[PATCH v2 3/3] security: Implement Clang's stack initialization
Alexander Potapenko
glider at google.com
Fri Apr 12 11:36:12 UTC 2019
On Thu, Apr 11, 2019 at 8:01 PM Kees Cook <keescook at chromium.org> wrote:
>
> CONFIG_INIT_STACK_ALL turns on stack initialization based on
> -ftrivial-auto-var-init in Clang builds, which has greater coverage
> than CONFIG_GCC_PLUGINS_STRUCTLEAK_BYREF_ALL.
>
> -ftrivial-auto-var-init Clang option provides trivial initializers for
> uninitialized local variables, variable fields and padding.
>
> It has three possible values:
> pattern - uninitialized locals are filled with a fixed pattern
> (mostly 0xAA on 64-bit platforms, see https://reviews.llvm.org/D54604
> for more details, but 0x000000AA for 32-bit pointers) likely to cause
> crashes when uninitialized value is used;
> zero (it's still debated whether this flag makes it to the official
> Clang release) - uninitialized locals are filled with zeroes;
> uninitialized (default) - uninitialized locals are left intact.
>
> This patch uses only the "pattern" mode when CONFIG_INIT_STACK_ALL is
> enabled.
>
> Developers have the possibility to opt-out of this feature on a
> per-variable basis by using __attribute__((uninitialized)), but such
> use should be well justified in comments.
>
> Co-developed-by: Alexander Potapenko <glider at google.com>
> Signed-off-by: Alexander Potapenko <glider at google.com>
> Signed-off-by: Kees Cook <keescook at chromium.org>
Tested-by: Alexander Potapenko <glider at google.com>
> ---
> Makefile | 5 +++++
> security/Kconfig.hardening | 15 ++++++++++++++-
> 2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/Makefile b/Makefile
> index c0a34064c574..a7d9c6cd0267 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -745,6 +745,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
> endif
> endif
>
> +# Initialize all stack variables with a pattern, if desired.
> +ifdef CONFIG_INIT_STACK_ALL
> +KBUILD_CFLAGS += -ftrivial-auto-var-init=pattern
> +endif
> +
> DEBUG_CFLAGS := $(call cc-option, -fno-var-tracking-assignments)
>
> ifdef CONFIG_DEBUG_INFO
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 3dd7a28c3822..5dd61770d3f0 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -18,9 +18,12 @@ config GCC_PLUGIN_STRUCTLEAK
>
> menu "Memory initialization"
>
> +config CC_HAS_AUTO_VAR_INIT
> + def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
> +
> choice
> prompt "Initialize kernel stack variables at function entry"
> - depends on GCC_PLUGINS
> + depends on CC_HAS_AUTO_VAR_INIT || GCC_PLUGINS
> default INIT_STACK_NONE
> help
> This option enables initialization of stack variables at
> @@ -76,6 +79,16 @@ choice
> of uninitialized stack variable exploits and information
> exposures.
>
> + config INIT_STACK_ALL
> + bool "0xAA-init everything on the stack (strongest)"
> + depends on CC_HAS_AUTO_VAR_INIT
> + help
> + Initializes everything on the stack with a 0xAA
> + pattern. This is intended to eliminate all classes
> + of uninitialized stack variable exploits and information
> + exposures, even variables that were warned to have been
> + left uninitialized.
> +
> endchoice
>
> config GCC_PLUGIN_STRUCTLEAK_VERBOSE
> --
> 2.17.1
>
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
More information about the Linux-security-module-archive
mailing list