Merge tag 'stackleak-v4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Memory poisoning

Memory poisoning

----------------

----------------

When releasing memory, it is best to poison the contents (clear stack on

When releasing memory, it is best to poison the contents, to avoid reuse

syscall return, wipe heap memory on a free), to avoid reuse attacks that

attacks that rely on the old contents of memory. E.g., clear stack on a

rely on the old contents of memory. This frustrates many uninitialized

syscall return (``CONFIG_GCC_PLUGIN_STACKLEAK``), wipe heap memory on a

variable attacks, stack content exposures, heap content exposures, and

free. This frustrates many uninitialized variable attacks, stack content

use-after-free attacks.

exposures, heap content exposures, and use-after-free attacks.

Destination tracking

Destination tracking

--------------------

--------------------

- shmmni

- shmmni

- softlockup_all_cpu_backtrace

- softlockup_all_cpu_backtrace

- soft_watchdog

- soft_watchdog

- stack_erasing

- stop-a                      [ SPARC only ]

- stop-a                      [ SPARC only ]

- sysrq                       ==> Documentation/admin-guide/sysrq.rst

- sysrq                       ==> Documentation/admin-guide/sysrq.rst

- sysctl_writes_strict

- sysctl_writes_strict

==============================================================

==============================================================

stack_erasing

This parameter can be used to control kernel stack erasing at the end

of syscalls for kernels built with CONFIG_GCC_PLUGIN_STACKLEAK.

That erasing reduces the information which kernel stack leak bugs

can reveal and blocks some uninitialized stack variable attacks.

The tradeoff is the performance impact: on a single CPU system kernel

compilation sees a 1% slowdown, other systems and workloads may vary.

  0: kernel stack erasing is disabled, STACKLEAK_METRICS are not updated.

  1: kernel stack erasing is enabled (default), it is performed before

     returning to the userspace at the end of syscalls.

==============================================================

tainted:

tainted:

Non-zero if the kernel has been tainted. Numeric values, which can be

Non-zero if the kernel has been tainted. Numeric values, which can be

Be very careful vs. KASLR when changing anything here. The KASLR address

Be very careful vs. KASLR when changing anything here. The KASLR address

range must not overlap with anything except the KASAN shadow area, which is

range must not overlap with anything except the KASAN shadow area, which is

correct as KASAN disables KASLR.

correct as KASAN disables KASLR.

For both 4- and 5-level layouts, the STACKLEAK_POISON value in the last 2MB

hole: ffffffffffff4111

	  See Documentation/userspace-api/seccomp_filter.rst for details.

	  See Documentation/userspace-api/seccomp_filter.rst for details.

config HAVE_ARCH_STACKLEAK

	bool

	help

	  An architecture should select this if it has the code which

	  fills the used part of the kernel stack with the STACKLEAK_POISON

	  value before returning from system calls.

config HAVE_STACKPROTECTOR

config HAVE_STACKPROTECTOR

	bool

	bool

	help

	help

{

{

	current->mm->context.flags = is_compat_task() ? MMCF_AARCH32 : 0;

	current->mm->context.flags = is_compat_task() ? MMCF_AARCH32 : 0;

}

}

#ifdef CONFIG_GCC_PLUGIN_STACKLEAK

void __used stackleak_check_alloca(unsigned long size)

{

	unsigned long stack_left;

	unsigned long current_sp = current_stack_pointer;

	struct stack_info info;

	BUG_ON(!on_accessible_stack(current, current_sp, &info));

	stack_left = current_sp - info.low;

	/*

	 * There's a good chance we're almost out of stack space if this

	 * is true. Using panic() over BUG() is more likely to give

	 * reliable debugging output.

	 */

	if (size >= stack_left)

		panic("alloca() over the kernel stack boundary\n");

}

EXPORT_SYMBOL(stackleak_check_alloca);

#endif