1# SPDX-License-Identifier: GPL-2.0-only 2menu "Kernel hardening options" 3 4config GCC_PLUGIN_STRUCTLEAK 5 bool 6 help 7 While the kernel is built with warnings enabled for any missed 8 stack variable initializations, this warning is silenced for 9 anything passed by reference to another function, under the 10 occasionally misguided assumption that the function will do 11 the initialization. As this regularly leads to exploitable 12 flaws, this plugin is available to identify and zero-initialize 13 such variables, depending on the chosen level of coverage. 14 15 This plugin was originally ported from grsecurity/PaX. More 16 information at: 17 * https://grsecurity.net/ 18 * https://pax.grsecurity.net/ 19 20menu "Memory initialization" 21 22config CC_HAS_AUTO_VAR_INIT 23 def_bool $(cc-option,-ftrivial-auto-var-init=pattern) 24 25choice 26 prompt "Initialize kernel stack variables at function entry" 27 default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS 28 default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT 29 default INIT_STACK_NONE 30 help 31 This option enables initialization of stack variables at 32 function entry time. This has the possibility to have the 33 greatest coverage (since all functions can have their 34 variables initialized), but the performance impact depends 35 on the function calling complexity of a given workload's 36 syscalls. 37 38 This chooses the level of coverage over classes of potentially 39 uninitialized variables. The selected class will be 40 initialized before use in a function. 41 42 config INIT_STACK_NONE 43 bool "no automatic initialization (weakest)" 44 help 45 Disable automatic stack variable initialization. 46 This leaves the kernel vulnerable to the standard 47 classes of uninitialized stack variable exploits 48 and information exposures. 49 50 config GCC_PLUGIN_STRUCTLEAK_USER 51 bool "zero-init structs marked for userspace (weak)" 52 depends on GCC_PLUGINS 53 select GCC_PLUGIN_STRUCTLEAK 54 help 55 Zero-initialize any structures on the stack containing 56 a __user attribute. This can prevent some classes of 57 uninitialized stack variable exploits and information 58 exposures, like CVE-2013-2141: 59 https://git.kernel.org/linus/b9e146d8eb3b9eca 60 61 config GCC_PLUGIN_STRUCTLEAK_BYREF 62 bool "zero-init structs passed by reference (strong)" 63 depends on GCC_PLUGINS 64 depends on !(KASAN && KASAN_STACK=1) 65 select GCC_PLUGIN_STRUCTLEAK 66 help 67 Zero-initialize any structures on the stack that may 68 be passed by reference and had not already been 69 explicitly initialized. This can prevent most classes 70 of uninitialized stack variable exploits and information 71 exposures, like CVE-2017-1000410: 72 https://git.kernel.org/linus/06e7e776ca4d3654 73 74 As a side-effect, this keeps a lot of variables on the 75 stack that can otherwise be optimized out, so combining 76 this with CONFIG_KASAN_STACK can lead to a stack overflow 77 and is disallowed. 78 79 config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL 80 bool "zero-init anything passed by reference (very strong)" 81 depends on GCC_PLUGINS 82 depends on !(KASAN && KASAN_STACK=1) 83 select GCC_PLUGIN_STRUCTLEAK 84 help 85 Zero-initialize any stack variables that may be passed 86 by reference and had not already been explicitly 87 initialized. This is intended to eliminate all classes 88 of uninitialized stack variable exploits and information 89 exposures. 90 91 config INIT_STACK_ALL 92 bool "0xAA-init everything on the stack (strongest)" 93 depends on CC_HAS_AUTO_VAR_INIT 94 help 95 Initializes everything on the stack with a 0xAA 96 pattern. This is intended to eliminate all classes 97 of uninitialized stack variable exploits and information 98 exposures, even variables that were warned to have been 99 left uninitialized. 100 101endchoice 102 103config GCC_PLUGIN_STRUCTLEAK_VERBOSE 104 bool "Report forcefully initialized variables" 105 depends on GCC_PLUGIN_STRUCTLEAK 106 depends on !COMPILE_TEST # too noisy 107 help 108 This option will cause a warning to be printed each time the 109 structleak plugin finds a variable it thinks needs to be 110 initialized. Since not all existing initializers are detected 111 by the plugin, this can produce false positive warnings. 112 113config GCC_PLUGIN_STACKLEAK 114 bool "Poison kernel stack before returning from syscalls" 115 depends on GCC_PLUGINS 116 depends on HAVE_ARCH_STACKLEAK 117 help 118 This option makes the kernel erase the kernel stack before 119 returning from system calls. This has the effect of leaving 120 the stack initialized to the poison value, which both reduces 121 the lifetime of any sensitive stack contents and reduces 122 potential for uninitialized stack variable exploits or information 123 exposures (it does not cover functions reaching the same stack 124 depth as prior functions during the same syscall). This blocks 125 most uninitialized stack variable attacks, with the performance 126 impact being driven by the depth of the stack usage, rather than 127 the function calling complexity. 128 129 The performance impact on a single CPU system kernel compilation 130 sees a 1% slowdown, other systems and workloads may vary and you 131 are advised to test this feature on your expected workload before 132 deploying it. 133 134 This plugin was ported from grsecurity/PaX. More information at: 135 * https://grsecurity.net/ 136 * https://pax.grsecurity.net/ 137 138config STACKLEAK_TRACK_MIN_SIZE 139 int "Minimum stack frame size of functions tracked by STACKLEAK" 140 default 100 141 range 0 4096 142 depends on GCC_PLUGIN_STACKLEAK 143 help 144 The STACKLEAK gcc plugin instruments the kernel code for tracking 145 the lowest border of the kernel stack (and for some other purposes). 146 It inserts the stackleak_track_stack() call for the functions with 147 a stack frame size greater than or equal to this parameter. 148 If unsure, leave the default value 100. 149 150config STACKLEAK_METRICS 151 bool "Show STACKLEAK metrics in the /proc file system" 152 depends on GCC_PLUGIN_STACKLEAK 153 depends on PROC_FS 154 help 155 If this is set, STACKLEAK metrics for every task are available in 156 the /proc file system. In particular, /proc/<pid>/stack_depth 157 shows the maximum kernel stack consumption for the current and 158 previous syscalls. Although this information is not precise, it 159 can be useful for estimating the STACKLEAK performance impact for 160 your workloads. 161 162config STACKLEAK_RUNTIME_DISABLE 163 bool "Allow runtime disabling of kernel stack erasing" 164 depends on GCC_PLUGIN_STACKLEAK 165 help 166 This option provides 'stack_erasing' sysctl, which can be used in 167 runtime to control kernel stack erasing for kernels built with 168 CONFIG_GCC_PLUGIN_STACKLEAK. 169 170endmenu 171 172endmenu 173