| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame^] | 1 | menu "Kernel hardening options" |
| 2 | |
| 3 | config GCC_PLUGIN_STRUCTLEAK |
| 4 | bool |
| 5 | help |
| 6 | While the kernel is built with warnings enabled for any missed |
| 7 | stack variable initializations, this warning is silenced for |
| 8 | anything passed by reference to another function, under the |
| 9 | occasionally misguided assumption that the function will do |
| 10 | the initialization. As this regularly leads to exploitable |
| 11 | flaws, this plugin is available to identify and zero-initialize |
| 12 | such variables, depending on the chosen level of coverage. |
| 13 | |
| 14 | This plugin was originally ported from grsecurity/PaX. More |
| 15 | information at: |
| 16 | * https://grsecurity.net/ |
| 17 | * https://pax.grsecurity.net/ |
| 18 | |
| 19 | menu "Memory initialization" |
| 20 | |
| 21 | choice |
| 22 | prompt "Initialize kernel stack variables at function entry" |
| 23 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS |
| 24 | default INIT_STACK_NONE |
| 25 | help |
| 26 | This option enables initialization of stack variables at |
| 27 | function entry time. This has the possibility to have the |
| 28 | greatest coverage (since all functions can have their |
| 29 | variables initialized), but the performance impact depends |
| 30 | on the function calling complexity of a given workload's |
| 31 | syscalls. |
| 32 | |
| 33 | This chooses the level of coverage over classes of potentially |
| 34 | uninitialized variables. The selected class will be |
| 35 | initialized before use in a function. |
| 36 | |
| 37 | config INIT_STACK_NONE |
| 38 | bool "no automatic initialization (weakest)" |
| 39 | help |
| 40 | Disable automatic stack variable initialization. |
| 41 | This leaves the kernel vulnerable to the standard |
| 42 | classes of uninitialized stack variable exploits |
| 43 | and information exposures. |
| 44 | |
| 45 | config GCC_PLUGIN_STRUCTLEAK_USER |
| 46 | bool "zero-init structs marked for userspace (weak)" |
| 47 | depends on GCC_PLUGINS |
| 48 | select GCC_PLUGIN_STRUCTLEAK |
| 49 | help |
| 50 | Zero-initialize any structures on the stack containing |
| 51 | a __user attribute. This can prevent some classes of |
| 52 | uninitialized stack variable exploits and information |
| 53 | exposures, like CVE-2013-2141: |
| 54 | https://git.kernel.org/linus/b9e146d8eb3b9eca |
| 55 | |
| 56 | config GCC_PLUGIN_STRUCTLEAK_BYREF |
| 57 | bool "zero-init structs passed by reference (strong)" |
| 58 | depends on GCC_PLUGINS |
| 59 | select GCC_PLUGIN_STRUCTLEAK |
| 60 | help |
| 61 | Zero-initialize any structures on the stack that may |
| 62 | be passed by reference and had not already been |
| 63 | explicitly initialized. This can prevent most classes |
| 64 | of uninitialized stack variable exploits and information |
| 65 | exposures, like CVE-2017-1000410: |
| 66 | https://git.kernel.org/linus/06e7e776ca4d3654 |
| 67 | |
| 68 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |
| 69 | bool "zero-init anything passed by reference (very strong)" |
| 70 | depends on GCC_PLUGINS |
| 71 | select GCC_PLUGIN_STRUCTLEAK |
| 72 | help |
| 73 | Zero-initialize any stack variables that may be passed |
| 74 | by reference and had not already been explicitly |
| 75 | initialized. This is intended to eliminate all classes |
| 76 | of uninitialized stack variable exploits and information |
| 77 | exposures. |
| 78 | |
| 79 | endchoice |
| 80 | |
| 81 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE |
| 82 | bool "Report forcefully initialized variables" |
| 83 | depends on GCC_PLUGIN_STRUCTLEAK |
| 84 | depends on !COMPILE_TEST # too noisy |
| 85 | help |
| 86 | This option will cause a warning to be printed each time the |
| 87 | structleak plugin finds a variable it thinks needs to be |
| 88 | initialized. Since not all existing initializers are detected |
| 89 | by the plugin, this can produce false positive warnings. |
| 90 | |
| 91 | endmenu |
| 92 | |
| 93 | endmenu |