CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Jann Horn]

I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
of CONFIG_GCC_PLUGIN_RANDSTRUCT.

CONFIG_GCC_PLUGIN_RANDSTRUCT randomizes the layout of (some)
kernel-internal structs, which AFAIK is intended to make exploitation
harder in two ways:
1) by ensuring that an attacker can't use a single exploit relying on
specific structure offsets against every target
2) by keeping structure offsets secret from the attacker, so that the
attacker can't rely on knowledge of structure offsets even when trying
to exploit a specific target - only relevant for the few people who
build their kernel themselves (since nobody was crazy enough to
implement generating relocations for structure offsets so far).

When CONFIG_DEBUG_INFO_BTF is on, the kernel exposes the layouts of
kernel structures via the mode-0444 file /sys/kernel/btf/vmlinux, so a
local attacker can easily see structure offsets, defeating part 2.

I wonder whether these kconfig knobs should be mutually exclusive, or
whether /sys/kernel/btf/vmlinux should have a different mode, or
something like that.

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Alexei Starovoitov]

On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
>
> I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> of CONFIG_GCC_PLUGIN_RANDSTRUCT.

Is it a theoretical stmt or you have data?
I think it's the other way around.
gcc-plugin breaks dwarf and breaks btf.
But I only looked at gcc patches without applying them.

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Jann Horn]

On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> >
> > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
>
> Is it a theoretical stmt or you have data?
> I think it's the other way around.
> gcc-plugin breaks dwarf and breaks btf.
> But I only looked at gcc patches without applying them.

Ah, interesting - I haven't actually tested it, I just assumed
(perhaps incorrectly) that the GCC plugin would deal with DWARF info
properly.

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Kees Cook]

On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
> On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> > On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> > >
> > > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
> >
> > Is it a theoretical stmt or you have data?
> > I think it's the other way around.
> > gcc-plugin breaks dwarf and breaks btf.
> > But I only looked at gcc patches without applying them.
> 
> Ah, interesting - I haven't actually tested it, I just assumed
> (perhaps incorrectly) that the GCC plugin would deal with DWARF info
> properly.

Yeah, GCC appears to create DWARF before the plugin does the
randomization[1], so it's not an exposure, but yes, struct randomization
is pretty completely incompatible with a bunch of things in the kernel
(by design). I'm happy to add negative "depends" in the Kconfig if it
helps clarify anything.

-Kees

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052

-- 
Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Daniel Borkmann]

On 3/30/20 7:20 PM, Kees Cook wrote:
> On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
>> On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
>> <alexei.starovoitov@gmail.com> wrote:
>>> On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
>>>>
>>>> I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
>>>> of CONFIG_GCC_PLUGIN_RANDSTRUCT.
>>>
>>> Is it a theoretical stmt or you have data?
>>> I think it's the other way around.
>>> gcc-plugin breaks dwarf and breaks btf.
>>> But I only looked at gcc patches without applying them.
>>
>> Ah, interesting - I haven't actually tested it, I just assumed
>> (perhaps incorrectly) that the GCC plugin would deal with DWARF info
>> properly.
> 
> Yeah, GCC appears to create DWARF before the plugin does the
> randomization[1], so it's not an exposure, but yes, struct randomization
> is pretty completely incompatible with a bunch of things in the kernel
> (by design). I'm happy to add negative "depends" in the Kconfig if it
> helps clarify anything.

Is this expected to get fixed at some point wrt DWARF? Perhaps would make
sense then to add a negative "depends" for both DWARF and BTF if the option
GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.

