kconfig: force INIT_STACK_NONE
This commit is contained in:
parent
94613113f5
commit
f9fc42fa93
@ -34,83 +34,14 @@ config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
|
|||||||
config CC_HAS_AUTO_VAR_INIT_ZERO
|
config CC_HAS_AUTO_VAR_INIT_ZERO
|
||||||
def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
|
def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
|
||||||
|
|
||||||
choice
|
config INIT_STACK_NONE
|
||||||
prompt "Initialize kernel stack variables at function entry"
|
bool "no automatic initialization (weakest)"
|
||||||
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
|
default y
|
||||||
default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
|
|
||||||
default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
|
|
||||||
default INIT_STACK_NONE
|
|
||||||
help
|
help
|
||||||
This option enables initialization of stack variables at
|
Disable automatic stack variable initialization.
|
||||||
function entry time. This has the possibility to have the
|
This leaves the kernel vulnerable to the standard
|
||||||
greatest coverage (since all functions can have their
|
classes of uninitialized stack variable exploits
|
||||||
variables initialized), but the performance impact depends
|
and information exposures.
|
||||||
on the function calling complexity of a given workload's
|
|
||||||
syscalls.
|
|
||||||
|
|
||||||
This chooses the level of coverage over classes of potentially
|
|
||||||
uninitialized variables. The selected class of variable will be
|
|
||||||
initialized before use in a function.
|
|
||||||
|
|
||||||
config INIT_STACK_NONE
|
|
||||||
bool "no automatic stack variable initialization (weakest)"
|
|
||||||
help
|
|
||||||
Disable automatic stack variable initialization.
|
|
||||||
This leaves the kernel vulnerable to the standard
|
|
||||||
classes of uninitialized stack variable exploits
|
|
||||||
and information exposures.
|
|
||||||
|
|
||||||
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
|
||||||
bool "zero-init everything passed by reference (very strong)"
|
|
||||||
depends on GCC_PLUGINS
|
|
||||||
select GCC_PLUGIN_STRUCTLEAK
|
|
||||||
help
|
|
||||||
Zero-initialize any stack variables that may be passed
|
|
||||||
by reference and had not already been explicitly
|
|
||||||
initialized. This is intended to eliminate all classes
|
|
||||||
of uninitialized stack variable exploits and information
|
|
||||||
exposures.
|
|
||||||
|
|
||||||
As a side-effect, this keeps a lot of variables on the
|
|
||||||
stack that can otherwise be optimized out, so combining
|
|
||||||
this with CONFIG_KASAN_STACK can lead to a stack overflow
|
|
||||||
and is disallowed.
|
|
||||||
|
|
||||||
config INIT_STACK_ALL_PATTERN
|
|
||||||
bool "pattern-init everything (strongest)"
|
|
||||||
depends on CC_HAS_AUTO_VAR_INIT_PATTERN
|
|
||||||
help
|
|
||||||
Initializes everything on the stack (including padding)
|
|
||||||
with a specific debug value. This is intended to eliminate
|
|
||||||
all classes of uninitialized stack variable exploits and
|
|
||||||
information exposures, even variables that were warned about
|
|
||||||
having been left uninitialized.
|
|
||||||
|
|
||||||
Pattern initialization is known to provoke many existing bugs
|
|
||||||
related to uninitialized locals, e.g. pointers receive
|
|
||||||
non-NULL values, buffer sizes and indices are very big. The
|
|
||||||
pattern is situation-specific; Clang on 64-bit uses 0xAA
|
|
||||||
repeating for all types and padding except float and double
|
|
||||||
which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
|
|
||||||
repeating for all types and padding.
|
|
||||||
|
|
||||||
config INIT_STACK_ALL_ZERO
|
|
||||||
bool "zero-init everything (strongest and safest)"
|
|
||||||
depends on CC_HAS_AUTO_VAR_INIT_ZERO
|
|
||||||
help
|
|
||||||
Initializes everything on the stack (including padding)
|
|
||||||
with a zero value. This is intended to eliminate all
|
|
||||||
classes of uninitialized stack variable exploits and
|
|
||||||
information exposures, even variables that were warned
|
|
||||||
about having been left uninitialized.
|
|
||||||
|
|
||||||
Zero initialization provides safe defaults for strings
|
|
||||||
(immediately NUL-terminated), pointers (NULL), indices
|
|
||||||
(index 0), and sizes (0 length), so it is therefore more
|
|
||||||
suitable as a production security mitigation than pattern
|
|
||||||
initialization.
|
|
||||||
|
|
||||||
endchoice
|
|
||||||
|
|
||||||
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
||||||
bool "Report forcefully initialized variables"
|
bool "Report forcefully initialized variables"
|
||||||
|
Loading…
Reference in New Issue
Block a user