mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-29 17:22:07 +00:00
94 lines
3.3 KiB
Plaintext
menu "Kernel hardening options"

config GCC_PLUGIN_STRUCTLEAK
	bool
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

menu "Memory initialization"

choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
	  function entry time. This has the possibility to have the
	  greatest coverage (since all functions can have their
	  variables initialized), but the performance impact depends
	  on the function calling complexity of a given workload's
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
		  classes of uninitialized stack variable exploits
		  and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "zero-init structs marked for userspace (weak)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "zero-init structs passed by reference (strong)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and had not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init anything passed by reference (very strong)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and had not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

endmenu

endmenu
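
The by-reference case described in the GCC_PLUGIN_STRUCTLEAK help text, as an added userspace model (not kernel code and not part of this Kconfig file): a caller trusts a callee to initialize a stack struct, and the function counts how many stale bytes would be copied out with and without zero-initialization first. The struct, the function names and the 0xAA marker are constructed for illustration; the memset stands in for the zero-initialization the plugin inserts.

```c
#include <stdio.h>
#include <string.h>

#define STALE 0xAA	/* constructed marker standing in for old stack contents */

/* Hypothetical reply structure that would be copied to userspace. */
struct reply {
	unsigned char status;	/* followed by padding on most ABIs */
	unsigned int  length;
	char          name[16];
};

/* Callee the caller trusts to initialize *r. It sets three fields but
 * never touches the padding or the tail of name[]. */
static void fill_reply(struct reply *r)
{
	r->status = 1;
	r->length = 3;
	memcpy(r->name, "eth", 4);
}

/* Models one call. zero_first plays the role of the zero-initialization
 * described for GCC_PLUGIN_STRUCTLEAK_BYREF. Returns the number of stale
 * bytes that would leave the function in the copied-out struct. */
static size_t stale_bytes_exposed(int zero_first)
{
	unsigned char frame[sizeof(struct reply)];
	struct reply r;
	size_t i, n = 0;

	memset(frame, STALE, sizeof(frame));	/* residue of an earlier frame */
	memcpy(&r, frame, sizeof(r));		/* deterministic "uninitialized" r */
	if (zero_first)
		memset(&r, 0, sizeof(r));	/* stand-in for the inserted zero-init */
	fill_reply(&r);				/* passed by reference */
	memcpy(frame, &r, sizeof(r));		/* stand-in for copy_to_user() */
	for (i = 0; i < sizeof(frame); i++)
		n += (frame[i] == STALE);
	return n;
}

int main(void)
{
	printf("stale bytes without zero-init: %zu\n", stale_bytes_exposed(0));
	printf("stale bytes with zero-init:    %zu\n", stale_bytes_exposed(1));
	return 0;
}
```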