURE----- Comment: Kees Cook <kees@outflux.net> iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlx9YaIWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJuJ3D/93rm0lxwlokyZH7ik//G8ha6c/ eH2EelxybyHeK39syY6TG1KeSP1LhvvyHrhuJMnMHfvd7wHJrMyIWZWhbqLTk/+e CzrlFg0gbeLacmT5+mwSiyl+iZgpwREyHI96R6cW1AQC/gCh4d828uRKsDB2btGg 89h6F4vp2AmjbEJgdembPHk8RmdrhStbqxc53WON1217huC8f1fmLsTpPlBSJHV5 AZFjbmG5bSoWbRD/0NnsKbctO1XTE+WBvZPAWhCqhTjIVL2a/k0OybvlJw26mcmV zKOj35uzZ5S6ZBSd23EsAlJNzC9LO2sLQdT+iX9sBKeRqfdcoP7eoeM4KXsXzSHD gQ2zcSqYEyNSxJWxtdOX02Yx8rowHAcFB3ZIxK/dN91JAVhF22EAkeenT8Uus0SB NkIkp70bHaAscvJ18Ahdkd7GOCk06BWyb/K4Lejy9TBMGXFztZRIHg1YwLiYlSiW RNr0STU+vcK56v4sixcNeeLKFVIcne4RbBlaJMv5y5PygVuN3xZTGsg2lhvJNnHA EwsPV6D8fx5U8w0taX+U/5IpigIIxfLQU6VTnjydDk1EScpXLy4JCFqE4N9aksqy F9PfrP3XXuwULyNd/cRxhHVwyXoQA6xaMZ4Sf4Sp7YHfxMRIWlN/aYfZFanvxQMA HJaoHZfjLt/NKCI3JQ== =6iu3 -----END PGP SIGNATURE----- Merge tag 'gcc-plugins-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull gcc-plugins updates from Kees Cook: "This adds additional type coverage to the existing structleak plugin and adds a large set of selftests to help evaluate stack variable zero-initialization coverage. That can be used to test whatever instrumentation might be performing zero-initialization: either with the structleak plugin or with Clang's coming "-ftrivial-auto-var-init=zero" option. Summary: - Add scalar and array initialization coverage - Refactor Kconfig to make options more clear - Add self-test module for testing automatic initialization" * tag 'gcc-plugins-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lib: Introduce test_stackinit module gcc-plugins: structleak: Generalize to all variable types
230 lines
8.3 KiB
Plaintext
230 lines
8.3 KiB
Plaintext
preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))
|
|
|
|
config PLUGIN_HOSTCC
|
|
string
|
|
default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
|
|
help
|
|
Host compiler used to build GCC plugins. This can be $(HOSTCXX),
|
|
$(HOSTCC), or a null string if GCC plugin is unsupported.
|
|
|
|
config HAVE_GCC_PLUGINS
|
|
bool
|
|
help
|
|
An arch should select this symbol if it supports building with
|
|
GCC plugins.
|
|
|
|
menuconfig GCC_PLUGINS
|
|
bool "GCC plugins"
|
|
depends on HAVE_GCC_PLUGINS
|
|
depends on PLUGIN_HOSTCC != ""
|
|
help
|
|
GCC plugins are loadable modules that provide extra features to the
|
|
compiler. They are useful for runtime instrumentation and static analysis.
|
|
|
|
See Documentation/gcc-plugins.txt for details.
|
|
|
|
if GCC_PLUGINS
|
|
|
|
config GCC_PLUGIN_CYC_COMPLEXITY
|
|
bool "Compute the cyclomatic complexity of a function" if EXPERT
|
|
depends on !COMPILE_TEST # too noisy
|
|
help
|
|
The complexity M of a function's control flow graph is defined as:
|
|
M = E - N + 2P
|
|
where
|
|
|
|
E = the number of edges
|
|
N = the number of nodes
|
|
P = the number of connected components (exit nodes).
|
|
|
|
Enabling this plugin reports the complexity to stderr during the
|
|
build. It mainly serves as a simple example of how to create a
|
|
gcc plugin for the kernel.
