From: Kees Cook <kees@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <kees@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-kbuild@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
linux-doc@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
kvmarm@lists.linux.dev, linux-riscv@lists.infradead.org,
linux-s390@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
llvm@lists.linux.dev
Subject: [PATCH 6/8] stackleak: Support Clang stack depth tracking
Date: Wed, 7 May 2025 11:16:12 -0700 [thread overview]
Message-ID: <20250507181615.1947159-6-kees@kernel.org> (raw)
In-Reply-To: <20250507180852.work.231-kees@kernel.org>
Wire up CONFIG_STACKLEAK to Clang 21's new stack depth tracking
callback[1] option.
Link: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth [1]
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nicolas Schier <nicolas.schier@linux.dev>
Cc: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: <linux-kbuild@vger.kernel.org>
Cc: <kasan-dev@googlegroups.com>
Cc: <linux-hardening@vger.kernel.org>
---
security/Kconfig.hardening | 5 ++++-
scripts/Makefile.stackleak | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 2be6aed71c92..94aa8612c4e4 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
+config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
+ def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
+
config STACKLEAK
bool "Poison kernel stack before returning from syscalls"
depends on HAVE_ARCH_STACKLEAK
- depends on GCC_PLUGINS
+ depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
help
This option makes the kernel erase the kernel stack before
returning from system calls. This has the effect of leaving
diff --git a/scripts/Makefile.stackleak b/scripts/Makefile.stackleak
index 1db0835b29d4..639cc32bcd1d 100644
--- a/scripts/Makefile.stackleak
+++ b/scripts/Makefile.stackleak
@@ -8,6 +8,12 @@ stackleak-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) += -fplugin-arg-stacklea
DISABLE_STACKLEAK := -fplugin-arg-stackleak_plugin-disable
endif
+ifdef CONFIG_CC_IS_CLANG
+stackleak-cflags-y += -fsanitize-coverage=stack-depth
+stackleak-cflags-y += -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
+DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth
+endif
+
STACKLEAK_CFLAGS := $(stackleak-cflags-y)
export STACKLEAK_CFLAGS DISABLE_STACKLEAK
--
2.34.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <kees@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <kees@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-kbuild@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
linux-doc@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
kvmarm@lists.linux.dev, linux-riscv@lists.infradead.org,
linux-s390@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
llvm@lists.linux.dev
Subject: [PATCH 6/8] stackleak: Support Clang stack depth tracking
Date: Wed, 7 May 2025 11:16:12 -0700 [thread overview]
Message-ID: <20250507181615.1947159-6-kees@kernel.org> (raw)
In-Reply-To: <20250507180852.work.231-kees@kernel.org>
Wire up CONFIG_STACKLEAK to Clang 21's new stack depth tracking
callback[1] option.
Link: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth [1]
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nicolas Schier <nicolas.schier@linux.dev>
Cc: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: <linux-kbuild@vger.kernel.org>
Cc: <kasan-dev@googlegroups.com>
Cc: <linux-hardening@vger.kernel.org>
---
security/Kconfig.hardening | 5 ++++-
scripts/Makefile.stackleak | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 2be6aed71c92..94aa8612c4e4 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
+config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
+ def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
+
config STACKLEAK
bool "Poison kernel stack before returning from syscalls"
depends on HAVE_ARCH_STACKLEAK
- depends on GCC_PLUGINS
+ depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
help
This option makes the kernel erase the kernel stack before
returning from system calls. This has the effect of leaving
diff --git a/scripts/Makefile.stackleak b/scripts/Makefile.stackleak
index 1db0835b29d4..639cc32bcd1d 100644
--- a/scripts/Makefile.stackleak
+++ b/scripts/Makefile.stackleak
@@ -8,6 +8,12 @@ stackleak-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) += -fplugin-arg-stacklea
DISABLE_STACKLEAK := -fplugin-arg-stackleak_plugin-disable
endif
+ifdef CONFIG_CC_IS_CLANG
+stackleak-cflags-y += -fsanitize-coverage=stack-depth
+stackleak-cflags-y += -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
+DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth
+endif
+
STACKLEAK_CFLAGS := $(stackleak-cflags-y)
export STACKLEAK_CFLAGS DISABLE_STACKLEAK
--
2.34.1
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-05-07 18:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-07 18:16 [PATCH 0/8] stackleak: Support Clang stack depth tracking Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 1/8] nvme-pci: Make nvme_pci_npages_prp() __always_inline Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:22 ` Keith Busch
2025-05-07 18:22 ` Keith Busch
2025-05-07 18:16 ` [PATCH 2/8] init.h: Disable sanitizer coverage for __init and __head Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-08 12:22 ` Marco Elver
2025-05-08 12:22 ` Marco Elver
2025-05-08 12:25 ` Dmitry Vyukov
2025-05-08 12:25 ` Dmitry Vyukov
2025-05-14 0:55 ` kernel test robot
2025-05-07 18:16 ` [PATCH 3/8] stackleak: Rename CONFIG_GCC_PLUGIN_STACKLEAK to CONFIG_STACKLEAK Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:45 ` Ingo Molnar
2025-05-07 18:45 ` Ingo Molnar
2025-05-07 19:36 ` Kees Cook
2025-05-07 19:36 ` Kees Cook
2025-05-07 19:39 ` Ingo Molnar
2025-05-07 19:39 ` Ingo Molnar
2025-05-07 18:16 ` [PATCH 4/8] stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 5/8] stackleak: Split STACKLEAK_CFLAGS from GCC_PLUGINS_CFLAGS Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` Kees Cook [this message]
2025-05-07 18:16 ` [PATCH 6/8] stackleak: Support Clang stack depth tracking Kees Cook
2025-05-07 18:16 ` [PATCH 7/8] configs/hardening: Enable CONFIG_STACKLEAK Kees Cook
2025-05-07 18:16 ` Kees Cook
2025-05-07 18:16 ` [PATCH 8/8] configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON Kees Cook
2025-05-07 18:16 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250507181615.1947159-6-kees@kernel.org \
--to=kees@kernel.org \
--cc=andreyknvl@gmail.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=elver@google.com \
--cc=gustavoars@kernel.org \
--cc=hch@lst.de \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas.schier@linux.dev \
--cc=ryabinin.a.a@gmail.com \
--cc=sparclinux@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.