From: Kees Cook <kees@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Christoph Hellwig <hch@lst.de>, Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
kasan-dev@googlegroups.com, linux-doc@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
linux-efi@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-kbuild@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
llvm@lists.linux.dev
Subject: [PATCH 0/8] stackleak: Support Clang stack depth tracking
Date: Wed, 7 May 2025 11:16:06 -0700 [thread overview]
Message-ID: <20250507180852.work.231-kees@kernel.org> (raw)
Hi,
As part of looking at what GCC plugins could be replaced with Clang
implementations, this series uses the recently landed stack depth tracking
callback in Clang[1] to implement the stackleak feature. Since the Clang
feature is now landed, I'm moving this out of RFC to a v1.
Since this touches a lot of arch-specific Makefiles, I tried to trim
the CC list down to just mailing lists in those cases, otherwise the CC
was giant.
Thanks!
-Kees
[1] https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth
v1:
- Finalize Clang URLs for landed feature
- Perform CFLAGS enabling more sanely, as done for randstruct
- Split __no_sanitize_coverage into separate patch
- Update hardening.config and MAINTAINERS
- Fix bug found with nvme tree
RFC: https://lore.kernel.org/lkml/20250502185834.work.560-kees@kernel.org/
Kees Cook (8):
nvme-pci: Make nvme_pci_npages_prp() __always_inline
init.h: Disable sanitizer coverage for __init and __head
stackleak: Rename CONFIG_GCC_PLUGIN_STACKLEAK to CONFIG_STACKLEAK
stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth
stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS
stackleak: Support Clang stack depth tracking
configs/hardening: Enable CONFIG_STACKLEAK
configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON
security/Kconfig.hardening | 25 ++++++----
Makefile | 1 +
arch/arm/boot/compressed/Makefile | 2 +-
arch/arm/vdso/Makefile | 2 +-
arch/arm64/kernel/pi/Makefile | 2 +-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/arm64/kvm/hyp/nvhe/Makefile | 2 +-
arch/riscv/kernel/pi/Makefile | 2 +-
arch/riscv/purgatory/Makefile | 2 +-
arch/sparc/vdso/Makefile | 3 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/purgatory/Makefile | 2 +-
drivers/firmware/efi/libstub/Makefile | 6 +--
kernel/Makefile | 4 +-
lib/Makefile | 2 +-
scripts/Makefile.gcc-plugins | 16 +------
scripts/Makefile.stackleak | 21 +++++++++
scripts/gcc-plugins/stackleak_plugin.c | 52 ++++++++++-----------
Documentation/admin-guide/sysctl/kernel.rst | 2 +-
Documentation/security/self-protection.rst | 2 +-
arch/x86/entry/calling.h | 4 +-
arch/x86/include/asm/init.h | 2 +-
include/linux/init.h | 4 +-
include/linux/sched.h | 4 +-
include/linux/stackleak.h | 6 +--
arch/arm/kernel/entry-common.S | 2 +-
arch/arm64/kernel/entry.S | 2 +-
arch/riscv/kernel/entry.S | 2 +-
arch/s390/kernel/entry.S | 2 +-
drivers/misc/lkdtm/stackleak.c | 8 ++--
drivers/nvme/host/pci.c | 2 +-
kernel/stackleak.c | 4 +-
tools/objtool/check.c | 2 +-
tools/testing/selftests/lkdtm/config | 2 +-
MAINTAINERS | 6 ++-
kernel/configs/hardening.config | 6 +++
36 files changed, 122 insertions(+), 90 deletions(-)
create mode 100644 scripts/Makefile.stackleak
--
2.34.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <kees@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Christoph Hellwig <hch@lst.de>, Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
kasan-dev@googlegroups.com, linux-doc@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
linux-efi@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-kbuild@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
llvm@lists.linux.dev
Subject: [PATCH 0/8] stackleak: Support Clang stack depth tracking
Date: Wed, 7 May 2025 11:16:06 -0700 [thread overview]
Message-ID: <20250507180852.work.231-kees@kernel.org> (raw)
Hi,
As part of looking at what GCC plugins could be replaced with Clang
implementations, this series uses the recently landed stack depth tracking
callback in Clang[1] to implement the stackleak feature. Since the Clang
feature is now landed, I'm moving this out of RFC to a v1.
Since this touches a lot of arch-specific Makefiles, I tried to trim
the CC list down to just mailing lists in those cases, otherwise the CC
was giant.
Thanks!
