On Wed, Oct 4, 2017 at 8:13 AM, Greg KH <greg@xxxxxxxxx> wrote: > On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote: >> Hi Kees, >> >> >> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@xxxxxxxxxxxx>: >> > Various portions of the kernel, especially per-architecture pieces, >> > need to know if the compiler is building it with the stack protector. >> > This was done in the arch/Kconfig with 'select', but this doesn't >> > allow a way to do auto-detected compiler support. In preparation for >> > creating an on-if-available default, move the logic for the definition of >> > CONFIG_CC_STACKPROTECTOR into the Makefile. >> > >> > Cc: Masahiro Yamada <yamada.masahiro@xxxxxxxxxxxxx> >> > Cc: Michal Marek <mmarek@xxxxxxxx> >> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> >> > Cc: Ingo Molnar <mingo@xxxxxxxxxx> >> > Cc: Laura Abbott <labbott@xxxxxxxxxx> >> > Cc: Nicholas Piggin <npiggin@xxxxxxxxx> >> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> >> > Cc: linux-kbuild@xxxxxxxxxxxxxxx >> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> > --- >> > Makefile | 7 +++++-- >> > arch/Kconfig | 8 -------- >> > 2 files changed, 5 insertions(+), 10 deletions(-) >> > >> > diff --git a/Makefile b/Makefile >> > index d1119941261c..e122a9cf0399 100644 >> > --- a/Makefile >> > +++ b/Makefile >> > @@ -688,8 +688,11 @@ else >> > stackp-flag := $(call cc-option, -fno-stack-protector) >> > endif >> > endif >> > -# Find arch-specific stack protector compiler sanity-checking script. >> > -ifdef CONFIG_CC_STACKPROTECTOR >> > +ifdef stackp-name >> > + # If the stack protector has been selected, inform the rest of the build. >> > + KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR >> > + KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR >> > + # Find arch-specific stack protector compiler sanity-checking script. >> > stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh >> > stackp-check := $(wildcard $(stackp-path)) >> > endif >> >> >> I have not tested this series, >> but I think this commit is bad (with the follow-up patch applied). >> >> >> I thought of this scenario: >> >> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO >> >> [2] Kernel is built with a compiler without stack protector support. >> >> [3] CONFIG_CC_STACKPROTECTOR is not defined, >> so __stack_chk_fail() is not compiled. >> >> [4] Out-of-tree modules are compiled with a compiler with >> stack protector support. >> __stack_chk_fail() is inserted to functions of the modules. > > We don't ever support the system of loading a module built with anything > other than the _exact_ same compiler than the kernel was. So this will > not happen (well, if someone tries it, they get to keep the pieces their > kernel image is now in...) > >> [5] insmod fails because reference to __stack_chk_fail() >> can not be resolved. > > Even nicer, we failed "cleanly" :) > > This isn't a real-world issue, sorry. If we wanted a slightly different failure, we could simply add the stack protection feature to the VERMAGIC_STRING define: diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index af6c03f7f986..300163aba666 100644 --- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h @@ -30,11 +30,19 @@ #else #define MODULE_RANDSTRUCT_PLUGIN #endif +#if defined(__SSP__) +#define MODULE_STACKPROTECTOR "stack-protector " +#elif define (__SSP_STRONG__) +#define MODULE_STACKPROTECTOR "stack-protector-strong " +#else +#define MODULE_STACKPROTECTOR "" +#endif #define VERMAGIC_STRING \ UTS_RELEASE " " \ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \ MODULE_ARCH_VERMAGIC \ + MODULE_STACKPROTECTOR \ MODULE_RANDSTRUCT_PLUGIN Do you want me to send this patch, or should we allow it to fail with the "missing reference" (which may actually be more expressive...) I think the way it is right now is better, but I'm open to either. -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html