Thanks,
Daniel

> -Kees
> 
> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052
> 

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Kees Cook]

On Tue, Mar 31, 2020 at 12:41:04AM +0200, Daniel Borkmann wrote:
> On 3/30/20 7:20 PM, Kees Cook wrote:
> > On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
> > > On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
> > > <alexei.starovoitov@gmail.com> wrote:
> > > > On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> > > > > 
> > > > > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > > > > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
> > > > 
> > > > Is it a theoretical stmt or you have data?
> > > > I think it's the other way around.
> > > > gcc-plugin breaks dwarf and breaks btf.
> > > > But I only looked at gcc patches without applying them.
> > > 
> > > Ah, interesting - I haven't actually tested it, I just assumed
> > > (perhaps incorrectly) that the GCC plugin would deal with DWARF info
> > > properly.
> > 
> > Yeah, GCC appears to create DWARF before the plugin does the
> > randomization[1], so it's not an exposure, but yes, struct randomization
> > is pretty completely incompatible with a bunch of things in the kernel
> > (by design). I'm happy to add negative "depends" in the Kconfig if it
> > helps clarify anything.
> 
> Is this expected to get fixed at some point wrt DWARF? Perhaps would make

No, gcc closed the issue as "won't fix".

> sense then to add a negative "depends" for both DWARF and BTF if the option
> GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.

I hadn't just to keep wider randconfig build test coverage. That said, I
could make it be: depends COMPILE_TEST || !DWARF ...

I can certainly do that.

-Kees

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052

-- 
Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Andrii Nakryiko]

On Tue, Mar 31, 2020 at 11:12 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Mar 31, 2020 at 12:41:04AM +0200, Daniel Borkmann wrote:
> > On 3/30/20 7:20 PM, Kees Cook wrote:
> > > On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
> > > > On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
> > > > <alexei.starovoitov@gmail.com> wrote:
> > > > > On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> > > > > >
> > > > > > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > > > > > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
> > > > >
> > > > > Is it a theoretical stmt or you have data?
> > > > > I think it's the other way around.
> > > > > gcc-plugin breaks dwarf and breaks btf.
> > > > > But I only looked at gcc patches without applying them.
> > > >
> > > > Ah, interesting - I haven't actually tested it, I just assumed
> > > > (perhaps incorrectly) that the GCC plugin would deal with DWARF info
> > > > properly.
> > >
> > > Yeah, GCC appears to create DWARF before the plugin does the
> > > randomization[1], so it's not an exposure, but yes, struct randomization
> > > is pretty completely incompatible with a bunch of things in the kernel
> > > (by design). I'm happy to add negative "depends" in the Kconfig if it
> > > helps clarify anything.
> >
> > Is this expected to get fixed at some point wrt DWARF? Perhaps would make
>
> No, gcc closed the issue as "won't fix".
>
> > sense then to add a negative "depends" for both DWARF and BTF if the option
> > GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.
>
> I hadn't just to keep wider randconfig build test coverage. That said, I
> could make it be: depends COMPILE_TEST || !DWARF ...
>
> I can certainly do that.

I've asked Slava in [0] to disable all three known configs that break
DWARF and subsequently BTF, I hope it's ok to just do it in one patch.
Currently all these appear to result in invalid BTF due to various
DWARF modifications:

  - DEBUG_INFO_REDUCED (see [1])
  - DEBUG_INFO_SPLIT (see [0]
  - GCC_PLUGIN_RANDSTRUCT (this discussion).

  [0] https://lore.kernel.org/bpf/CAEf4BzadnfAwfa1D0jZb=01Ou783GpK_U7PAYeEJca-L9kdnVA@mail.gmail.com/
  [1] https://lore.kernel.org/bpf/CAEf4BzZri8KpwLcoPgjiVx_=QmJ2W9UzBkDqSO2rUWMzWogkKg@mail.gmail.com/


>
> -Kees
>
> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052
>
> --
> Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Kees Cook]