-Kees
[1] https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth
v1:
- Finalize Clang URLs for landed feature
- Perform CFLAGS enabling more sanely, as done for randstruct
- Split __no_sanitize_coverage into separate patch
- Update hardening.config and MAINTAINERS
- Fix bug found with nvme tree
RFC: https://lore.kernel.org/lkml/20250502185834.work.560-kees@kernel.org/
Kees Cook (8):
nvme-pci: Make nvme_pci_npages_prp() __always_inline
init.h: Disable sanitizer coverage for __init and __head
stackleak: Rename CONFIG_GCC_PLUGIN_STACKLEAK to CONFIG_STACKLEAK
stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth
stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS
stackleak: Support Clang stack depth tracking
configs/hardening: Enable CONFIG_STACKLEAK
configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON
security/Kconfig.hardening | 25 ++++++----
Makefile | 1 +
arch/arm/boot/compressed/Makefile | 2 +-
arch/arm/vdso/Makefile | 2 +-
arch/arm64/kernel/pi/Makefile | 2 +-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/arm64/kvm/hyp/nvhe/Makefile | 2 +-
arch/riscv/kernel/pi/Makefile | 2 +-
arch/riscv/purgatory/Makefile | 2 +-
arch/sparc/vdso/Makefile | 3 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/purgatory/Makefile | 2 +-
drivers/firmware/efi/libstub/Makefile | 6 +--
kernel/Makefile | 4 +-
lib/Makefile | 2 +-
scripts/Makefile.gcc-plugins | 16 +------
scripts/Makefile.stackleak | 21 +++++++++
scripts/gcc-plugins/stackleak_plugin.c | 52 ++++++++++-----------
Documentation/admin-guide/sysctl/kernel.rst | 2 +-
Documentation/security/self-protection.rst | 2 +-
arch/x86/entry/calling.h | 4 +-
arch/x86/include/asm/init.h | 2 +-
include/linux/init.h | 4 +-
include/linux/sched.h | 4 +-
include/linux/stackleak.h | 6 +--
arch/arm/kernel/entry-common.S | 2 +-
arch/arm64/kernel/entry.S | 2 +-
arch/riscv/kernel/entry.S | 2 +-
arch/s390/kernel/entry.S | 2 +-
drivers/misc/lkdtm/stackleak.c | 8 ++--
drivers/nvme/host/pci.c | 2 +-
kernel/stackleak.c | 4 +-
tools/objtool/check.c | 2 +-
tools/testing/selftests/lkdtm/config | 2 +-
MAINTAINERS | 6 ++-
kernel/configs/hardening.config | 6 +++
36 files changed, 122 insertions(+), 90 deletions(-)
create mode 100644 scripts/Makefile.stackleak
--
2.34.1
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next reply other threads:[~2025-05-07 18:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-07 18:16 Kees Cook [this message]
2025-05-07 18:16 ` [PATCH 0/8] stackleak: Support Clang stack depth tracking Kees Cook
2025-05-07 18:16 ` [PATCH 1/8] nvme-pci: Make nvme_pci_npages_prp() __always_inline Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:22 ` Keith Busch
2025-05-07 18:22 ` Keith Busch
2025-05-07 18:16 ` [PATCH 2/8] init.h: Disable sanitizer coverage for __init and __head Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-08 12:22 ` Marco Elver
2025-05-08 12:22 ` Marco Elver
2025-05-08 12:25 ` Dmitry Vyukov
2025-05-08 12:25 ` Dmitry Vyukov
2025-05-14 0:55 ` kernel test robot
2025-05-07 18:16 ` [PATCH 3/8] stackleak: Rename CONFIG_GCC_PLUGIN_STACKLEAK to CONFIG_STACKLEAK Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:45 ` Ingo Molnar
2025-05-07 18:45 ` Ingo Molnar
2025-05-07 19:36 ` Kees Cook
2025-05-07 19:36 ` Kees Cook
2025-05-07 19:39 ` Ingo Molnar
2025-05-07 19:39 ` Ingo Molnar
2025-05-07 18:16 ` [PATCH 4/8] stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 5/8] stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 6/8] stackleak: Support Clang stack depth tracking Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 7/8] configs/hardening: Enable CONFIG_STACKLEAK Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 8/8] configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON Kees Cook
2025-05-07 18:16 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250507180852.work.231-kees@kernel.org \
--to=kees@kernel.org \
--cc=andreyknvl@gmail.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=elver@google.com \
--cc=gustavoars@kernel.org \
--cc=hch@lst.de \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas.schier@linux.dev \
--cc=ryabinin.a.a@gmail.com \
--cc=sparclinux@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.