From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 18/21] linux: Poison kernel stack before returning from syscalls
Date: Mon, 26 Dec 2022 19:30:34 +0000
Message-ID: <0d75d16c-8e27-f49d-f1b4-548a52a7a763@ipfire.org>
In-Reply-To: <0e60a1de-6210-835e-54a4-ec5e3128e42e@ipfire.org>
From the kernel documentation:
> This option makes the kernel erase the kernel stack before
> returning from system calls. This has the effect of leaving
> the stack initialized to the poison value, which both reduces
> the lifetime of any sensitive stack contents and reduces
> potential for uninitialized stack variable exploits or information
> exposures (it does not cover functions reaching the same stack
> depth as prior functions during the same syscall). This blocks
> most uninitialized stack variable attacks, with the performance
> impact being driven by the depth of the stack usage, rather than
> the function calling complexity.
>
> The performance impact on a single CPU system kernel compilation
> sees a 1% slowdown, other systems and workloads may vary and you
> are advised to test this feature on your expected workload before
> deploying it.
>
> This plugin was ported from grsecurity/PaX.
Let's give it a try. A 1% increase in compile time does not bother us
too much, and given that this is enabled in IPFire 3.x as well, we may
as well take the opportunity to gain experience with this in the field.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/kernel/kernel.config.x86_64-ipfire | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index f1d6c2ede..3d9e01e38 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6915,7 +6915,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_GCC_PLUGIN_STACKLEAK is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y
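Review bot: the 1% figure quoted in the commit message is not build time but run-time syscall overhead, measured with a kernel compile as the workload; on a firewall the syscall-heavy path is network I/O, so the before/after measurement the quoted documentation asks for should be taken on forwarding and throughput rather than inferred from the compile benchmark. Two smaller points on the new lines: `CONFIG_STACKLEAK_TRACK_MIN_SIZE=100` is the Kconfig default, which is fine to keep but deserves a sentence in the message since it is the knob that trades coverage of small stack frames against overhead; and leaving `CONFIG_STACKLEAK_RUNTIME_DISABLE` unset is the right choice for a hardening change, because enabling it would expose a sysctl that lets the erase pass be switched off at run time.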
--
2.35.3
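To make the quoted documentation concrete, here is a small model of the mechanism the patch enables. This is an added example, not code from the patch, from IPFire or from the kernel: it simulates a kernel stack as an array, tracks the lowest stack pointer reached during a "syscall" the way the STACKLEAK instrumentation does on function entry, and runs an erase pass before "returning to user space". The poison value, the frame sizes and the `SECRET01` key material are all constructed for the model, and the model ignores `CONFIG_STACKLEAK_TRACK_MIN_SIZE` (every frame is tracked). It shows the three cases the documentation describes: a leftover that a later syscall can observe without the erase, the same slot holding only poison with the erase, and the stated caveat that a callee reaching the same depth within one syscall is not covered.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated kernel stack: STACK_WORDS 64-bit words, growing downwards
 * from index STACK_WORDS towards 0. */
#define STACK_WORDS 64
/* Poison pattern written into dead stack. Constructed for this model;
 * the real kernel uses its own STACKLEAK_POISON constant. */
#define POISON 0xFFFFFFFFFFFF4111ULL

static uint64_t kstack[STACK_WORDS];
static size_t sp = STACK_WORDS;        /* current stack pointer (index) */
static size_t lowest_sp = STACK_WORDS; /* deepest point reached in this syscall */

/* Fresh state: whole stack poisoned, nothing in use. */
static void reset_stack(void)
{
    for (size_t i = 0; i < STACK_WORDS; i++)
        kstack[i] = POISON;
    sp = lowest_sp = STACK_WORDS;
}

/* Function prologue: allocate a frame and, as the STACKLEAK instrumentation
 * does on function entry, record the lowest stack pointer seen so far. */
static uint64_t *frame_enter(size_t words)
{
    sp -= words;
    if (sp < lowest_sp)
        lowest_sp = sp;
    return &kstack[sp];
}

/* Function epilogue: locals are abandoned, not cleared. */
static void frame_leave(size_t words)
{
    sp += words;
}

/* The erase pass run before returning to user space: every word between the
 * deepest point this syscall reached and the current stack pointer is dead
 * and is overwritten with the poison value. */
static void stackleak_erase(void)
{
    for (size_t i = lowest_sp; i < sp; i++)
        kstack[i] = POISON;
    lowest_sp = sp;
}

/* Copies 8 bytes of key material into a local buffer and returns without
 * wiping it. */
static void handle_secret(const char *secret)
{
    uint64_t *frame = frame_enter(8);
    memcpy(frame, secret, 8);
    frame_leave(8);
}

/* An uninitialized local at the same stack depth: yields whatever the
 * previous occupant of that slot left behind. */
static uint64_t read_uninitialized_local(void)
{
    uint64_t *frame = frame_enter(8);
    uint64_t leftover = frame[0];
    frame_leave(8);
    return leftover;
}

/* The constructed secret as the 64-bit word it occupies on the stack. */
uint64_t secret_as_word(void)
{
    uint64_t w;
    memcpy(&w, "SECRET01", 8);
    return w;
}

/* Two consecutive syscalls, no erase pass: the second one sees the secret. */
uint64_t leak_without_stackleak(void)
{
    reset_stack();
    handle_secret("SECRET01");          /* syscall 1 */
    return read_uninitialized_local();  /* syscall 2 */
}

/* Same, with the erase pass on syscall exit: the second sees only poison. */
uint64_t leak_with_stackleak(void)
{
    reset_stack();
    handle_secret("SECRET01");          /* syscall 1 */
    stackleak_erase();                  /* runs on return to user space */
    return read_uninitialized_local();  /* syscall 2 */
}

/* The documented caveat: within one syscall the erase has not run yet, so a
 * later callee reaching the same depth still sees the earlier one's data. */
uint64_t leak_within_one_syscall(void)
{
    reset_stack();
    frame_enter(2);                           /* syscall entry frame */
    handle_secret("SECRET01");                /* first callee */
    uint64_t v = read_uninitialized_local();  /* second callee, same depth */
    frame_leave(2);
    stackleak_erase();                        /* too late for v */
    return v;
}

int main(void)
{
    printf("without erase: 0x%016llx\n", (unsigned long long)leak_without_stackleak());
    printf("with erase:    0x%016llx\n", (unsigned long long)leak_with_stackleak());
    printf("same syscall:  0x%016llx\n", (unsigned long long)leak_within_one_syscall());
    return 0;
}
```

The model deliberately erases the whole span from the lowest tracked pointer up to the current one; the real implementation narrows that range by searching for the poison boundary and by only instrumenting frames above the tracking threshold, which is where the performance trade-off the documentation mentions comes from.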
Thread overview (45+ messages):
2022-12-26 19:24 [PATCH 00/21] linux: Update to 5.15.85 and backport many IPFire 3.x changes Peter Müller
2022-12-26 19:24 ` [PATCH 01/21] linux: Update to 5.15.85 Peter Müller
2022-12-27 10:37 ` Michael Tremer
2022-12-29 11:14 ` Peter Müller
2022-12-29 11:16 ` Michael Tremer
2022-12-26 19:24 ` [PATCH 02/21] linux: Disable the entire PCMCIA/CardBus subsystem Peter Müller
2022-12-27 10:39 ` Michael Tremer
2022-12-26 19:25 ` [PATCH 03/21] linux: Enable parallel crypto by default Peter Müller
2022-12-27 10:39 ` Michael Tremer
2022-12-26 19:25 ` [PATCH 04/21] linux: Disable syscalls that allows processes to r/w other processes' memory Peter Müller
2022-12-27 11:22 ` Michael Tremer
2022-12-26 19:26 ` [PATCH 05/21] linux: Disable the latent entropy plugin Peter Müller
2022-12-27 11:22 ` Michael Tremer
2022-12-26 19:26 ` [PATCH 06/21] linux: Build all library routines as modules and disable self-tests Peter Müller
2022-12-27 11:22 ` Michael Tremer
2022-12-26 19:26 ` [PATCH 07/21] linux: Build all HWRNGs as modules Peter Müller
2022-12-27 11:23 ` Michael Tremer
2022-12-26 19:27 ` [PATCH 08/21] linux: Compile binfmt_misc as a module Peter Müller
2022-12-27 11:23 ` Michael Tremer
2022-12-26 19:27 ` [PATCH 09/21] linux: Wipe all memory when rebooting on EFI Peter Müller
2022-12-27 11:23 ` Michael Tremer
2022-12-26 19:27 ` [PATCH 10/21] linux: Disable the Distributed Lock Manager Peter Müller
2022-12-27 11:24 ` Michael Tremer
2022-12-26 19:28 ` [PATCH 11/21] linux: Disable some character devices that do not make sense Peter Müller
2022-12-27 11:24 ` Michael Tremer
2022-12-26 19:28 ` [PATCH 12/21] linux: Make graphics configruation sane Peter Müller
2022-12-27 11:24 ` Michael Tremer
2022-12-26 19:28 ` [PATCH 13/21] linux: Disable all sorts of useless Device Mapper targets Peter Müller
2022-12-27 11:25 ` Michael Tremer
2022-12-26 19:29 ` [PATCH 14/21] linux: Enable various modern ciphers/hashes/etc. and acceleration Peter Müller
2022-12-27 11:25 ` Michael Tremer
2022-12-26 19:29 ` [PATCH 15/21] linux: Compress the kernel, modules and firmware using Zstandard Peter Müller
2022-12-27 11:26 ` Michael Tremer
2022-12-26 19:29 ` [PATCH 16/21] linux: Disable ACPI configfs support Peter Müller
2022-12-27 11:29 ` Michael Tremer
2022-12-26 19:30 ` [PATCH 17/21] linux: Enable support for more USB host controllers as modules Peter Müller
2022-12-27 11:33 ` Michael Tremer
2022-12-26 19:30 ` Peter Müller [this message]
2022-12-27 11:35 ` [PATCH 18/21] linux: Poison kernel stack before returning from syscalls Michael Tremer
2022-12-26 19:30 ` [PATCH 19/21] linux: Enable Landlock support Peter Müller
2022-12-27 11:36 ` Michael Tremer
2022-12-26 19:31 ` [PATCH 20/21] linux: Update x86_64 rootfile Peter Müller
2022-12-27 11:36 ` Michael Tremer
2022-12-26 19:31 ` [PATCH 21/21] linux: Align ARM kernel configurations as much as possible Peter Müller
2022-12-27 10:36 ` [PATCH 00/21] linux: Update to 5.15.85 and backport many IPFire 3.x changes Michael Tremer