From patchwork Fri Jun 28 12:37:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 168075 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp3649178ilk; Fri, 28 Jun 2019 05:39:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqx+z6MHbh4PCfcXh6bNzNWV3qNHjecEv3i1Uz+/omyxRotST6qH7un/e5oV/rss7JheGlAx X-Received: by 2002:a17:902:968c:: with SMTP id n12mr11942799plp.59.1561725578994; Fri, 28 Jun 2019 05:39:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561725578; cv=none; d=google.com; s=arc-20160816; b=tboJ1/3fHNLJwt6X4tARu26O8n5uysal/cKz++j4YlCushwSDdilxhujY3RmJSM0as KJMoIiC+WvwenkS8Mbk6ujvVYO+k+84hbNApMhkCPSaEtUaK6iuKN5KyfUZ0CzU2r0Jc 4qnNKc2wpsQLrKaDnno9KU9MR4ra5GkD5l6wxzRTqcdBwkEDZDK4ck7+UM8Xu8KOpt9z RfZlKOLP9EerJ2NZ6FzOWDH5FucketqAUVXX3rSssYN0iMFMWnFp2v/JRaQ7zZQOCTsZ 0IFvyixv8AYWrFZIfFfil6VJs3ObPpfPq6hLPDm/ukiBQZ0es5OHKzkEpimv/A3cMqcZ Uh9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=nff3XZWiPJ+iGq+oeWxQOPy25dfAmAdQcpKfoOitJoU=; b=rc/jzQN74ISvpYBN0ekpKc7uXsejY9oE0S4R9CTNoqulh2sAZ63xJieeqLWlpPalbz RS9ejdzDx5UBeDqigOdmnexiOE6iHqTqH7ixJmQXzoCWAfo3W8JnNublchDYRk+krAcz d4M+CrLPxy9arm5m8u84gJPu2toeIQFU0SKq9phegzNeUDrzqf5MuM+WeX0D2r2NpBCv ykFxe59YEBTdAQ2zSo8eJlqXR0A7+8inpRa3aPXuTrdnjazlIIvzkOPQ5PcQJu2sTJsP /aHSkQPgB8HHZzCbVGxKecq1eZT/KkRdh70oDtNPwTW/ujPE3POvUwVRGCHW2/DiaY21 lt3A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h1si2085141pld.439.2019.06.28.05.39.38; Fri, 28 Jun 2019 05:39:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727084AbfF1Mjh (ORCPT + 30 others); Fri, 28 Jun 2019 08:39:37 -0400 Received: from mout.kundenserver.de ([217.72.192.75]:58439 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726675AbfF1Mjg (ORCPT ); Fri, 28 Jun 2019 08:39:36 -0400 Received: from threadripper.lan ([149.172.19.189]) by mrelayeu.kundenserver.de (mreue109 [212.227.15.145]) with ESMTPA (Nemesis) id 1MSbp1-1i9oCT1Vaz-00Syc4; Fri, 28 Jun 2019 14:38:36 +0200 From: Arnd Bergmann To: Kees Cook , James Morris , "Serge E. Hallyn" Cc: James Smart , Dick Kennedy , "James E . J . Bottomley" , "Martin K . Petersen" , Larry Finger , Florian Schilhabel , Greg Kroah-Hartman , "David S . Miller" , Wensong Zhang , Simon Horman , Julian Anastasov , Pablo Neira Ayuso , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, Ard Biesheuvel , Arnd Bergmann , Masahiro Yamada , Alexander Potapenko , Andrew Morton , Michal Hocko , Thomas Gleixner , linux-security-module@vger.kernel.org Subject: [PATCH 1/4] [v2] structleak: disable STRUCTLEAK_BYREF in combination with KASAN_STACK Date: Fri, 28 Jun 2019 14:37:46 +0200 Message-Id: <20190628123819.2785504-1-arnd@arndb.de> X-Mailer: git-send-email 2.20.0 MIME-Version: 1.0 X-Provags-ID: V03:K1:Vyv7hDWAtsub/JNqLOHsg4FkzINNTOEYL230tDKN/RItqenQapP gyiBCpoLRRoTqs8Tv2p30vIpq0szU20cz8WHVZAjO+wDA1cj9+wZTfO8K4w5U23pnLNweti UywkJH8BUfN6F1OQXF9XsDDZcZtuJH4mRwHl7vS8Crfb6pptLcNlGI4ZF0Y6qEGx/xprLOw 3JJuBgcheAN7frqGyD/ng== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1; V03:K0:hCq8JItJh8A=:onuXm76BFuVcDFqRETOYkg MtmPnl8+G4vcDKCWOcOBqIwlOGi23HDTrEy1N2iM59a8glWED6at9+xN5y070TSqE0F74f5Bp SG6oYbbB8UDm3jlsYCu4oElgMn80THtjNnFdcKdCHyaBlaVtvkU7NCXkVh4O/2jppR3D8tSbB NhDDlCDWofUbrSnIF7sbuz/JZwrrOo30UDP6JD6l+8gLfCwjR9RBtMUh76ESFfy9vUGaqlpI2 x5QNSlqT2uFQ8CtPKhaBorUssjMKG1C3Jzz1ivMBDLDCkEKN3/rJ16yRUjtNVoKzVJCFy9/vM Njg89iGc2HhaQR9EElUOXKdNypG2lkuoixugjYhI+FEsRi6J6jPqAgL/GsRD+wj5NYVan393T x/OJDB1MtoCErAkNCeQtN+S4UZlTsGP/neFdqAG/RcsdcjktiPUZhw9PWKzHHOZ17Erp1lF+K HHIuvo3LVNWSCKk2Db2RWCYWSroITpsS5zUZMvNj0yC/Cmurp81cwCXsVe6RzlNoBKUkqtnau t6uOPEhloDMMgxKksXBitbTPaG4vSVZnHSLStJRfV67Xk+LtyIHrrvU+5Koezdsypn457AiF4 8GnQKZWviq2xLyRkSPaTL2o5G9ohCYKa6AwRDJpsMLVj30s09byWPoS+7O8pdcH4N2CbOLlag XOaT19Ih6zHEsveSXAncAy+o55MhMno3iNzFdCME5MQ9sQOSBSTXNdD9W9fUEzNCrw83/TIFK 4Pu9RqEacN2PYZhmmiTscWmrBRdsNgqikx+SQA== Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The combination of KASAN_STACK and GCC_PLUGIN_STRUCTLEAK_BYREF leads to much larger kernel stack usage, as seen from the warnings about functions that now exceed the 2048 byte limit: