@@ -5,7 +5,7 @@
#if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
#define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector
#else
-#define __head __section(".head.text") __no_sanitize_undefined
+#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
#endif
struct x86_mapping_info {
@@ -49,7 +49,9 @@
/* These are for everybody (although not all archs will actually
discard it in modules) */
-#define __init __section(".init.text") __cold __latent_entropy __noinitretpoline
+#define __init __section(".init.text") __cold __latent_entropy \
+ __noinitretpoline \
+ __no_sanitize_coverage
#define __initdata __section(".init.data")
#define __initconst __section(".init.rodata")
#define __exitdata __section(".exit.data")
@@ -22,3 +22,15 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \
-fsanitize=implicit-unsigned-integer-truncation \
-fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl
export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y)
+
+ifdef CONFIG_CC_IS_CLANG
+stackleak-cflags-$(CONFIG_STACKLEAK) += \
+ -fsanitize-coverage=stack-depth \
+ -fsanitize-coverage-stack-depth-callback-min=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
+export STACKLEAK_CFLAGS := $(stackleak-cflags-y)
+ifdef CONFIG_STACKLEAK
+ DISABLE_STACKLEAK := -fno-sanitize-coverage=stack-depth
+endif
+export DISABLE_STACKLEAK
+KBUILD_CFLAGS += $(STACKLEAK_CFLAGS)
+endif
@@ -158,10 +158,13 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
+config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
+ def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
+
config STACKLEAK
bool "Poison kernel stack before returning from syscalls"
depends on HAVE_ARCH_STACKLEAK
- depends on GCC_PLUGINS
+ depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
help
This option makes the kernel erase the kernel stack before
returning from system calls. This has the effect of leaving
Wire up stackleak to Clang's proposed[1] stack depth tracking callback option. While __noinstr already contained __no_sanitize_coverage, it was still needed for __init and __head section markings. This is needed to make sure the callback is not executed in unsupported contexts. Link: https://github.com/llvm/llvm-project/pull/138323 [1] Signed-off-by: Kees Cook <kees@kernel.org> --- Cc: Arnd Bergmann <arnd@arndb.de> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: <x86@kernel.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nicolas Schier <nicolas.schier@linux.dev> Cc: Marco Elver <elver@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: Paul Moore <paul@paul-moore.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: Kai Huang <kai.huang@intel.com> Cc: Hou Wenlong <houwenlong.hwl@antgroup.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org> Cc: Sami Tolvanen <samitolvanen@google.com> Cc: Christophe Leroy <christophe.leroy@csgroup.eu> Cc: <linux-kbuild@vger.kernel.org> Cc: <kasan-dev@googlegroups.com> Cc: <linux-hardening@vger.kernel.org> Cc: <linux-security-module@vger.kernel.org> --- arch/x86/include/asm/init.h | 2 +- include/linux/init.h | 4 +++- scripts/Makefile.ubsan | 12 ++++++++++++ security/Kconfig.hardening | 5 ++++- 4 files changed, 20 insertions(+), 3 deletions(-)