Loading Documentation/dontdiff +2 −0 Original line number Diff line number Diff line Loading @@ -207,6 +207,8 @@ r200_reg_safe.h r300_reg_safe.h r420_reg_safe.h r600_reg_safe.h randomize_layout_hash.h randomize_layout_seed.h recordmcount relocs rlim_names.h Loading arch/Kconfig +40 −1 Original line number Diff line number Diff line Loading @@ -425,7 +425,7 @@ config GCC_PLUGIN_STRUCTLEAK bool "Force initialization of variables containing userspace addresses" depends on GCC_PLUGINS help This plugin zero-initializes any structures that containing a This plugin zero-initializes any structures containing a __user attribute. This can prevent some classes of information exposures. Loading @@ -443,6 +443,45 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. config GCC_PLUGIN_RANDSTRUCT bool "Randomize layout of sensitive kernel structures" depends on GCC_PLUGINS select MODVERSIONS if MODULES help If you say Y here, the layouts of structures explicitly marked by __randomize_layout will be randomized at compile-time. This can introduce the requirement of an additional information exposure vulnerability for exploits targeting these structure types. Enabling this feature will introduce some performance impact, slightly increase memory usage, and prevent the use of forensic tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation). The seed used for compilation is located at scripts/gcc-plgins/randomize_layout_seed.h. It remains after a make clean to allow for external modules to be compiled with the existing seed and will be removed by a make mrproper or make distclean. Note that the implementation requires gcc 4.7 or newer. This plugin was ported from grsecurity/PaX. More information at: * https://grsecurity.net/ * https://pax.grsecurity.net/ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE bool "Use cacheline-aware structure randomization" depends on GCC_PLUGIN_RANDSTRUCT depends on !COMPILE_TEST help If you say Y here, the RANDSTRUCT randomization will make a best effort at restricting randomization to cacheline-sized groups of elements. It will further not randomize bitfields in structures. This reduces the performance hit of RANDSTRUCT at the cost of weakened randomization. config HAVE_CC_STACKPROTECTOR bool help Loading arch/arm/include/asm/assembler.h +2 −0 Original line number Diff line number Diff line Loading @@ -87,6 +87,8 @@ #define CALGN(code...) #endif #define IMM12_MASK 0xfff /* * Enable and disable interrupts */ Loading arch/arm/kernel/entry-armv.S +4 −1 Original line number Diff line number Diff line Loading @@ -797,7 +797,10 @@ ENTRY(__switch_to) #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) ldr r7, [r2, #TI_TASK] ldr r8, =__stack_chk_guard ldr r7, [r7, #TSK_STACK_CANARY] .if (TSK_STACK_CANARY > IMM12_MASK) add r7, r7, #TSK_STACK_CANARY & ~IMM12_MASK .endif ldr r7, [r7, #TSK_STACK_CANARY & IMM12_MASK] #endif #ifdef CONFIG_CPU_USE_DOMAINS mcr p15, 0, r6, c3, c0, 0 @ Set domain register Loading arch/arm/mm/proc-macros.S +4 −6 Original line number Diff line number Diff line Loading @@ -25,11 +25,6 @@ ldr \rd, [\rn, #VMA_VM_FLAGS] .endm .macro tsk_mm, rd, rn ldr \rd, [\rn, #TI_TASK] ldr \rd, [\rd, #TSK_ACTIVE_MM] .endm /* * act_mm - get current->active_mm */ Loading @@ -37,7 +32,10 @@ bic \rd, sp, #8128 bic \rd, \rd, #63 ldr \rd, [\rd, #TI_TASK] ldr \rd, [\rd, #TSK_ACTIVE_MM] .if (TSK_ACTIVE_MM > IMM12_MASK) add \rd, \rd, #TSK_ACTIVE_MM & ~IMM12_MASK .endif ldr \rd, [\rd, #TSK_ACTIVE_MM & IMM12_MASK] .endm /* Loading Loading
