From patchwork Tue Apr 23 19:49:25 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10913701
Return-Path: 
 <kernel-hardening-return-15748-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B6BE11390
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 23 Apr 2019 19:50:12 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A60B22853A
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 23 Apr 2019 19:50:12 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 964622862D; Tue, 23 Apr 2019 19:50:12 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham
	version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id B4ED22853A
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 23 Apr 2019 19:50:11 +0000 (UTC)
Received: (qmail 13675 invoked by uid 550); 23 Apr 2019 19:49:46 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 13570 invoked from network); 23 Apr 2019 19:49:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=c1yvrTp26kS5NawWcZJOQE+ZT11RXDj4zCYzH5JQkb4=;
        b=gBarm0KyqlLBbUD5hPMVInIA8uyoBUU1s9w2XhxSa/TdXy16ac3S9zPTiwpec0Xjxh
         k2iBIMrLqWyOdZQO+VJ42jdLCmpOKyo2RFhUC/3BwQP8xCGDY8M5Cj2Qr/GejGmlSTGx
         /z6ix2Imuf0FkqRjO5mbUmWJ6wVb5RlU8tdLU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=c1yvrTp26kS5NawWcZJOQE+ZT11RXDj4zCYzH5JQkb4=;
        b=M1rcrnrMyEFR5AgjMKn2RSQuB+q0GxKs48T+mLSam6VmTVDQmXPZbo7eHIjYIV5h2p
         Fu9SI51jJMB/kI+qDQhX+lgMtNI8tRAwM3T5NFma5pQmeJvAj7bzF7EN21e+ZpVDF6D3
         cXS44kQVgxogffFGDiSz97h4sYJgR6Hh6fFeGwHvhkw+wQ/H90UlWhsDd/jPVhvF0qmO
         4B3hWT5D3dZg8GI+mt9Ky4U4s/cAhmEDYu7wz0AkX3DcME67xzEgHEEsCXtQxxaZbP+1
         W8ZwDItosUKQtR/X+M/2CWXioagNxB2S+uoSrm4aXv1a516Arvg+cbKICKAemmgZsTB6
         NHyw==
X-Gm-Message-State: APjAAAWJtqtvrkBgq8oD6sYKc9eXkbrCZxcWe66M5XfifBv0vvvaeNkw
	H5tgKR+7HltY3p78d51es49UTA==
X-Google-Smtp-Source: 
 APXvYqzZKSGP0Gr7+//KabyT7/cEXmI45ZXQ8jFT1mTgjiC3sDJ9jp6sUQnfstuFJi2ylQJ0ftTsgg==
X-Received: by 2002:a63:1d45:: with SMTP id d5mr9916626pgm.184.1556048972642;
        Tue, 23 Apr 2019 12:49:32 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	Masahiro Yamada <yamada.masahiro@socionext.com>,
	James Morris <jmorris@namei.org>,
	Alexander Popov <alex.popov@linux.com>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Kostya Serebryany <kcc@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Sandeep Patil <sspatil@android.com>,
	Laura Abbott <labbott@redhat.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Emese Revfy <re.emese@gmail.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: [PATCH v3 3/3] security: Implement Clang's stack initialization
Date: Tue, 23 Apr 2019 12:49:25 -0700
Message-Id: <20190423194925.32151-4-keescook@chromium.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190423194925.32151-1-keescook@chromium.org>
References: <20190423194925.32151-1-keescook@chromium.org>
X-Virus-Scanned: ClamAV using ClamSMTP

CONFIG_INIT_STACK_ALL turns on stack initialization based on
-ftrivial-auto-var-init in Clang builds, which has greater coverage
than CONFIG_GCC_PLUGINS_STRUCTLEAK_BYREF_ALL.

-ftrivial-auto-var-init Clang option provides trivial initializers for
uninitialized local variables, variable fields and padding.

It has three possible values:
  pattern - uninitialized locals are filled with a fixed pattern
    (mostly 0xAA on 64-bit platforms, see https://reviews.llvm.org/D54604
    for more details, but 0x000000AA for 32-bit pointers) likely to cause
    crashes when uninitialized value is used;
  zero (it's still debated whether this flag makes it to the official
    Clang release) - uninitialized locals are filled with zeroes;
  uninitialized (default) - uninitialized locals are left intact.

This patch uses only the "pattern" mode when CONFIG_INIT_STACK_ALL is
enabled.

Developers have the possibility to opt-out of this feature on a
per-variable basis by using __attribute__((uninitialized)), but such
use should be well justified in comments.

Co-developed-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 Makefile                   |  5 +++++
 security/Kconfig.hardening | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/Makefile b/Makefile
index c0a34064c574..a7d9c6cd0267 100644
--- a/Makefile
+++ b/Makefile
@@ -745,6 +745,11 @@ KBUILD_CFLAGS	+= -fomit-frame-pointer
 endif
 endif
 
+# Initialize all stack variables with a pattern, if desired.
+ifdef CONFIG_INIT_STACK_ALL
+KBUILD_CFLAGS	+= -ftrivial-auto-var-init=pattern
+endif
+
 DEBUG_CFLAGS	:= $(call cc-option, -fno-var-tracking-assignments)
 
 ifdef CONFIG_DEBUG_INFO
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index a96d4a43ca65..0a1d4ca314f4 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -18,9 +18,13 @@ config GCC_PLUGIN_STRUCTLEAK
 
 menu "Memory initialization"
 
+config CC_HAS_AUTO_VAR_INIT
+	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
+
 choice
 	prompt "Initialize kernel stack variables at function entry"
 	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
+	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
 	default INIT_STACK_NONE
 	help
 	  This option enables initialization of stack variables at
@@ -76,6 +80,16 @@ choice
 		  of uninitialized stack variable exploits and information
 		  exposures.
 
+	config INIT_STACK_ALL
+		bool "0xAA-init everything on the stack (strongest)"
+		depends on CC_HAS_AUTO_VAR_INIT
+		help
+		  Initializes everything on the stack with a 0xAA
+		  pattern. This is intended to eliminate all classes
+		  of uninitialized stack variable exploits and information
+		  exposures, even variables that were warned to have been
+		  left uninitialized.
+
 endchoice
 
 config GCC_PLUGIN_STRUCTLEAK_VERBOSE