On Thu, Jun 20, 2024 at 09:16:49PM +0800, Jinjie Ruan wrote:
> Add the STACKLEAK gcc plugin to arm32 by adding the helper used by
> stackleak common code: on_thread_stack(). It initialize the stack with the
> poison value before returning from system calls which improves the kernel
> security. Additionally, this disables the plugin in EFI stub code and
> decompress code, which are out of scope for the protection.
Oh very cool! Thanks for sending this!
> Before the test on Qemu versatilepb board:
> # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
> lkdtm: Performing direct entry STACKLEAK_ERASING
> lkdtm: XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)
>
> After:
> # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
> lkdtm: Performing direct entry STACKLEAK_ERASING
> lkdtm: stackleak stack usage:
> high offset: 80 bytes
> current: 280 bytes
> lowest: 696 bytes
> tracked: 696 bytes
> untracked: 192 bytes
> poisoned: 7220 bytes
> low offset: 4 bytes
> lkdtm: OK: the rest of the thread stack is properly erased
>
> Signed-off-by: Jinjie Ruan <ruanjinjie@xxxxxxxxxx>
> ---
> arch/arm/Kconfig | 1 +
> arch/arm/boot/compressed/Makefile | 1 +
> arch/arm/include/asm/stacktrace.h | 5 +++++
> arch/arm/kernel/entry-common.S | 3 +++
> drivers/firmware/efi/libstub/Makefile | 3 ++-
> 5 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 036381c5d42f..b211b7f5a138 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -86,6 +86,7 @@ config ARM
> select HAVE_ARCH_PFN_VALID
> select HAVE_ARCH_SECCOMP
> select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT
> + select HAVE_ARCH_STACKLEAK
> select HAVE_ARCH_THREAD_STRUCT_WHITELIST
> select HAVE_ARCH_TRACEHOOK
> select HAVE_ARCH_TRANSPARENT_HUGEPAGE if ARM_LPAE
> diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
> index 6bca03c0c7f0..945b5975fce2 100644
> --- a/arch/arm/boot/compressed/Makefile
> +++ b/arch/arm/boot/compressed/Makefile
> @@ -9,6 +9,7 @@ OBJS =
>
> HEAD = head.o
> OBJS += misc.o decompress.o
> +CFLAGS_decompress.o += $(DISABLE_STACKLEAK_PLUGIN)
> ifeq ($(CONFIG_DEBUG_UNCOMPRESS),y)
> OBJS += debug.o
> AFLAGS_head.o += -DDEBUG
> diff --git a/arch/arm/include/asm/stacktrace.h b/arch/arm/include/asm/stacktrace.h
> index 360f0d2406bf..a9b4b72ed241 100644
> --- a/arch/arm/include/asm/stacktrace.h
> +++ b/arch/arm/include/asm/stacktrace.h
> @@ -26,6 +26,11 @@ struct stackframe {
> #endif
> };
>
> +static inline bool on_thread_stack(void)
> +{
> + return !(((unsigned long)(current->stack) ^ current_stack_pointer) & ~(THREAD_SIZE - 1));
> +}
> +
> static __always_inline
> void arm_get_current_stackframe(struct pt_regs *regs, struct stackframe *frame)
> {
> diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
> index 5c31e9de7a60..f379c852dcb7 100644
> --- a/arch/arm/kernel/entry-common.S
> +++ b/arch/arm/kernel/entry-common.S
> @@ -119,6 +119,9 @@ no_work_pending:
>
> ct_user_enter save = 0
>
> +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
> + bl stackleak_erase_on_task_stack
> +#endif
> restore_user_regs fast = 0, offset = 0
> ENDPROC(ret_to_user_from_irq)
> ENDPROC(ret_to_user)
> diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
> index 06f0428a723c..20d8a491f25f 100644
> --- a/drivers/firmware/efi/libstub/Makefile
> +++ b/drivers/firmware/efi/libstub/Makefile
> @@ -27,7 +27,8 @@ cflags-$(CONFIG_ARM64) += -fpie $(DISABLE_STACKLEAK_PLUGIN) \
> cflags-$(CONFIG_ARM) += -DEFI_HAVE_STRLEN -DEFI_HAVE_STRNLEN \
> -DEFI_HAVE_MEMCHR -DEFI_HAVE_STRRCHR \
> -DEFI_HAVE_STRCMP -fno-builtin -fpic \
> - $(call cc-option,-mno-single-pic-base)
> + $(call cc-option,-mno-single-pic-base) \
> + $(DISABLE_STACKLEAK_PLUGIN)
> cflags-$(CONFIG_RISCV) += -fpic -DNO_ALTERNATIVE -mno-relax
> cflags-$(CONFIG_LOONGARCH) += -fpie
This looks very straight forward! If an ARM person can Ack this, I could
carry it via the hardening tree. Otherwise, it should probably go via
rmk's patch tracker?
-Kees
--
Kees Cook
