From patchwork Sun Feb 6 17:45:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12736624
From: Kees Cook
To: Alexander Popov
Cc: Kees Cook, Peter Zijlstra, Linus Torvalds, Thomas Gleixner, Josh Poimboeuf, Borislav Petkov, Masahiro Yamada, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 1/3] gcc-plugins/stackleak: Provide verbose mode
Date: Sun, 6 Feb 2022 09:45:06 -0800
Message-Id: <20220206174508.2425076-2-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220206174508.2425076-1-keescook@chromium.org>
References: <20220206174508.2425076-1-keescook@chromium.org>
X-Mailing-List: linux-hardening@vger.kernel.org

In order to compare instrumentation between builds, make the verbose mode of the plugin available during the build. This is rarely needed (behind EXPERT) and very noisy (disabled for COMPILE_TEST).

Cc: Alexander Popov
Signed-off-by: Kees Cook --- scripts/Makefile.gcc-plugins | 2 ++ security/Kconfig.hardening | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 1d16ca1b78c9..f67153b260c0 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -37,6 +37,8 @@ gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ += -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE) gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ += -fplugin-arg-stackleak_plugin-arch=$(SRCARCH) +gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) \ + += -fplugin-arg-stackleak_plugin-verbose ifdef CONFIG_GCC_PLUGIN_STACKLEAK DISABLE_STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-disable endif diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index d051f8ceefdd..ded4d7c0d132 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -174,6 +174,16 @@ config GCC_PLUGIN_STACKLEAK * https://grsecurity.net/ * https://pax.grsecurity.net/ +config GCC_PLUGIN_STACKLEAK_VERBOSE + bool "Report stack depth analysis instrumentation" if EXPERT + depends on GCC_PLUGIN_STACKLEAK + depends on !COMPILE_TEST # too noisy + help + This option will cause a warning to be printed each time the + stackleak plugin finds a function it thinks needs to be + instrumented. This is useful for comparing coverage between + builds. + config STACKLEAK_TRACK_MIN_SIZE int "Minimum stack frame size of functions tracked by STACKLEAK" default 100
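Review bot: In the GCC_PLUGIN_STACKLEAK_VERBOSE help text in security/Kconfig.hardening (patch 1/3), "a warning to be printed" leaves open whether the output is a real compiler diagnostic or plain text in the build log. Please say which it is and where it goes: a true warning matters to anyone building with warnings treated as errors, and someone diffing coverage between builds needs to know what to capture. The "# too noisy" comment on the COMPILE_TEST dependency could also say in a few words why the noise is a problem for those builds.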
From: Kees Cook
To: Alexander Popov
Cc: Kees Cook, Peter Zijlstra, Linus Torvalds, Thomas Gleixner, Josh Poimboeuf, Borislav Petkov, Masahiro Yamada, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 2/3] gcc-plugins/stackleak: Exactly match strings instead of prefixes
Date: Sun, 6 Feb 2022 09:45:07 -0800
Message-Id: <20220206174508.2425076-3-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220206174508.2425076-1-keescook@chromium.org>
References: <20220206174508.2425076-1-keescook@chromium.org>
X-Mailing-List: linux-hardening@vger.kernel.org

Since STRING_CST may not be NUL terminated, strncmp() was used to check for equality. However, this may lead to mismatches for longer section names where the start matches the tested-for string. Test for exact equality by checking for the presence of NUL termination.

Cc: Alexander Popov Signed-off-by: Kees Cook --- scripts/gcc-plugins/stackleak_plugin.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c index e9db7dcb3e5f..623bcad6d0c7 100644 --- a/scripts/gcc-plugins/stackleak_plugin.c +++ b/scripts/gcc-plugins/stackleak_plugin.c @@ -429,6 +429,23 @@ static unsigned int stackleak_cleanup_execute(void) return 0; } +/* + * STRING_CST may or may not be NUL terminated: + * https://gcc.gnu.org/onlinedocs/gccint/Constant-expressions.html + */ +static inline bool string_equal(tree node, const char *string, int length) +{ + if (TREE_STRING_LENGTH(node) < length) + return false; + if (TREE_STRING_LENGTH(node) > length + 1) + return false; + if (TREE_STRING_LENGTH(node) == length + 1 && + TREE_STRING_POINTER(node)[length] != '\0') + return false; + return !strncmp(TREE_STRING_POINTER(node), string, length); +} +#define STRING_EQUAL(node, str) string_equal(node, str, strlen(str)) + static bool stackleak_gate(void) { tree section; 
@@ -438,13 +455,13 @@ static bool stackleak_gate(void) if (section && TREE_VALUE(section)) { section = TREE_VALUE(TREE_VALUE(section)); - if (!strncmp(TREE_STRING_POINTER(section), ".init.text", 10)) + if (STRING_EQUAL(section, ".init.text")) return false; - if (!strncmp(TREE_STRING_POINTER(section), ".devinit.text", 13)) + if (STRING_EQUAL(section, ".devinit.text")) return false; - if (!strncmp(TREE_STRING_POINTER(section), ".cpuinit.text", 13)) + if (STRING_EQUAL(section, ".cpuinit.text")) return false; - if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13)) + if (STRING_EQUAL(section, ".meminit.text")) return false; }
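Review bot: In string_equal() (patch 2/3, first hunk), the length parameter is an int while the STRING_EQUAL() macro passes strlen(str), so the value is narrowed silently at every call. An explicit cast in the macro, or passing sizeof(str) - 1 for the literal arguments it is used with, would make the intended width visible and avoid the runtime strlen(). The comment above the helper should also spell out the two node shapes that are accepted (exactly length bytes, or length + 1 bytes with a trailing NUL), because the three length checks are not obvious at a glance, and it should mention that STRING_EQUAL() evaluates str twice.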
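Review bot: In stackleak_gate() (patch 2/3, second hunk), the four strncmp() prefix tests become exact matches, so a section whose name only starts with one of these strings, the case the commit message describes, is now instrumented where it was skipped before. The commit message should say whether any such section exists in a current build and whether instrumenting it is intended, since this is a behaviour change and not only a cleanup.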
From: Kees Cook
To: Alexander Popov
Cc: Kees Cook, Peter Zijlstra, Linus Torvalds, Thomas Gleixner, Josh Poimboeuf, Borislav Petkov, Masahiro Yamada, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 3/3] gcc-plugins/stackleak: Ignore .noinstr.text and .entry.text
Date: Sun, 6 Feb 2022 09:45:08 -0800
Message-Id: <20220206174508.2425076-4-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220206174508.2425076-1-keescook@chromium.org>
References: <20220206174508.2425076-1-keescook@chromium.org>
X-Mailing-List: linux-hardening@vger.kernel.org

The .noinstr.text section functions may not have "current()" sanely available. Similarly true for .entry.text, though such a check is currently redundant. Add a check for both.

In an x86_64 defconfig build, the following functions no longer receive stackleak instrumentation: __do_fast_syscall_32() do_int80_syscall_32() do_machine_check() do_syscall_64() exc_general_protection() fixup_bad_iret() Suggested-by: Peter Zijlstra Cc: Alexander Popov Signed-off-by: Kees Cook --- scripts/gcc-plugins/stackleak_plugin.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c index 623bcad6d0c7..c8dc7fe4f959 100644 --- a/scripts/gcc-plugins/stackleak_plugin.c +++ b/scripts/gcc-plugins/stackleak_plugin.c @@ -463,6 +463,10 @@ static bool stackleak_gate(void) return false; if (STRING_EQUAL(section, ".meminit.text")) return false; + if (STRING_EQUAL(section, ".noinstr.text")) + return false; + if (STRING_EQUAL(section, ".entry.text")) + return false; } return track_frame_size >= 0;
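Review bot: The two new checks in stackleak_gate() for ".noinstr.text" and ".entry.text" (patch 3/3) carry no comment, and the reason for them lives only in the commit message (current() may not be sanely available there). Put that reason in a comment next to the checks, and note there that the .entry.text test is currently redundant, so a later cleanup does not drop the wrong one. With six section names in the chain, a small table of names walked in a loop would keep each future addition to one line.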