On Wed, Oct 4, 2017 at 8:13 AM, Greg KH <greg@xxxxxxxxx> wrote:
> On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote:
>> Hi Kees,
>>
>>
>> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@xxxxxxxxxxxx>:
>> > Various portions of the kernel, especially per-architecture pieces,
>> > need to know if the compiler is building it with the stack protector.
>> > This was done in the arch/Kconfig with 'select', but this doesn't
>> > allow a way to do auto-detected compiler support. In preparation for
>> > creating an on-if-available default, move the logic for the definition of
>> > CONFIG_CC_STACKPROTECTOR into the Makefile.
>> >
>> > Cc: Masahiro Yamada <yamada.masahiro@xxxxxxxxxxxxx>
>> > Cc: Michal Marek <mmarek@xxxxxxxx>
>> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
>> > Cc: Ingo Molnar <mingo@xxxxxxxxxx>
>> > Cc: Laura Abbott <labbott@xxxxxxxxxx>
>> > Cc: Nicholas Piggin <npiggin@xxxxxxxxx>
>> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>> > Cc: linux-kbuild@xxxxxxxxxxxxxxx
>> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> > ---
>> > Makefile | 7 +++++--
>> > arch/Kconfig | 8 --------
>> > 2 files changed, 5 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/Makefile b/Makefile
>> > index d1119941261c..e122a9cf0399 100644
>> > --- a/Makefile
>> > +++ b/Makefile
>> > @@ -688,8 +688,11 @@ else
>> > stackp-flag := $(call cc-option, -fno-stack-protector)
>> > endif
>> > endif
>> > -# Find arch-specific stack protector compiler sanity-checking script.
>> > -ifdef CONFIG_CC_STACKPROTECTOR
>> > +ifdef stackp-name
>> > + # If the stack protector has been selected, inform the rest of the build.
>> > + KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > + KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > + # Find arch-specific stack protector compiler sanity-checking script.
>> > stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
>> > stackp-check := $(wildcard $(stackp-path))
>> > endif
>>
>>
>> I have not tested this series,
>> but I think this commit is bad (with the follow-up patch applied).
>>
>>
>> I thought of this scenario:
>>
>> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO
>>
>> [2] Kernel is built with a compiler without stack protector support.
>>
>> [3] CONFIG_CC_STACKPROTECTOR is not defined,
>> so __stack_chk_fail() is not compiled.
>>
>> [4] Out-of-tree modules are compiled with a compiler with
>> stack protector support.
>> __stack_chk_fail() is inserted to functions of the modules.
>
> We don't ever support the system of loading a module built with anything
> other than the _exact_ same compiler than the kernel was. So this will
> not happen (well, if someone tries it, they get to keep the pieces their
> kernel image is now in...)
>
>> [5] insmod fails because reference to __stack_chk_fail()
>> can not be resolved.
>
> Even nicer, we failed "cleanly" :)
>
> This isn't a real-world issue, sorry.
If we wanted a slightly different failure, we could simply add the
stack protection feature to the VERMAGIC_STRING define:
diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index af6c03f7f986..300163aba666 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -30,11 +30,19 @@
#else
#define MODULE_RANDSTRUCT_PLUGIN
#endif
+#if defined(__SSP__)
+#define MODULE_STACKPROTECTOR "stack-protector "
+#elif define (__SSP_STRONG__)
+#define MODULE_STACKPROTECTOR "stack-protector-strong "
+#else
+#define MODULE_STACKPROTECTOR ""
+#endif
#define VERMAGIC_STRING \
UTS_RELEASE " " \
MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
MODULE_ARCH_VERMAGIC \
+ MODULE_STACKPROTECTOR \
MODULE_RANDSTRUCT_PLUGIN
Do you want me to send this patch, or should we allow it to fail with
the "missing reference" (which may actually be more expressive...) I
think the way it is right now is better, but I'm open to either.
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
