niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

hardening: Clarify Kconfig text for auto-var-init

Browse source 
Clarify the details around the automatic variable initialization modes
available. Specifically this details the values used for pattern init
and expands on the rationale for zero init safety. Additionally makes
zero init the default when available.

Cc: glider@google.com
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: linux-security-module@vger.kernel.org
Cc: clang-built-linux@googlegroups.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
This commit is contained in:
Kees Cook 2021-07-20 14:54:17 -07:00
parent a82adfd5c7
commit dcb7c0b946
1 changed files with 31 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
security/Kconfig.hardening
View file

@ -29,6 +29,7 @@ choice
prompt "Initialize kernel stack variables at function entry" prompt "Initialize kernel stack variables at function entry"
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
default INIT_STACK_NONE default INIT_STACK_NONE
help help
This option enables initialization of stack variables at This option enables initialization of stack variables at
@ -39,11 +40,11 @@ choice
syscalls. syscalls.
This chooses the level of coverage over classes of potentially This chooses the level of coverage over classes of potentially
uninitialized variables. The selected class will be uninitialized variables. The selected class of variable will be
initialized before use in a function. initialized before use in a function.
config INIT_STACK_NONE config INIT_STACK_NONE
bool "no automatic initialization (weakest)" bool "no automatic stack variable initialization (weakest)"
help help
Disable automatic stack variable initialization. Disable automatic stack variable initialization.
This leaves the kernel vulnerable to the standard This leaves the kernel vulnerable to the standard
@ -80,7 +81,7 @@ choice
and is disallowed. and is disallowed.
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
bool "zero-init anything passed by reference (very strong)" bool "zero-init everything passed by reference (very strong)"
depends on GCC_PLUGINS depends on GCC_PLUGINS
depends on !(KASAN && KASAN_STACK) depends on !(KASAN && KASAN_STACK)
select GCC_PLUGIN_STRUCTLEAK select GCC_PLUGIN_STRUCTLEAK
@ -91,33 +92,44 @@ choice
of uninitialized stack variable exploits and information of uninitialized stack variable exploits and information
exposures. exposures.
As a side-effect, this keeps a lot of variables on the
stack that can otherwise be optimized out, so combining
this with CONFIG_KASAN_STACK can lead to a stack overflow
and is disallowed.
config INIT_STACK_ALL_PATTERN config INIT_STACK_ALL_PATTERN
bool "0xAA-init everything on the stack (strongest)" bool "pattern-init everything (strongest)"
depends on CC_HAS_AUTO_VAR_INIT_PATTERN depends on CC_HAS_AUTO_VAR_INIT_PATTERN
help help
Initializes everything on the stack with a 0xAA Initializes everything on the stack (including padding)
pattern. This is intended to eliminate all classes with a specific debug value. This is intended to eliminate
of uninitialized stack variable exploits and information all classes of uninitialized stack variable exploits and
exposures, even variables that were warned to have been information exposures, even variables that were warned about
left uninitialized. having been left uninitialized.
Pattern initialization is known to provoke many existing bugs Pattern initialization is known to provoke many existing bugs
related to uninitialized locals, e.g. pointers receive related to uninitialized locals, e.g. pointers receive
non-NULL values, buffer sizes and indices are very big. non-NULL values, buffer sizes and indices are very big. The
pattern is situation-specific; Clang on 64-bit uses 0xAA
repeating for all types and padding except float and double
which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
repeating for all types and padding.
config INIT_STACK_ALL_ZERO config INIT_STACK_ALL_ZERO
bool "zero-init everything on the stack (strongest and safest)" bool "zero-init everything (strongest and safest)"
depends on CC_HAS_AUTO_VAR_INIT_ZERO depends on CC_HAS_AUTO_VAR_INIT_ZERO
help help
Initializes everything on the stack with a zero Initializes everything on the stack (including padding)
value. This is intended to eliminate all classes with a zero value. This is intended to eliminate all
of uninitialized stack variable exploits and information classes of uninitialized stack variable exploits and
exposures, even variables that were warned to have been information exposures, even variables that were warned
left uninitialized. about having been left uninitialized.
Zero initialization provides safe defaults for strings, Zero initialization provides safe defaults for strings
pointers, indices and sizes, and is therefore (immediately NUL-terminated), pointers (NULL), indices
more suitable as a security mitigation measure. (index 0), and sizes (0 length), so it is therefore more
suitable as a production security mitigation than pattern
initialization.
endchoice endchoice