On Tue, Mar 31, 2020 at 12:50:07PM -0700, Andrii Nakryiko wrote:
> On Tue, Mar 31, 2020 at 11:12 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Tue, Mar 31, 2020 at 12:41:04AM +0200, Daniel Borkmann wrote:
> > > On 3/30/20 7:20 PM, Kees Cook wrote:
> > > > On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
> > > > > On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
> > > > > <alexei.starovoitov@gmail.com> wrote:
> > > > > > On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> > > > > > >
> > > > > > > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > > > > > > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
> > > > > >
> > > > > > Is it a theoretical stmt or you have data?
> > > > > > I think it's the other way around.
> > > > > > gcc-plugin breaks dwarf and breaks btf.
> > > > > > But I only looked at gcc patches without applying them.
> > > > >
> > > > > Ah, interesting - I haven't actually tested it, I just assumed
> > > > > (perhaps incorrectly) that the GCC plugin would deal with DWARF info
> > > > > properly.
> > > >
> > > > Yeah, GCC appears to create DWARF before the plugin does the
> > > > randomization[1], so it's not an exposure, but yes, struct randomization
> > > > is pretty completely incompatible with a bunch of things in the kernel
> > > > (by design). I'm happy to add negative "depends" in the Kconfig if it
> > > > helps clarify anything.
> > >
> > > Is this expected to get fixed at some point wrt DWARF? Perhaps would make
> >
> > No, gcc closed the issue as "won't fix".
> >
> > > sense then to add a negative "depends" for both DWARF and BTF if the option
> > > GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.
> >
> > I hadn't just to keep wider randconfig build test coverage. That said, I
> > could make it be: depends COMPILE_TEST || !DWARF ...
> >
> > I can certainly do that.
> 
> I've asked Slava in [0] to disable all three known configs that break
> DWARF and subsequently BTF, I hope it's ok to just do it in one patch.
> Currently all these appear to result in invalid BTF due to various
> DWARF modifications:
> 
>   - DEBUG_INFO_REDUCED (see [1])
>   - DEBUG_INFO_SPLIT (see [0]
>   - GCC_PLUGIN_RANDSTRUCT (this discussion).
> 
>   [0] https://lore.kernel.org/bpf/CAEf4BzadnfAwfa1D0jZb=01Ou783GpK_U7PAYeEJca-L9kdnVA@mail.gmail.com/
>   [1] https://lore.kernel.org/bpf/CAEf4BzZri8KpwLcoPgjiVx_=QmJ2W9UzBkDqSO2rUWMzWogkKg@mail.gmail.com/

Sure! That'd by fine by me. I'd just like it to be a "|| COMPILE_TEST"
for GCC_PLUGIN_RANDSTRUCT. Feel free to CC me for an Ack. :)

-Kees

> 
> 
> >
> > -Kees
> >
> > [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052
> >
> > --
> > Kees Cook

-- 
Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Andrii Nakryiko]

On Tue, Mar 31, 2020 at 12:58 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Mar 31, 2020 at 12:50:07PM -0700, Andrii Nakryiko wrote:
> > On Tue, Mar 31, 2020 at 11:12 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > On Tue, Mar 31, 2020 at 12:41:04AM +0200, Daniel Borkmann wrote:
> > > > On 3/30/20 7:20 PM, Kees Cook wrote:
> > > > > On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
> > > > > > On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
> > > > > > <alexei.starovoitov@gmail.com> wrote:
> > > > > > > On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
> > > > > > > >
> > > > > > > > I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
> > > > > > > > of CONFIG_GCC_PLUGIN_RANDSTRUCT.
> > > > > > >
> > > > > > > Is it a theoretical stmt or you have data?
> > > > > > > I think it's the other way around.
> > > > > > > gcc-plugin breaks dwarf and breaks btf.
> > > > > > > But I only looked at gcc patches without applying them.
> > > > > >
> > > > > > Ah, interesting - I haven't actually tested it, I just assumed
> > > > > > (perhaps incorrectly) that the GCC plugin would deal with DWARF info
> > > > > > properly.
> > > > >
> > > > > Yeah, GCC appears to create DWARF before the plugin does the
> > > > > randomization[1], so it's not an exposure, but yes, struct randomization
> > > > > is pretty completely incompatible with a bunch of things in the kernel
> > > > > (by design). I'm happy to add negative "depends" in the Kconfig if it
> > > > > helps clarify anything.
> > > >
> > > > Is this expected to get fixed at some point wrt DWARF? Perhaps would make
> > >
> > > No, gcc closed the issue as "won't fix".
> > >
> > > > sense then to add a negative "depends" for both DWARF and BTF if the option
> > > > GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.
> > >
> > > I hadn't just to keep wider randconfig build test coverage. That said, I
> > > could make it be: depends COMPILE_TEST || !DWARF ...
> > >
> > > I can certainly do that.
> >
> > I've asked Slava in [0] to disable all three known configs that break
> > DWARF and subsequently BTF, I hope it's ok to just do it in one patch.
> > Currently all these appear to result in invalid BTF due to various
> > DWARF modifications:
> >
> >   - DEBUG_INFO_REDUCED (see [1])
> >   - DEBUG_INFO_SPLIT (see [0]
> >   - GCC_PLUGIN_RANDSTRUCT (this discussion).
> >
> >   [0] https://lore.kernel.org/bpf/CAEf4BzadnfAwfa1D0jZb=01Ou783GpK_U7PAYeEJca-L9kdnVA@mail.gmail.com/
> >   [1] https://lore.kernel.org/bpf/CAEf4BzZri8KpwLcoPgjiVx_=QmJ2W9UzBkDqSO2rUWMzWogkKg@mail.gmail.com/
>
> Sure! That'd by fine by me. I'd just like it to be a "|| COMPILE_TEST"
> for GCC_PLUGIN_RANDSTRUCT. Feel free to CC me for an Ack. :)
>

