diff options
author | Linus Torvalds | 2019-03-09 09:06:15 -0800 |
---|---|---|
committer | Linus Torvalds | 2019-03-09 09:06:15 -0800 |
commit | 2bb995405fe52dd893db57456556e8dc4fce35a7 (patch) | |
tree | 205f798be891b8ede69ea83deb1156ad5d4f2cf5 /scripts | |
parent | a39f009acefd85d3e36bcae828a4e67c9dce9684 (diff) | |
parent | 50ceaa95ea09703722b30b4afa617c972071cd7f (diff) |
Merge tag 'gcc-plugins-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull gcc-plugins updates from Kees Cook:
"This adds additional type coverage to the existing structleak plugin
and adds a large set of selftests to help evaluate stack variable
zero-initialization coverage.
That can be used to test whatever instrumentation might be performing
zero-initialization: either with the structleak plugin or with Clang's
coming "-ftrivial-auto-var-init=zero" option.
Summary:
- Add scalar and array initialization coverage
- Refactor Kconfig to make options more clear
- Add self-test module for testing automatic initialization"
* tag 'gcc-plugins-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
lib: Introduce test_stackinit module
gcc-plugins: structleak: Generalize to all variable types
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Makefile.gcc-plugins | 2 | ||||
-rw-r--r-- | scripts/gcc-plugins/Kconfig | 58 | ||||
-rw-r--r-- | scripts/gcc-plugins/structleak_plugin.c | 36 |
3 files changed, 74 insertions, 22 deletions
diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 35042d96cf5d..5f7df50cfe7a 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -15,6 +15,8 @@ gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so gcc-plugin-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) += structleak_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE) \ += -fplugin-arg-structleak_plugin-verbose +gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF) \ + += -fplugin-arg-structleak_plugin-byref gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL) \ += -fplugin-arg-structleak_plugin-byref-all gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index d9fd9988ef27..74271dba4f94 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig @@ -67,23 +67,59 @@ config GCC_PLUGIN_LATENT_ENTROPY * https://pax.grsecurity.net/ config GCC_PLUGIN_STRUCTLEAK - bool "Force initialization of variables containing userspace addresses" + bool "Zero initialize stack variables" help - This plugin zero-initializes any structures containing a - __user attribute. This can prevent some classes of information - exposures. - - This plugin was ported from grsecurity/PaX. More information at: + While the kernel is built with warnings enabled for any missed + stack variable initializations, this warning is silenced for + anything passed by reference to another function, under the + occasionally misguided assumption that the function will do + the initialization. As this regularly leads to exploitable + flaws, this plugin is available to identify and zero-initialize + such variables, depending on the chosen level of coverage. + + This plugin was originally ported from grsecurity/PaX. More + information at: * https://grsecurity.net/ * https://pax.grsecurity.net/ -config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL - bool "Force initialize all struct type variables passed by reference" +choice + prompt "Coverage" depends on GCC_PLUGIN_STRUCTLEAK - depends on !COMPILE_TEST + default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL help - Zero initialize any struct type local variable that may be passed by - reference without having been initialized. + This chooses the level of coverage over classes of potentially + uninitialized variables. The selected class will be + zero-initialized before use. + + config GCC_PLUGIN_STRUCTLEAK_USER + bool "structs marked for userspace" + help + Zero-initialize any structures on the stack containing + a __user attribute. This can prevent some classes of + uninitialized stack variable exploits and information + exposures, like CVE-2013-2141: + https://git.kernel.org/linus/b9e146d8eb3b9eca + + config GCC_PLUGIN_STRUCTLEAK_BYREF + bool "structs passed by reference" + help + Zero-initialize any structures on the stack that may + be passed by reference and had not already been + explicitly initialized. This can prevent most classes + of uninitialized stack variable exploits and information + exposures, like CVE-2017-1000410: + https://git.kernel.org/linus/06e7e776ca4d3654 + + config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL + bool "anything passed by reference" + help + Zero-initialize any stack variables that may be passed + by reference and had not already been explicitly + initialized. This is intended to eliminate all classes + of uninitialized stack variable exploits and information + exposures. + +endchoice config GCC_PLUGIN_STRUCTLEAK_VERBOSE bool "Report forcefully initialized variables" diff --git a/scripts/gcc-plugins/structleak_plugin.c b/scripts/gcc-plugins/structleak_plugin.c index 10292f791e99..e89be8f5c859 100644 --- a/scripts/gcc-plugins/structleak_plugin.c +++ b/scripts/gcc-plugins/structleak_plugin.c @@ -16,6 +16,7 @@ * Options: * -fplugin-arg-structleak_plugin-disable * -fplugin-arg-structleak_plugin-verbose + * -fplugin-arg-structleak_plugin-byref * -fplugin-arg-structleak_plugin-byref-all * * Usage: @@ -26,7 +27,6 @@ * $ gcc -fplugin=./structleak_plugin.so test.c -O2 * * TODO: eliminate redundant initializers - * increase type coverage */ #include "gcc-common.h" @@ -37,13 +37,18 @@ __visible int plugin_is_GPL_compatible; static struct plugin_info structleak_plugin_info = { - .version = "201607271510vanilla", + .version = "20190125vanilla", .help = "disable\tdo not activate plugin\n" - "verbose\tprint all initialized variables\n", + "byref\tinit structs passed by reference\n" + "byref-all\tinit anything passed by reference\n" + "verbose\tprint all initialized variables\n", }; +#define BYREF_STRUCT 1 +#define BYREF_ALL 2 + static bool verbose; -static bool byref_all; +static int byref; static tree handle_user_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs) { @@ -118,6 +123,7 @@ static void initialize(tree var) gimple_stmt_iterator gsi; tree initializer; gimple init_stmt; + tree type; /* this is the original entry bb before the forced split */ bb = single_succ(ENTRY_BLOCK_PTR_FOR_FN(cfun)); @@ -148,11 +154,15 @@ static void initialize(tree var) if (verbose) inform(DECL_SOURCE_LOCATION(var), "%s variable will be forcibly initialized", - (byref_all && TREE_ADDRESSABLE(var)) ? "byref" - : "userspace"); + (byref && TREE_ADDRESSABLE(var)) ? "byref" + : "userspace"); /* build the initializer expression */ - initializer = build_constructor(TREE_TYPE(var), NULL); + type = TREE_TYPE(var); + if (AGGREGATE_TYPE_P(type)) + initializer = build_constructor(type, NULL); + else + initializer = fold_convert(type, integer_zero_node); /* build the initializer stmt */ init_stmt = gimple_build_assign(var, initializer); @@ -184,13 +194,13 @@ static unsigned int structleak_execute(void) if (!auto_var_in_fn_p(var, current_function_decl)) continue; - /* only care about structure types */ - if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) + /* only care about structure types unless byref-all */ + if (byref != BYREF_ALL && TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) continue; /* if the type is of interest, examine the variable */ if (TYPE_USERSPACE(type) || - (byref_all && TREE_ADDRESSABLE(var))) + (byref && TREE_ADDRESSABLE(var))) initialize(var); } @@ -232,8 +242,12 @@ __visible int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gc verbose = true; continue; } + if (!strcmp(argv[i].key, "byref")) { + byref = BYREF_STRUCT; + continue; + } if (!strcmp(argv[i].key, "byref-all")) { - byref_all = true; + byref = BYREF_ALL; continue; } error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); |