From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A7781C3ABAC for ; Fri, 2 May 2025 19:10:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=4aT90APvm42za4PJdvMx7655NJADlHO2KlbR2iqUG/c=; b=Q2sy5SxUVf0Et2 J4t0FzcEU5+n6vrQFY6DHF7BM2VVWdR/ba8znUyX2DzlASRcJJStBG9tA/WKDVpWsy7MGR32ClCol swSnKOGwCIt3cEyW5aZjI48+hbjUtGN7g139Hpp0DDzrS1BbJYk4wEc+lPt+rNGTbwY8c+lnIKERx 9dH5LPEUOHjEz31+zcYcEZYGd5L8GU2ebOx/nuBaDmDxyuP3RRxhw3oplsUmfAvdVy/Q0K9AAzunZ AbtzegN9hnxTFjIiO+2EjRezryFiG8z0NgnctRgAj0P3tcT76kr1M5D9ZjbibU7n/ayTPQddOFkVS 37IlsJqH8bq0SEcqjgBw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1uAvmW-00000002qdo-2ZS7; Fri, 02 May 2025 19:10:44 +0000 Received: from sea.source.kernel.org ([172.234.252.31]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1uAvdf-00000002p5Q-20Ne; Fri, 02 May 2025 19:01:36 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id D2296443EE; Fri, 2 May 2025 19:01:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9FA19C4CEED; Fri, 2 May 2025 19:01:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746212492; bh=OArrhviC9XaQ7OlcTfKqQMGsnz4armduOY/WBMGcbsA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jB1YOX/WblarlM1ru+chkUcRI7n9ViNaZEATHHCcZU9HKHkXtQaiFa1ADnnNSHEfn pxV/EexqPW/iO2BUs8r2oHGwy/9Wh+oNp1A5atSmV+xAncgPjqT8RJGnFSSHtmQkzE UPmqFqbQ6KKii/W31CNxWg7FeU4snGvlYrWtTP21uUUHLpcqwPtQxofl5x4yxEQWCa HwLSZcaV963TrPrvt3cOAxbzFvO38HxPRoaEke92VS2avjAcALnb+UJqHMA74Tz/D8 JUZIkKnmwrX/2Jemco5btqwU2P3ADx4coHH+136JT/FvbSfjWd+ts9cd4ecXPSUgg3 HONZP1ma8mZfQ== From: Kees Cook To: Arnd Bergmann Cc: Kees Cook , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , Marco Elver , Andrey Konovalov , Andrey Ryabinin , Ard Biesheuvel , "Gustavo A. R. Silva" , Paul Moore , James Morris , "Serge E. Hallyn" , Kai Huang , Hou Wenlong , "Kirill A. Shutemov" , Andrew Morton , "Peter Zijlstra (Intel)" , Sami Tolvanen , Christophe Leroy , linux-kbuild@vger.kernel.org, kasan-dev@googlegroups.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org, linux-efi@vger.kernel.org, linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH RFC 4/4] stackleak: Support Clang stack depth tracking Date: Fri, 2 May 2025 12:01:27 -0700 Message-Id: <20250502190129.246328-4-kees@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250502185834.work.560-kees@kernel.org> References: <20250502185834.work.560-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4716; i=kees@kernel.org; h=from:subject; bh=OArrhviC9XaQ7OlcTfKqQMGsnz4armduOY/WBMGcbsA=; b=owGbwMvMwCVmps19z/KJym7G02pJDBmiYm0eHYd/KD+/YrfhHLPdHAslHi9Fd//IiqqD/4I25 j38J1nZUcrCIMbFICumyBJk5x7n4vG2Pdx9riLMHFYmkCEMXJwCMBGBJYwMGxO93eMPrlt+5Jzt Oot7p+4nLPDlKnhnYFtxdhXvk+VS/Ax/Bd/vvaSguOh3WEFqRfyd1+x1/pxfFHj2REh++SY+fVI 9DwA= X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250502_120135_556740_167C2873 X-CRM114-Status: GOOD ( 16.36 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Wire up stackleak to Clang's proposed[1] stack depth tracking callback option. While __noinstr already contained __no_sanitize_coverage, it was still needed for __init and __head section markings. This is needed to make sure the callback is not executed in unsupported contexts. Link: https://github.com/llvm/llvm-project/pull/138323 [1] Signed-off-by: Kees Cook --- Cc: Arnd Bergmann Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: Cc: "H. Peter Anvin" Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Ard Biesheuvel Cc: "Gustavo A. R. Silva" Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Kai Huang Cc: Hou Wenlong Cc: "Kirill A. Shutemov" Cc: Andrew Morton Cc: "Peter Zijlstra (Intel)" Cc: Sami Tolvanen Cc: Christophe Leroy Cc: Cc: Cc: Cc: --- arch/x86/include/asm/init.h | 2 +- include/linux/init.h | 4 +++- scripts/Makefile.ubsan | 12 ++++++++++++ security/Kconfig.hardening | 5 ++++- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h index 8b1b1abcef15..6bfdaeddbae8 100644 --- a/arch/x86/include/asm/init.h +++ b/arch/x86/include/asm/init.h @@ -5,7 +5,7 @@ #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000 #define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector #else -#define __head __section(".head.text") __no_sanitize_undefined +#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage #endif struct x86_mapping_info { diff --git a/include/linux/init.h b/include/linux/init.h index ee1309473bc6..c65a050d52a7 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -49,7 +49,9 @@ /* These are for everybody (although not all archs will actually discard it in modules) */ -#define __init __section(".init.text") __cold __latent_entropy __noinitretpoline +#define __init __section(".init.text") __cold __latent_entropy \ + __noinitretpoline \ + __no_sanitize_coverage #define __initdata __section(".init.data") #define __initconst __section(".init.rodata") #define __exitdata __section(".exit.data") diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 9e35198edbf0..cfb3ecde07dd 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -22,3 +22,15 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ -fsanitize=implicit-unsigned-integer-truncation \ -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) + +ifdef CONFIG_CC_IS_CLANG +stackleak-cflags-$(CONFIG_STACKLEAK) += \ + -fsanitize-coverage=stack-depth \ + -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE) +export STACKLEAK_CFLAGS := $(stackleak-cflags-y) +ifdef CONFIG_STACKLEAK + DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth +endif +export DISABLE_STACKLEAK +KBUILD_CFLAGS += $(STACKLEAK_CFLAGS) +endif diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index edcc489a6805..e86b61e44b33 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. +config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK + def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1) + config STACKLEAK bool "Poison kernel stack before returning from syscalls" depends on HAVE_ARCH_STACKLEAK - depends on GCC_PLUGINS + depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK help This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving -- 2.34.1 _______________________________________________ linux-riscv mailing list linux-riscv@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-riscv