|
|
|
|
config GCC_PLUGIN_SANCOV
|
|
bool
|
|
help
|
|
This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
|
|
basic blocks. It supports all gcc versions with plugin support (from
|
|
gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
|
|
by Dmitry Vyukov <dvyukov@google.com>.
|
|
|
|
config GCC_PLUGIN_LATENT_ENTROPY
|
|
bool "Generate some entropy during boot and runtime"
|
|
help
|
|
By saying Y here the kernel will instrument some kernel code to
|
|
extract some entropy from both original and artificially created
|
|
program state. This will help especially embedded systems where
|
|
there is little 'natural' source of entropy normally. The cost
|
|
is some slowdown of the boot process (about 0.5%) and fork and
|
|
irq processing.
|
|
|
|
Note that entropy extracted this way is not cryptographically
|
|
secure!
|
|
|
|
This plugin was ported from grsecurity/PaX. More information at:
|
|
* https://grsecurity.net/
|
|
* https://pax.grsecurity.net/
|
|
|
|
config GCC_PLUGIN_STRUCTLEAK
|
|
bool "Zero initialize stack variables"
|
|
help
|
|
While the kernel is built with warnings enabled for any missed
|
|
stack variable initializations, this warning is silenced for
|
|
anything passed by reference to another function, under the
|
|
occasionally misguided assumption that the function will do
|
|
the initialization. As this regularly leads to exploitable
|
|
flaws, this plugin is available to identify and zero-initialize
|
|
such variables, depending on the chosen level of coverage.
|
|
|
|
This plugin was originally ported from grsecurity/PaX. More
|
|
information at:
|
|
* https://grsecurity.net/
|
|
* https://pax.grsecurity.net/
|
|
|
|
choice
|
|
prompt "Coverage"
|
|
depends on GCC_PLUGIN_STRUCTLEAK
|
|
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
|
help
|
|
This chooses the level of coverage over classes of potentially
|
|
uninitialized variables. The selected class will be
|
|
zero-initialized before use.
|
|
|
|
config GCC_PLUGIN_STRUCTLEAK_USER
|
|
bool "structs marked for userspace"
|
|
help
|
|
Zero-initialize any structures on the stack containing
|
|
a __user attribute. This can prevent some classes of
|
|
uninitialized stack variable exploits and information
|
|
exposures, like CVE-2013-2141:
|
|
https://git.kernel.org/linus/b9e146d8eb3b9eca
|
|
|
|
config GCC_PLUGIN_STRUCTLEAK_BYREF
|
|
bool "structs passed by reference"
|
|
help
|
|
Zero-initialize any structures on the stack that may
|
|
be passed by reference and had not already been
|
|
explicitly initialized. This can prevent most classes
|
|
of uninitialized stack variable exploits and information
|
|
exposures, like CVE-2017-1000410:
|
|
https://git.kernel.org/linus/06e7e776ca4d3654
|
|
|
|
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
|
bool "anything passed by reference"
|
|
help
|
|
Zero-initialize any stack variables that may be passed
|
|
by reference and had not already been explicitly
|
|
initialized. This is intended to eliminate all classes
|
|
of uninitialized stack variable exploits and information
|
|
exposures.
|
|
|
|
endchoice
|
|
|
|
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
|
bool "Report forcefully initialized variables"
|
|
depends on GCC_PLUGIN_STRUCTLEAK
|
|
depends on !COMPILE_TEST # too noisy
|
|
help
|
|
This option will cause a warning to be printed each time the
|
|
structleak plugin finds a variable it thinks needs to be
|
|
initialized. Since not all existing initializers are detected
|
|
by the plugin, this can produce false positive warnings.
|
|
|
|
config GCC_PLUGIN_RANDSTRUCT
|
|
bool "Randomize layout of sensitive kernel structures"
|
|
select MODVERSIONS if MODULES
|
|
help
|
|
If you say Y here, the layouts of structures that are entirely
|
|
function pointers (and have not been manually annotated with
|
|
__no_randomize_layout), or structures that have been explicitly
|
|
marked with __randomize_layout, will be randomized at compile-time.
