
Commit f0865810 authored by Kees Cook, committed by Nick Desaulniers

UPSTREAM: hardening: Clarify Kconfig text for auto-var-init



Clarify the details around the automatic variable initialization modes
available. Specifically this details the values used for pattern init
and expands on the rationale for zero init safety. Additionally makes
zero init the default when available.

Cc: glider@google.com
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: linux-security-module@vger.kernel.org
Cc: clang-built-linux@googlegroups.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
(cherry picked from commit dcb7c0b9461c2a30f6616262736daac6f01ecb09)
Change-Id: Id2a3b2b2953677e29e6deb931350b04091474b08
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
parent 07228609
+32 −20
@@ -29,6 +29,7 @@ choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
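Review bot: the new `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN` line is gated on the wrong capability; INIT_STACK_ALL_ZERO itself declares `depends on CC_HAS_AUTO_VAR_INIT_ZERO` further down in this file, so the default condition and the option's dependency disagree. With a compiler that has one of the two modes but not the other, the default either names an option that cannot be selected or is never applied at all, and the choice silently drops to the next default rather than the zero-init mode the commit message says it is making the default. Suggest `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO` so the default tracks the same symbol the option depends on.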
@@ -39,11 +40,11 @@ choice
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  uninitialized variables. The selected class of variable will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic initialization (weakest)"
		bool "no automatic stack variable initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
@@ -80,7 +81,7 @@ choice
		  and is disallowed.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init anything passed by reference (very strong)"
		bool "zero-init everything passed by reference (very strong)"
		depends on GCC_PLUGINS
		depends on !(KASAN && KASAN_STACK=1)
		select GCC_PLUGIN_STRUCTLEAK
@@ -91,33 +92,44 @@ choice
		  of uninitialized stack variable exploits and information
		  exposures.

		  As a side-effect, this keeps a lot of variables on the
		  stack that can otherwise be optimized out, so combining
		  this with CONFIG_KASAN_STACK can lead to a stack overflow
		  and is disallowed.

	config INIT_STACK_ALL_PATTERN
		bool "0xAA-init everything on the stack (strongest)"
		bool "pattern-init everything (strongest)"
		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
		help
		  Initializes everything on the stack with a 0xAA
		  pattern. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures, even variables that were warned to have been
		  left uninitialized.
		  Initializes everything on the stack (including padding)
		  with a specific debug value. This is intended to eliminate
		  all classes of uninitialized stack variable exploits and
		  information exposures, even variables that were warned about
		  having been left uninitialized.

		  Pattern initialization is known to provoke many existing bugs
		  related to uninitialized locals, e.g. pointers receive
		  non-NULL values, buffer sizes and indices are very big.
		  non-NULL values, buffer sizes and indices are very big. The
		  pattern is situation-specific; Clang on 64-bit uses 0xAA
		  repeating for all types and padding except float and double
		  which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
		  repeating for all types and padding.

	config INIT_STACK_ALL_ZERO
		bool "zero-init everything on the stack (strongest and safest)"
		bool "zero-init everything (strongest and safest)"
		depends on CC_HAS_AUTO_VAR_INIT_ZERO
		help
		  Initializes everything on the stack with a zero
		  value. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures, even variables that were warned to have been
		  left uninitialized.

		  Zero initialization provides safe defaults for strings,
		  pointers, indices and sizes, and is therefore
		  more suitable as a security mitigation measure.
		  Initializes everything on the stack (including padding)
		  with a zero value. This is intended to eliminate all
		  classes of uninitialized stack variable exploits and
		  information exposures, even variables that were warned
		  about having been left uninitialized.

		  Zero initialization provides safe defaults for strings
		  (immediately NUL-terminated), pointers (NULL), indices
		  (index 0), and sizes (0 length), so it is therefore more
		  suitable as a production security mitigation than pattern
		  initialization.

endchoice
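Review bot: the INIT_STACK_ALL_PATTERN help text now hard-codes compiler implementation details (0xAA repeating on 64-bit, 0xFF repeating for float/double, 0xFF repeating for everything on 32-bit) right after calling the pattern "situation-specific"; these values are a Clang choice and can change between compiler versions, so the help text will go stale with no Kconfig change to flag it. Suggest qualifying the sentence with the compiler and version it was checked against, or stating only that the pattern is chosen by the compiler to be an invalid pointer, a huge size and a NaN, and leaving the exact bytes to the compiler documentation. On the same hunk, the menu labels are now "(very strong)", "(strongest)" and "(strongest and safest)" for three different options; since zero-init is being made the default, consider labelling pattern-init as the debugging mode ("strongest, for finding bugs") so users picking from the menu are not steered to it by the word "strongest".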