[PATCH RFC 4/4] stackleak: Support Clang stack depth tracking

Kees Cook kees at kernel.org
Fri May 2 19:01:27 UTC 2025 

Wire up stackleak to Clang's proposed[1] stack depth tracking callback
option. While __noinstr already contained __no_sanitize_coverage, it was
still needed for __init and __head section markings. This is needed to
make sure the callback is not executed in unsupported contexts.

Link: https://github.com/llvm/llvm-project/pull/138323 [1]
Signed-off-by: Kees Cook <kees at kernel.org>
---
Cc: Arnd Bergmann <arnd at arndb.de>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: Ingo Molnar <mingo at redhat.com>
Cc: Borislav Petkov <bp at alien8.de>
Cc: Dave Hansen <dave.hansen at linux.intel.com>
Cc: <x86 at kernel.org>
Cc: "H. Peter Anvin" <hpa at zytor.com>
Cc: Masahiro Yamada <masahiroy at kernel.org>
Cc: Nathan Chancellor <nathan at kernel.org>
Cc: Nicolas Schier <nicolas.schier at linux.dev>
Cc: Marco Elver <elver at google.com>
Cc: Andrey Konovalov <andreyknvl at gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a at gmail.com>
Cc: Ard Biesheuvel <ardb at kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars at kernel.org>
Cc: Paul Moore <paul at paul-moore.com>
Cc: James Morris <jmorris at namei.org>
Cc: "Serge E. Hallyn" <serge at hallyn.com>
Cc: Kai Huang <kai.huang at intel.com>
Cc: Hou Wenlong <houwenlong.hwl at antgroup.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov at linux.intel.com>
Cc: Andrew Morton <akpm at linux-foundation.org>
Cc: "Peter Zijlstra (Intel)" <peterz at infradead.org>
Cc: Sami Tolvanen <samitolvanen at google.com>
Cc: Christophe Leroy <christophe.leroy at csgroup.eu>
Cc: <linux-kbuild at vger.kernel.org>
Cc: <kasan-dev at googlegroups.com>
Cc: <linux-hardening at vger.kernel.org>
Cc: <linux-security-module at vger.kernel.org>
---
 arch/x86/include/asm/init.h |  2 +-
 include/linux/init.h        |  4 +++-
 scripts/Makefile.ubsan      | 12 ++++++++++++
 security/Kconfig.hardening  |  5 ++++-
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h
index 8b1b1abcef15..6bfdaeddbae8 100644
--- a/arch/x86/include/asm/init.h
+++ b/arch/x86/include/asm/init.h
@@ -5,7 +5,7 @@
 #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
 #define __head	__section(".head.text") __no_sanitize_undefined __no_stack_protector
 #else
-#define __head	__section(".head.text") __no_sanitize_undefined
+#define __head	__section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
 #endif
 
 struct x86_mapping_info {
diff --git a/include/linux/init.h b/include/linux/init.h
index ee1309473bc6..c65a050d52a7 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -49,7 +49,9 @@
 
 /* These are for everybody (although not all archs will actually
    discard it in modules) */
-#define __init		__section(".init.text") __cold  __latent_entropy __noinitretpoline
+#define __init		__section(".init.text") __cold __latent_entropy	\
+						__noinitretpoline	\
+						__no_sanitize_coverage
 #define __initdata	__section(".init.data")
 #define __initconst	__section(".init.rodata")
 #define __exitdata	__section(".exit.data")
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 9e35198edbf0..cfb3ecde07dd 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -22,3 +22,15 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP)     +=	\
 	-fsanitize=implicit-unsigned-integer-truncation		\
 	-fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl
 export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y)
+
+ifdef CONFIG_CC_IS_CLANG
+stackleak-cflags-$(CONFIG_STACKLEAK)	+=	\
+	-fsanitize-coverage=stack-depth		\
+	-fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
+export STACKLEAK_CFLAGS := $(stackleak-cflags-y)
+ifdef CONFIG_STACKLEAK
+    DISABLE_STACKLEAK		:= -fno-sanitize-coverage=stack-depth
+endif
+export DISABLE_STACKLEAK
+KBUILD_CFLAGS += $(STACKLEAK_CFLAGS)
+endif
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index edcc489a6805..e86b61e44b33 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
 	  initialized. Since not all existing initializers are detected
 	  by the plugin, this can produce false positive warnings.
 
+config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
+	def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
+
 config STACKLEAK
 	bool "Poison kernel stack before returning from syscalls"
 	depends on HAVE_ARCH_STACKLEAK
-	depends on GCC_PLUGINS
+	depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
 	help
 	  This option makes the kernel erase the kernel stack before
 	  returning from system calls. This has the effect of leaving
-- 
2.34.1

More information about the Linux-security-module-archive mailing list