From patchwork Thu Apr 11 18:01:17 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10896583
Return-Path: 
 <kernel-hardening-return-15628-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9B8F91515
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Thu, 11 Apr 2019 18:02:08 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D56528D22
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Thu, 11 Apr 2019 18:02:08 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7D8AC28D84; Thu, 11 Apr 2019 18:02:08 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham
	version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 9FB0A28D22
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Thu, 11 Apr 2019 18:02:07 +0000 (UTC)
Received: (qmail 11861 invoked by uid 550); 11 Apr 2019 18:01:44 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 11725 invoked from network); 11 Apr 2019 18:01:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=3B85ofSIlvxDsMd0QSuvExy6zf6XDf2ci7ySZr6BosA=;
        b=FJxJDmdUpMx20MRWcPf82L+CMoP0+IfWGeSShTYRZwimBL6DOa2bzUzhOyN5iEpEtS
         eSnQtl/o+Go4aEZMdTcjevr2Nmu2tJ/8HRqkSin2ytgPLG8H4v0C86nFIoDN8cz+i87h
         XeXSbBS7IEYhvq1nFhKV5ZJdGKJM+Tt5ix2lc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=3B85ofSIlvxDsMd0QSuvExy6zf6XDf2ci7ySZr6BosA=;
        b=N4qpp1B9NOabAthGJ4h05ffBqyiEiHPNPhfYRO5HWZMnuJKzWM6E7QQzJCApfsnqP4
         JveWMTQi/n2uGPB71NLyQ12Y+ZxGv/vHYkWiZLVzPQD7ebozJykMd3vcQVcuX9CCpgS2
         q+p7hJrY/taVMK4IzEbaxb/N7BtgDuiMG1KnSJe2lyQlTH4UHalH3Awhbv4DG+LYQvnp
         gqzn6zsy8tQDeRhMLqrYNqSAv+TeKDAasm6PA8dP5PdU3BVqeMab8zQP1/pnJ8tbwf3w
         PaZUUFsExWoaaQwmgXACVKsfdjaVGOfuVm/ONgqL6F3tOTFUKl6sai/JYCKSXWKt74+8
         nizQ==
X-Gm-Message-State: APjAAAUbVPbZ+WfzkLC9+5lhNLgsqiLdqOVAExZGUkSn6EJIzXYs43P6
	AoaideeCAgPoriC7hmE3blLq+Q==
X-Google-Smtp-Source: 
 APXvYqzrgSW9n/rdk1KPTN6pGC6tzHDVoxfPJiuwlJuazwnH8VkZvPgrN08LGboEC+mzZV3GQdJpBA==
X-Received: by 2002:a63:4e5b:: with SMTP id
 o27mr48786170pgl.204.1555005686906;
        Thu, 11 Apr 2019 11:01:26 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	Masahiro Yamada <yamada.masahiro@socionext.com>,
	James Morris <jmorris@namei.org>,
	Alexander Popov <alex.popov@linux.com>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Kostya Serebryany <kcc@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Sandeep Patil <sspatil@android.com>,
	Laura Abbott <labbott@redhat.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Emese Revfy <re.emese@gmail.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	kernel-hardening@lists.openwall.com,
	linux-security-module@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/3] security: Implement Clang's stack initialization
Date: Thu, 11 Apr 2019 11:01:17 -0700
Message-Id: <20190411180117.27704-4-keescook@chromium.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190411180117.27704-1-keescook@chromium.org>
References: <20190411180117.27704-1-keescook@chromium.org>
X-Virus-Scanned: ClamAV using ClamSMTP

CONFIG_INIT_STACK_ALL turns on stack initialization based on
-ftrivial-auto-var-init in Clang builds, which has greater coverage
than CONFIG_GCC_PLUGINS_STRUCTLEAK_BYREF_ALL.

-ftrivial-auto-var-init Clang option provides trivial initializers for
uninitialized local variables, variable fields and padding.

It has three possible values:
  pattern - uninitialized locals are filled with a fixed pattern
    (mostly 0xAA on 64-bit platforms, see https://reviews.llvm.org/D54604
    for more details, but 0x000000AA for 32-bit pointers) likely to cause
    crashes when uninitialized value is used;
  zero (it's still debated whether this flag makes it to the official
    Clang release) - uninitialized locals are filled with zeroes;
  uninitialized (default) - uninitialized locals are left intact.

This patch uses only the "pattern" mode when CONFIG_INIT_STACK_ALL is
enabled.

Developers have the possibility to opt-out of this feature on a
per-variable basis by using __attribute__((uninitialized)), but such
use should be well justified in comments.

Co-developed-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Alexander Potapenko <glider@google.com>
---
 Makefile                   |  5 +++++
 security/Kconfig.hardening | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index c0a34064c574..a7d9c6cd0267 100644
--- a/Makefile
+++ b/Makefile
@@ -745,6 +745,11 @@ KBUILD_CFLAGS	+= -fomit-frame-pointer
 endif
 endif
 
+# Initialize all stack variables with a pattern, if desired.
+ifdef CONFIG_INIT_STACK_ALL
+KBUILD_CFLAGS	+= -ftrivial-auto-var-init=pattern
+endif
+
 DEBUG_CFLAGS	:= $(call cc-option, -fno-var-tracking-assignments)
 
 ifdef CONFIG_DEBUG_INFO
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 3dd7a28c3822..5dd61770d3f0 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -18,9 +18,12 @@ config GCC_PLUGIN_STRUCTLEAK
 
 menu "Memory initialization"
 
+config CC_HAS_AUTO_VAR_INIT
+	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
+
 choice
 	prompt "Initialize kernel stack variables at function entry"
-	depends on GCC_PLUGINS
+	depends on CC_HAS_AUTO_VAR_INIT || GCC_PLUGINS
 	default INIT_STACK_NONE
 	help
 	  This option enables initialization of stack variables at
@@ -76,6 +79,16 @@ choice
 		  of uninitialized stack variable exploits and information
 		  exposures.
 
+	config INIT_STACK_ALL
+		bool "0xAA-init everything on the stack (strongest)"
+		depends on CC_HAS_AUTO_VAR_INIT
+		help
+		  Initializes everything on the stack with a 0xAA
+		  pattern. This is intended to eliminate all classes
+		  of uninitialized stack variable exploits and information
+		  exposures, even variables that were warned to have been
+		  left uninitialized.
+
 endchoice
 
 config GCC_PLUGIN_STRUCTLEAK_VERBOSE