Documentation/dontdiff +2 −0 Original line number Diff line number Diff line Loading @@ -207,6 +207,8 @@ r200_reg_safe.h r300_reg_safe.h r420_reg_safe.h r600_reg_safe.h randomize_layout_hash.h randomize_layout_seed.h recordmcount relocs rlim_names.h Loading
arch/Kconfig +40 −1 Original line number Diff line number Diff line Loading @@ -425,7 +425,7 @@ config GCC_PLUGIN_STRUCTLEAK bool "Force initialization of variables containing userspace addresses" depends on GCC_PLUGINS help This plugin zero-initializes any structures that containing a This plugin zero-initializes any structures containing a __user attribute. This can prevent some classes of information exposures. Loading @@ -443,6 +443,45 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. config GCC_PLUGIN_RANDSTRUCT bool "Randomize layout of sensitive kernel structures" depends on GCC_PLUGINS select MODVERSIONS if MODULES help If you say Y here, the layouts of structures explicitly marked by __randomize_layout will be randomized at compile-time. This can introduce the requirement of an additional information exposure vulnerability for exploits targeting these structure types. Enabling this feature will introduce some performance impact, slightly increase memory usage, and prevent the use of forensic tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation). The seed used for compilation is located at scripts/gcc-plgins/randomize_layout_seed.h. It remains after a make clean to allow for external modules to be compiled with the existing seed and will be removed by a make mrproper or make distclean. Note that the implementation requires gcc 4.7 or newer. This plugin was ported from grsecurity/PaX. More information at: * https://grsecurity.net/ * https://pax.grsecurity.net/ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE bool "Use cacheline-aware structure randomization" depends on GCC_PLUGIN_RANDSTRUCT depends on !COMPILE_TEST help If you say Y here, the RANDSTRUCT randomization will make a best effort at restricting randomization to cacheline-sized groups of elements. It will further not randomize bitfields in structures. This reduces the performance hit of RANDSTRUCT at the cost of weakened randomization. config HAVE_CC_STACKPROTECTOR bool help Loading
arch/arm/include/asm/assembler.h +2 −0 Original line number Diff line number Diff line Loading @@ -87,6 +87,8 @@ #define CALGN(code...) #endif #define IMM12_MASK 0xfff /* * Enable and disable interrupts */ Loading
arch/arm/kernel/entry-armv.S +4 −1 Original line number Diff line number Diff line Loading @@ -797,7 +797,10 @@ ENTRY(__switch_to) #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) ldr r7, [r2, #TI_TASK] ldr r8, =__stack_chk_guard ldr r7, [r7, #TSK_STACK_CANARY] .if (TSK_STACK_CANARY > IMM12_MASK) add r7, r7, #TSK_STACK_CANARY & ~IMM12_MASK .endif ldr r7, [r7, #TSK_STACK_CANARY & IMM12_MASK] #endif #ifdef CONFIG_CPU_USE_DOMAINS mcr p15, 0, r6, c3, c0, 0 @ Set domain register Loading
arch/arm/mm/proc-macros.S +4 −6 Original line number Diff line number Diff line Loading @@ -25,11 +25,6 @@ ldr \rd, [\rn, #VMA_VM_FLAGS] .endm .macro tsk_mm, rd, rn ldr \rd, [\rn, #TI_TASK] ldr \rd, [\rd, #TSK_ACTIVE_MM] .endm /* * act_mm - get current->active_mm */ Loading @@ -37,7 +32,10 @@ bic \rd, sp, #8128 bic \rd, \rd, #63 ldr \rd, [\rd, #TI_TASK] ldr \rd, [\rd, #TSK_ACTIVE_MM] .if (TSK_ACTIVE_MM > IMM12_MASK) add \rd, \rd, #TSK_ACTIVE_MM & ~IMM12_MASK .endif ldr \rd, [\rd, #TSK_ACTIVE_MM & IMM12_MASK] .endm /* Loading
