|
Message-ID: <CAGXu5jKqt=DgMVKS8znL05scbXdxRhgkaf7D5ipYA3Q=csLB5A@mail.gmail.com> Date: Wed, 4 Oct 2017 09:22:24 -0700 From: Kees Cook <keescook@...omium.org> To: Greg KH <greg@...ah.com> Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>, Andrew Morton <akpm@...ux-foundation.org>, Michal Marek <mmarek@...e.com>, Ingo Molnar <mingo@...nel.org>, Laura Abbott <labbott@...hat.com>, Nicholas Piggin <npiggin@...il.com>, Al Viro <viro@...iv.linux.org.uk>, Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>, Yoshinori Sato <ysato@...rs.sourceforge.jp>, Rich Felker <dalias@...c.org>, "David S. Miller" <davem@...emloft.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, linux-sh <linux-sh@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Mark Rutland <mark.rutland@....com> Subject: Re: Re: [PATCH 2/3] Makefile: Move stackprotector availability out of Kconfig On Wed, Oct 4, 2017 at 8:13 AM, Greg KH <greg@...ah.com> wrote: > On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote: >> Hi Kees, >> >> >> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@...omium.org>: >> > Various portions of the kernel, especially per-architecture pieces, >> > need to know if the compiler is building it with the stack protector. >> > This was done in the arch/Kconfig with 'select', but this doesn't >> > allow a way to do auto-detected compiler support. In preparation for >> > creating an on-if-available default, move the logic for the definition of >> > CONFIG_CC_STACKPROTECTOR into the Makefile. >> > >> > Cc: Masahiro Yamada <yamada.masahiro@...ionext.com> >> > Cc: Michal Marek <mmarek@...e.com> >> > Cc: Andrew Morton <akpm@...ux-foundation.org> >> > Cc: Ingo Molnar <mingo@...nel.org> >> > Cc: Laura Abbott <labbott@...hat.com> >> > Cc: Nicholas Piggin <npiggin@...il.com> >> > Cc: Al Viro <viro@...iv.linux.org.uk> >> > Cc: linux-kbuild@...r.kernel.org >> > Signed-off-by: Kees Cook <keescook@...omium.org> >> > --- >> > Makefile | 7 +++++-- >> > arch/Kconfig | 8 -------- >> > 2 files changed, 5 insertions(+), 10 deletions(-) >> > >> > diff --git a/Makefile b/Makefile >> > index d1119941261c..e122a9cf0399 100644 >> > --- a/Makefile >> > +++ b/Makefile >> > @@ -688,8 +688,11 @@ else >> > stackp-flag := $(call cc-option, -fno-stack-protector) >> > endif >> > endif >> > -# Find arch-specific stack protector compiler sanity-checking script. >> > -ifdef CONFIG_CC_STACKPROTECTOR >> > +ifdef stackp-name >> > + # If the stack protector has been selected, inform the rest of the build. >> > + KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR >> > + KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR >> > + # Find arch-specific stack protector compiler sanity-checking script. >> > stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh >> > stackp-check := $(wildcard $(stackp-path)) >> > endif >> >> >> I have not tested this series, >> but I think this commit is bad (with the follow-up patch applied). >> >> >> I thought of this scenario: >> >> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO >> >> [2] Kernel is built with a compiler without stack protector support. >> >> [3] CONFIG_CC_STACKPROTECTOR is not defined, >> so __stack_chk_fail() is not compiled. >> >> [4] Out-of-tree modules are compiled with a compiler with >> stack protector support. >> __stack_chk_fail() is inserted to functions of the modules. > > We don't ever support the system of loading a module built with anything > other than the _exact_ same compiler than the kernel was. So this will > not happen (well, if someone tries it, they get to keep the pieces their > kernel image is now in...) > >> [5] insmod fails because reference to __stack_chk_fail() >> can not be resolved. > > Even nicer, we failed "cleanly" :) > > This isn't a real-world issue, sorry. If we wanted a slightly different failure, we could simply add the stack protection feature to the VERMAGIC_STRING define: diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index af6c03f7f986..300163aba666 100644 --- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h @@ -30,11 +30,19 @@ #else #define MODULE_RANDSTRUCT_PLUGIN #endif +#if defined(__SSP__) +#define MODULE_STACKPROTECTOR "stack-protector " +#elif define (__SSP_STRONG__) +#define MODULE_STACKPROTECTOR "stack-protector-strong " +#else +#define MODULE_STACKPROTECTOR "" +#endif #define VERMAGIC_STRING \ UTS_RELEASE " " \ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \ MODULE_ARCH_VERMAGIC \ + MODULE_STACKPROTECTOR \ MODULE_RANDSTRUCT_PLUGIN Do you want me to send this patch, or should we allow it to fail with the "missing reference" (which may actually be more expressive...) I think the way it is right now is better, but I'm open to either. -Kees -- Kees Cook Pixel Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.