Re: [PATCH 18/21] linux: Poison kernel stack before returning from syscalls

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2491 bytes --]



> On 26 Dec 2022, at 20:30, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> From the kernel documentation:
> 
>> This option makes the kernel erase the kernel stack before
>> returning from system calls. This has the effect of leaving
>> the stack initialized to the poison value, which both reduces
>> the lifetime of any sensitive stack contents and reduces
>> potential for uninitialized stack variable exploits or information
>> exposures (it does not cover functions reaching the same stack
>> depth as prior functions during the same syscall). This blocks
>> most uninitialized stack variable attacks, with the performance
>> impact being driven by the depth of the stack usage, rather than
>> the function calling complexity.
>> 
>> The performance impact on a single CPU system kernel compilation
>> sees a 1% slowdown, other systems and workloads may vary and you
>> are advised to test this feature on your expected workload before
>> deploying it.
>> 
>> This plugin was ported from grsecurity/PaX.
> 
> Let's give it a try. A 1% increase in compile time does not bother us
> too much, and given that this is enabled in IPFire 3.x as well, we may
> as well take the opportunity to gain experience with this in the field.

This is enabled, but not tested.

And it does not say, that this will increase the compile time. Compiling the kernel is the benchmark here.

Since IPFire (as a firewall) is very syscall-heavy, we might indeed have a might higher impact.

> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index f1d6c2ede..3d9e01e38 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6915,7 +6915,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> -# CONFIG_GCC_PLUGIN_STACKLEAK is not set
> +CONFIG_GCC_PLUGIN_STACKLEAK=y
> +CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
> +# CONFIG_STACKLEAK_METRICS is not set
> +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
> CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y
> -- 
> 2.35.3