+cc Slava

I'm unsure what COMPILE_TEST dependency (or is it anti-dependency?)
has to do with BTF generation and reading description in Kconfig
didn't clarify it for me. Can you please elaborate just a bit? Thanks!

> -Kees
>
> >
> >
> > >
> > > -Kees
> > >
> > > [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052
> > >
> > > --
> > > Kees Cook
>
> --
> Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Slava Bacherikov]

31.03.2020 23:23, Andrii Nakryiko пишет:
> On Tue, Mar 31, 2020 at 12:58 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Tue, Mar 31, 2020 at 12:50:07PM -0700, Andrii Nakryiko wrote:
>>> On Tue, Mar 31, 2020 at 11:12 AM Kees Cook <keescook@chromium.org> wrote:
>>>>
>>>> On Tue, Mar 31, 2020 at 12:41:04AM +0200, Daniel Borkmann wrote:
>>>>> On 3/30/20 7:20 PM, Kees Cook wrote:
>>>>>> On Mon, Mar 30, 2020 at 06:17:32PM +0200, Jann Horn wrote:
>>>>>>> On Mon, Mar 30, 2020 at 5:59 PM Alexei Starovoitov
>>>>>>> <alexei.starovoitov@gmail.com> wrote:
>>>>>>>> On Mon, Mar 30, 2020 at 8:14 AM Jann Horn <jannh@google.com> wrote:
>>>>>>>>>
>>>>>>>>> I noticed that CONFIG_DEBUG_INFO_BTF seems to partly defeat the point
>>>>>>>>> of CONFIG_GCC_PLUGIN_RANDSTRUCT.
>>>>>>>>
>>>>>>>> Is it a theoretical stmt or you have data?
>>>>>>>> I think it's the other way around.
>>>>>>>> gcc-plugin breaks dwarf and breaks btf.
>>>>>>>> But I only looked at gcc patches without applying them.
>>>>>>>
>>>>>>> Ah, interesting - I haven't actually tested it, I just assumed
>>>>>>> (perhaps incorrectly) that the GCC plugin would deal with DWARF info
>>>>>>> properly.
>>>>>>
>>>>>> Yeah, GCC appears to create DWARF before the plugin does the
>>>>>> randomization[1], so it's not an exposure, but yes, struct randomization
>>>>>> is pretty completely incompatible with a bunch of things in the kernel
>>>>>> (by design). I'm happy to add negative "depends" in the Kconfig if it
>>>>>> helps clarify anything.
>>>>>
>>>>> Is this expected to get fixed at some point wrt DWARF? Perhaps would make
>>>>
>>>> No, gcc closed the issue as "won't fix".
>>>>
>>>>> sense then to add a negative "depends" for both DWARF and BTF if the option
>>>>> GCC_PLUGIN_RANDSTRUCT is set given both would be incompatible/broken.
>>>>
>>>> I hadn't just to keep wider randconfig build test coverage. That said, I
>>>> could make it be: depends COMPILE_TEST || !DWARF ...
>>>>
>>>> I can certainly do that.
>>>
>>> I've asked Slava in [0] to disable all three known configs that break
>>> DWARF and subsequently BTF, I hope it's ok to just do it in one patch.
>>> Currently all these appear to result in invalid BTF due to various
>>> DWARF modifications:
>>>
>>>   - DEBUG_INFO_REDUCED (see [1])
>>>   - DEBUG_INFO_SPLIT (see [0]
>>>   - GCC_PLUGIN_RANDSTRUCT (this discussion).
>>>
>>>   [0] https://lore.kernel.org/bpf/CAEf4BzadnfAwfa1D0jZb=01Ou783GpK_U7PAYeEJca-L9kdnVA@mail.gmail.com/
>>>   [1] https://lore.kernel.org/bpf/CAEf4BzZri8KpwLcoPgjiVx_=QmJ2W9UzBkDqSO2rUWMzWogkKg@mail.gmail.com/
>>
>> Sure! That'd by fine by me. I'd just like it to be a "|| COMPILE_TEST"
>> for GCC_PLUGIN_RANDSTRUCT. Feel free to CC me for an Ack. :)
>>
> 
> +cc Slava
> 
> I'm unsure what COMPILE_TEST dependency (or is it anti-dependency?)
> has to do with BTF generation and reading description in Kconfig
> didn't clarify it for me. Can you please elaborate just a bit? Thanks!
> 
>> -Kees