drivers/media/i2c/tvp5150.c:253:1: error: the frame size of 3936 bytes is larger than 2048 bytes drivers/media/tuners/r820t.c:1327:1: error: the frame size of 2816 bytes is larger than 2048 bytes drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c:16552:1: error: the frame size of 3144 bytes is larger than 2048 bytes [-Werror=frame-larger-than=] fs/ocfs2/aops.c:1892:1: error: the frame size of 2088 bytes is larger than 2048 bytes fs/ocfs2/dlm/dlmrecovery.c:737:1: error: the frame size of 2088 bytes is larger than 2048 bytes fs/ocfs2/namei.c:1677:1: error: the frame size of 2584 bytes is larger than 2048 bytes fs/ocfs2/super.c:1186:1: error: the frame size of 2640 bytes is larger than 2048 bytes fs/ocfs2/xattr.c:3678:1: error: the frame size of 2176 bytes is larger than 2048 bytes net/bluetooth/l2cap_core.c:7056:1: error: the frame size of 2144 bytes is larger than 2048 bytes [-Werror=frame-larger-than=] net/bluetooth/l2cap_core.c: In function 'l2cap_recv_frame': net/bridge/br_netlink.c:1505:1: error: the frame size of 2448 bytes is larger than 2048 bytes net/ieee802154/nl802154.c:548:1: error: the frame size of 2232 bytes is larger than 2048 bytes net/wireless/nl80211.c:1726:1: error: the frame size of 2224 bytes is larger than 2048 bytes net/wireless/nl80211.c:2357:1: error: the frame size of 4584 bytes is larger than 2048 bytes net/wireless/nl80211.c:5108:1: error: the frame size of 2760 bytes is larger than 2048 bytes net/wireless/nl80211.c:6472:1: error: the frame size of 2112 bytes is larger than 2048 bytes The structleak plugin was previously disabled for CONFIG_COMPILE_TEST, but meant we missed some bugs, so this time we should address them. The frame size warnings are distracting, and risking a kernel stack overflow is generally not beneficial to performance, so it may be best to disallow that particular combination. This can be done by turning off either one. I picked the dependency in GCC_PLUGIN_STRUCTLEAK_BYREF and GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, as this option is designed to make uninitialized stack usage less harmful when enabled on its own, but it also prevents KASAN from detecting those cases in which it was in fact needed. KASAN_STACK is currently implied by KASAN on gcc, but could be made a user selectable option if we want to allow combining (non-stack) KASAN with GCC_PLUGIN_STRUCTLEAK_BYREF. Note that it would be possible to specifically address the files that print the warning, but presumably the overall stack usage is still significantly higher than in other configurations, so this would not address the full problem. I could not test this with CONFIG_INIT_STACK_ALL, which may or may not suffer from a similar problem. Fixes: 81a56f6dcd20 ("gcc-plugins: structleak: Generalize to all variable types") Signed-off-by: Arnd Bergmann --- [v2] do it for both GCC_PLUGIN_STRUCTLEAK_BYREF and GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. --- security/Kconfig.hardening | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.20.0 Acked-by: Kees Cook diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index a1ffe2eb4d5f..af4c979b38ee 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -61,6 +61,7 @@ choice config GCC_PLUGIN_STRUCTLEAK_BYREF bool "zero-init structs passed by reference (strong)" depends on GCC_PLUGINS + depends on !(KASAN && KASAN_STACK=1) select GCC_PLUGIN_STRUCTLEAK help Zero-initialize any structures on the stack that may @@ -70,9 +71,15 @@ choice exposures, like CVE-2017-1000410: https://git.kernel.org/linus/06e7e776ca4d3654 + As a side-effect, this keeps a lot of variables on the + stack that can otherwise be optimized out, so combining + this with CONFIG_KASAN_STACK can lead to a stack overflow + and is disallowed. + config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL bool "zero-init anything passed by reference (very strong)" depends on GCC_PLUGINS + depends on !(KASAN && KASAN_STACK=1) select GCC_PLUGIN_STRUCTLEAK help Zero-initialize any stack variables that may be passed