* [PATCH] kstack_erase: Disable kstack_erase for all of arm compressed boot code
@ 2025-07-26 21:29 Kees Cook
2025-07-27 15:51 ` Nathan Chancellor
0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2025-07-26 21:29 UTC (permalink / raw)
To: Nathan Chancellor
Cc: Kees Cook, Linux Kernel Functional Testing, Russell King,
Arnd Bergmann, Ard Biesheuvel, Ingo Molnar, linux-kernel,
linux-arm-kernel, linux-hardening
When building with CONFIG_KSTACK_ERASE=y and CONFIG_ARM_ATAG_DTB_COMPAT=y,
the compressed boot environment encounters an undefined symbol error:
ld.lld: error: undefined symbol: __sanitizer_cov_stack_depth
>>> referenced by atags_to_fdt.c:135
This occurs because the compiler instruments the atags_to_fdt() function
with sanitizer coverage calls, but the minimal compressed boot environment
lacks access to sanitizer runtime support.
The compressed boot environment already disables stack protector with
-fno-stack-protector. Similarly disable sanitizer coverage by adding
$(DISABLE_KSTACK_ERASE) to the general compiler flags (and remove it
from the one place it was noticed before), which contains the appropriate
flags to prevent sanitizer instrumentation.
This follows the same pattern used in other early boot contexts where
sanitizer runtime support is unavailable.
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/all/CA+G9fYtBk8qnpWvoaFwymCx5s5i-5KXtPGpmf=_+UKJddCOnLA@mail.gmail.com
Reported-by: Nathan Chancellor <nathan@kernel.org>
Closes: https://lore.kernel.org/all/20250726004313.GA3650901@ax162
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kees Cook <kees@kernel.org>
---
arch/arm/boot/compressed/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
index f9075edfd773..a159120d1e42 100644
--- a/arch/arm/boot/compressed/Makefile
+++ b/arch/arm/boot/compressed/Makefile
@@ -9,7 +9,6 @@ OBJS =
HEAD = head.o
OBJS += misc.o decompress.o
-CFLAGS_decompress.o += $(DISABLE_KSTACK_ERASE)
ifeq ($(CONFIG_DEBUG_UNCOMPRESS),y)
OBJS += debug.o
AFLAGS_head.o += -DDEBUG
@@ -96,6 +95,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
ccflags-y := -fpic $(call cc-option,-mno-single-pic-base,) -fno-builtin \
-I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \
+ $(DISABLE_KSTACK_ERASE) \
-I$(obj)
ccflags-remove-$(CONFIG_FUNCTION_TRACER) += -pg
asflags-y := -DZIMAGE
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] kstack_erase: Disable kstack_erase for all of arm compressed boot code
2025-07-26 21:29 [PATCH] kstack_erase: Disable kstack_erase for all of arm compressed boot code Kees Cook
@ 2025-07-27 15:51 ` Nathan Chancellor
0 siblings, 0 replies; 2+ messages in thread
From: Nathan Chancellor @ 2025-07-27 15:51 UTC (permalink / raw)
To: Kees Cook
Cc: Linux Kernel Functional Testing, Russell King, Arnd Bergmann,
Ard Biesheuvel, Ingo Molnar, linux-kernel, linux-arm-kernel,
linux-hardening
On Sat, Jul 26, 2025 at 02:29:45PM -0700, Kees Cook wrote:
> When building with CONFIG_KSTACK_ERASE=y and CONFIG_ARM_ATAG_DTB_COMPAT=y,
> the compressed boot environment encounters an undefined symbol error:
>
> ld.lld: error: undefined symbol: __sanitizer_cov_stack_depth
> >>> referenced by atags_to_fdt.c:135
>
> This occurs because the compiler instruments the atags_to_fdt() function
> with sanitizer coverage calls, but the minimal compressed boot environment
> lacks access to sanitizer runtime support.
>
> The compressed boot environment already disables stack protector with
> -fno-stack-protector. Similarly disable sanitizer coverage by adding
> $(DISABLE_KSTACK_ERASE) to the general compiler flags (and remove it
> from the one place it was noticed before), which contains the appropriate
> flags to prevent sanitizer instrumentation.
>
> This follows the same pattern used in other early boot contexts where
> sanitizer runtime support is unavailable.
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
> Closes: https://lore.kernel.org/all/CA+G9fYtBk8qnpWvoaFwymCx5s5i-5KXtPGpmf=_+UKJddCOnLA@mail.gmail.com
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://lore.kernel.org/all/20250726004313.GA3650901@ax162
> Suggested-by: Nathan Chancellor <nathan@kernel.org>
> Signed-off-by: Kees Cook <kees@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
> ---
> arch/arm/boot/compressed/Makefile | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> index f9075edfd773..a159120d1e42 100644
> --- a/arch/arm/boot/compressed/Makefile
> +++ b/arch/arm/boot/compressed/Makefile
> @@ -9,7 +9,6 @@ OBJS =
>
> HEAD = head.o
> OBJS += misc.o decompress.o
> -CFLAGS_decompress.o += $(DISABLE_KSTACK_ERASE)
> ifeq ($(CONFIG_DEBUG_UNCOMPRESS),y)
> OBJS += debug.o
> AFLAGS_head.o += -DDEBUG
> @@ -96,6 +95,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
>
> ccflags-y := -fpic $(call cc-option,-mno-single-pic-base,) -fno-builtin \
> -I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \
> + $(DISABLE_KSTACK_ERASE) \
> -I$(obj)
> ccflags-remove-$(CONFIG_FUNCTION_TRACER) += -pg
> asflags-y := -DZIMAGE
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-07-27 15:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-26 21:29 [PATCH] kstack_erase: Disable kstack_erase for all of arm compressed boot code Kees Cook
2025-07-27 15:51 ` Nathan Chancellor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).