Hi,

Regarding COMPILE_TEST, DEBUG_INFO has dependency on:

DEBUG_KERNEL && !COMPILE_TEST

And DEBUG_INFO_BTF depends on DEBUG_INFO, so enabling COMPILE_TEST
would block DEBUG_INFO and so DEBUG_INFO_BTF as well. Unless I don't
understand something and there is some other reason to add it.

--
Slava

>>
>>>
>>>
>>>>
>>>> -Kees
>>>>
>>>> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84052
>>>>
>>>> --
>>>> Kees Cook
>>
>> --
>> Kees Cook

Re: CONFIG_DEBUG_INFO_BTF and CONFIG_GCC_PLUGIN_RANDSTRUCT

[Kees Cook]

On Wed, Apr 01, 2020 at 12:24:46AM +0300, Slava Bacherikov wrote:
> 31.03.2020 23:23, Andrii Nakryiko пишет:
> > On Tue, Mar 31, 2020 at 12:58 PM Kees Cook <keescook@chromium.org> wrote:
> >> Sure! That'd by fine by me. I'd just like it to be a "|| COMPILE_TEST"
> >> for GCC_PLUGIN_RANDSTRUCT. Feel free to CC me for an Ack. :)
> >>
> > 
> > +cc Slava
> > 
> > I'm unsure what COMPILE_TEST dependency (or is it anti-dependency?)
> > has to do with BTF generation and reading description in Kconfig
> > didn't clarify it for me. Can you please elaborate just a bit? Thanks!
> > 
> >> -Kees
> 
> Hi,
> 
> Regarding COMPILE_TEST, DEBUG_INFO has dependency on:
> 
> DEBUG_KERNEL && !COMPILE_TEST
> 
> And DEBUG_INFO_BTF depends on DEBUG_INFO, so enabling COMPILE_TEST
> would block DEBUG_INFO and so DEBUG_INFO_BTF as well. Unless I don't
> understand something and there is some other reason to add it.

I meant that if you're adjusting the depends for GCC_PLUGIN_RANDSTRUCT,
I'd like it to be:

	depends on COMPILE_TEST || !DEBUG_INFO

That way randconfig, all*config, etc, will still select
GCC_PLUGIN_RANDSTRUCT with everything else, regardless of DEBUG_INFO.

-- 
Kees Cook