|
|
This can introduce the requirement of an additional information
|
|
exposure vulnerability for exploits targeting these structure
|
|
types.
|
|
|
|
Enabling this feature will introduce some performance impact,
|
|
slightly increase memory usage, and prevent the use of forensic
|
|
tools like Volatility against the system (unless the kernel
|
|
source tree isn't cleaned after kernel installation).
|
|
|
|
The seed used for compilation is located at
|
|
scripts/gcc-plgins/randomize_layout_seed.h. It remains after
|
|
a make clean to allow for external modules to be compiled with
|
|
the existing seed and will be removed by a make mrproper or
|
|
make distclean.
|
|
|
|
Note that the implementation requires gcc 4.7 or newer.
|
|
|
|
This plugin was ported from grsecurity/PaX. More information at:
|
|
* https://grsecurity.net/
|
|
* https://pax.grsecurity.net/
|
|
|
|
config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
|
|
bool "Use cacheline-aware structure randomization"
|
|
depends on GCC_PLUGIN_RANDSTRUCT
|
|
depends on !COMPILE_TEST # do not reduce test coverage
|
|
help
|
|
If you say Y here, the RANDSTRUCT randomization will make a
|
|
best effort at restricting randomization to cacheline-sized
|
|
groups of elements. It will further not randomize bitfields
|
|
in structures. This reduces the performance hit of RANDSTRUCT
|
|
at the cost of weakened randomization.
|
|
|
|
config GCC_PLUGIN_STACKLEAK
|
|
bool "Erase the kernel stack before returning from syscalls"
|
|
depends on GCC_PLUGINS
|
|
depends on HAVE_ARCH_STACKLEAK
|
|
help
|
|
This option makes the kernel erase the kernel stack before
|
|
returning from system calls. That reduces the information which
|
|
kernel stack leak bugs can reveal and blocks some uninitialized
|
|
stack variable attacks.
|
|
|
|
The tradeoff is the performance impact: on a single CPU system kernel
|
|
compilation sees a 1% slowdown, other systems and workloads may vary
|
|
and you are advised to test this feature on your expected workload
|
|
before deploying it.
|
|
|
|
This plugin was ported from grsecurity/PaX. More information at:
|
|
* https://grsecurity.net/
|
|
* https://pax.grsecurity.net/
|
|
|
|
config STACKLEAK_TRACK_MIN_SIZE
|
|
int "Minimum stack frame size of functions tracked by STACKLEAK"
|
|
default 100
|
|
range 0 4096
|
|
depends on GCC_PLUGIN_STACKLEAK
|
|
help
|
|
The STACKLEAK gcc plugin instruments the kernel code for tracking
|
|
the lowest border of the kernel stack (and for some other purposes).
|
|
It inserts the stackleak_track_stack() call for the functions with
|
|
a stack frame size greater than or equal to this parameter.
|
|
If unsure, leave the default value 100.
|
|
|
|
config STACKLEAK_METRICS
|
|
bool "Show STACKLEAK metrics in the /proc file system"
|
|
depends on GCC_PLUGIN_STACKLEAK
|
|
depends on PROC_FS
|
|
help
|
|
If this is set, STACKLEAK metrics for every task are available in
|
|
the /proc file system. In particular, /proc/<pid>/stack_depth
|
|
shows the maximum kernel stack consumption for the current and
|
|
previous syscalls. Although this information is not precise, it
|
|
can be useful for estimating the STACKLEAK performance impact for
|
|
your workloads.
|
|
|
|
config STACKLEAK_RUNTIME_DISABLE
|
|
bool "Allow runtime disabling of kernel stack erasing"
|
|
depends on GCC_PLUGIN_STACKLEAK
|
|
help
|
|
This option provides 'stack_erasing' sysctl, which can be used in
|
|
runtime to control kernel stack erasing for kernels built with
|
|
CONFIG_GCC_PLUGIN_STACKLEAK.
|
|
|
|
config GCC_PLUGIN_ARM_SSP_PER_TASK
|
|
bool
|
|
depends on GCC_PLUGINS && ARM
|
|
|
|
endif
|