Re: [kernel-hardening] Re: [PATCH 2/3] Makefile: Move stackprotector availability out of Kconfig

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 4, 2017 at 8:13 AM, Greg KH <greg@xxxxxxxxx> wrote:
> On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote:
>> Hi Kees,
>>
>>
>> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@xxxxxxxxxxxx>:
>> > Various portions of the kernel, especially per-architecture pieces,
>> > need to know if the compiler is building it with the stack protector.
>> > This was done in the arch/Kconfig with 'select', but this doesn't
>> > allow a way to do auto-detected compiler support. In preparation for
>> > creating an on-if-available default, move the logic for the definition of
>> > CONFIG_CC_STACKPROTECTOR into the Makefile.
>> >
>> > Cc: Masahiro Yamada <yamada.masahiro@xxxxxxxxxxxxx>
>> > Cc: Michal Marek <mmarek@xxxxxxxx>
>> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
>> > Cc: Ingo Molnar <mingo@xxxxxxxxxx>
>> > Cc: Laura Abbott <labbott@xxxxxxxxxx>
>> > Cc: Nicholas Piggin <npiggin@xxxxxxxxx>
>> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>> > Cc: linux-kbuild@xxxxxxxxxxxxxxx
>> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> > ---
>> >  Makefile     | 7 +++++--
>> >  arch/Kconfig | 8 --------
>> >  2 files changed, 5 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/Makefile b/Makefile
>> > index d1119941261c..e122a9cf0399 100644
>> > --- a/Makefile
>> > +++ b/Makefile
>> > @@ -688,8 +688,11 @@ else
>> >    stackp-flag := $(call cc-option, -fno-stack-protector)
>> >  endif
>> >  endif
>> > -# Find arch-specific stack protector compiler sanity-checking script.
>> > -ifdef CONFIG_CC_STACKPROTECTOR
>> > +ifdef stackp-name
>> > +  # If the stack protector has been selected, inform the rest of the build.
>> > +  KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > +  KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > +  # Find arch-specific stack protector compiler sanity-checking script.
>> >    stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
>> >    stackp-check := $(wildcard $(stackp-path))
>> >  endif
>>
>>
>> I have not tested this series,
>> but I think this commit is bad (with the follow-up patch applied).
>>
>>
>> I thought of this scenario:
>>
>> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO
>>
>> [2] Kernel is built with a compiler without stack protector support.
>>
>> [3] CONFIG_CC_STACKPROTECTOR is not defined,
>>     so __stack_chk_fail() is not compiled.
>>
>> [4] Out-of-tree modules are compiled with a compiler with
>>     stack protector support.
>>     __stack_chk_fail() is inserted to functions of the modules.
>
> We don't ever support the system of loading a module built with anything
> other than the _exact_ same compiler than the kernel was.  So this will
> not happen (well, if someone tries it, they get to keep the pieces their
> kernel image is now in...)
>
>> [5] insmod fails because reference to __stack_chk_fail()
>>     can not be resolved.
>
> Even nicer, we failed "cleanly" :)
>
> This isn't a real-world issue, sorry.

If we wanted a slightly different failure, we could simply add the
stack protection feature to the VERMAGIC_STRING define:

diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index af6c03f7f986..300163aba666 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -30,11 +30,19 @@
 #else
 #define MODULE_RANDSTRUCT_PLUGIN
 #endif
+#if defined(__SSP__)
+#define MODULE_STACKPROTECTOR "stack-protector "
+#elif define (__SSP_STRONG__)
+#define MODULE_STACKPROTECTOR "stack-protector-strong "
+#else
+#define MODULE_STACKPROTECTOR ""
+#endif

 #define VERMAGIC_STRING                                                \
        UTS_RELEASE " "                                                 \
        MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT                     \
        MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS       \
        MODULE_ARCH_VERMAGIC                                            \
+       MODULE_STACKPROTECTOR                                           \
        MODULE_RANDSTRUCT_PLUGIN


Do you want me to send this patch, or should we allow it to fail with
the "missing reference" (which may actually be more expressive...) I
think the way it is right now is better, but I'm open to either.

-Kees

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux&nblp;USB Development]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite Secrets]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux