Received: by 10.223.176.5 with SMTP id f5csp2240941wra;
        Thu, 8 Feb 2018 10:39:00 -0800 (PST)
X-Google-Smtp-Source: AH8x225gLQwx7EWAGQfn7kUlklPcoz/n0ut/fmfDLYcnJHfyCCkl8O26+M4nVUs7Rg6bzZX6/UkA
X-Received: by 10.99.105.132 with SMTP id e126mr109529pgc.250.1518115140844;
        Thu, 08 Feb 2018 10:39:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518115140; cv=none;
        d=google.com; s=arc-20160816;
        b=qFUBrFWjCweX8hOuPr3Vpgiy3RgirXj0hOap8xNy7KYkUwLaIXRt40kxHKcdUsjXdg
         gNpl3EDNPmNOl+/n+Owxvk0Id8qutGViXj2G2DfFYVRaYEZPPBzDqYSxS53fE+O4WB/G
         NEEcU/5zWxOonrs2xKw7Wf2rYLo4nTxGsNMPKY24o+D5+2rytzMGXX0q2AqtTq97G33z
         tRwK3wE2NoTRNyWEJlgPoFqkp4ucAPnqnptS12pzVJyYnJAABj0e3i7dUqzHYAWUMeeQ
         1Xbbe6xbHcPimS5NI3o9axZd9OdTLmvyHs1oKKofhL0dZYzqrGiuSCB/CtxHaf6644L7
         vzTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=SdNfOkXEeTYB5wezLE6N5+DqwxbhJXkEycqPOwbUByc=;
        b=Gkz+QpgyRMctCSr5Sco/Rc+s3XA/qhNmVFqqujQp4QHp7g0t/ALqkecsfZe105/n8i
         bETSNpVbS8tRMV7RnPZUvsrAHFZANoRkgNc1vvqJGjWImNQwmtsu+W7+DGwwUeSBU3Ng
         vExQCqSnVIJc3H2X7xilBi8ghHy85DYm5aSSxmxdhSBzjTGwbGIuobeWKS3rwF3CVDK7
         K4yz/IKB5qvA1zZuVyMyCP1qoOOtzIPD28+yIe/tRHKQWC3COX5qCvhmJ48CRlNEqdhx
         7HUjzHXk18sGJv0bku5D09zwx5jk1ZuWHd9ZaCwUiYoTEeIW927B5g+Lk8M79oPvEsqP
         BMzg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=UCdJHv+o;
       dkim=fail header.i=@chromium.org header.s=google header.b=datZatZN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g3-v6si318843plp.38.2018.02.08.10.38.45;
        Thu, 08 Feb 2018 10:39:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=UCdJHv+o;
       dkim=fail header.i=@chromium.org header.s=google header.b=datZatZN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752237AbeBHSh2 (ORCPT <rfc822;huangleihappily@gmail.com>
        + 99 others); Thu, 8 Feb 2018 13:37:28 -0500
Received: from mail-vk0-f67.google.com ([209.85.213.67]:43195 "EHLO
        mail-vk0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751544AbeBHSh0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Feb 2018 13:37:26 -0500
Received: by mail-vk0-f67.google.com with SMTP id x203so3342348vkx.10
        for <linux-kernel@vger.kernel.org>; Thu, 08 Feb 2018 10:37:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=SdNfOkXEeTYB5wezLE6N5+DqwxbhJXkEycqPOwbUByc=;
        b=UCdJHv+ogYPFwbWz49KnAktkpHacUUjjGnOeLV2PtO1ZoATTyDmVrSvZJI/0eZob0R
         994cRkkzSIIHdeOmq4aXT11Zhs/DYyxX6gwQI+ge2HvWaMUQ5JO6PR8uBOiyrV661Gio
         kHQVapfsXmxiMnXnsdgXA+7llVffiED7Pk3Y/DByY3u085p0rZiw4HT9mFXQHDF/3BR9
         a8RF7iLbEO9C33yMxVOLZw5lcD4Rwtl+Rn/5I3KbyvztBlurrBRprGWyo+M0oa6UbTwm
         jHdNcxC2vfxpezwqZleb6Vtc/dMCXbzQLe3YJWgIxwtgwj/7TX06IgWFL+UmqUyJlDnM
         ozAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=SdNfOkXEeTYB5wezLE6N5+DqwxbhJXkEycqPOwbUByc=;
        b=datZatZNYcsxKnRkI7rGHdYFaCHP6rZzM9vaO85HBX4AHbcvJWmkvsStda+IymM0a8
         SRO32DURqGlNy/YYk09jLdIFbM9jXBjUd6kAldgSfi9zt3IBkINhXqLtDZL9mrGw/YwW
         G7RuRnsJuiXGFRIaGvPtmreLwHY4MwY9h7Y6U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=SdNfOkXEeTYB5wezLE6N5+DqwxbhJXkEycqPOwbUByc=;
        b=In+B9QS24PCW+BkpHxHTmnY/iuD/nlLmYa9stfknzCWaFGufzy3c9Y2qd96hyBWsFs
         hiW/Uj+x532CiofYNrpl96sIfiRUUu2k+Af5RuAxE1Ocw+l1i2f+Je4Y595gwieY5eub
         wnvgjc0Y/5AQbbno3MLH74Nz0b+NBtbN2+Wy4OJrjQTe+SqRqOnbgztV5RsKq/4+clPH
         lvm1tX/wX7OS3OJYvOlnSHHwJOzY2mO6DDOfwqeonmp0Dm4IMn4XtYny0k9BDiQ0f2IS
         49cQGvKClY7qFOUuUhVGO+AzxDUJxBNn2xnRkTMPMU1dFCS1kB5LePSxmuGcaxjciv7i
         7a1Q==
X-Gm-Message-State: APf1xPBSohBkjOgL2y5L4d05fjy5zbM6bnApNBO1uWVVxX4L4BMfeUx8
        9OYOzxZvn8cdrvGHI8Y9IeOPeor3zYhfpnGDbX5ZPw==
X-Received: by 10.31.201.133 with SMTP id z127mr90837vkf.129.1518114647157;
 Thu, 08 Feb 2018 10:30:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.67.196 with HTTP; Thu, 8 Feb 2018 10:30:46 -0800 (PST)
In-Reply-To: <1518106752-29228-8-git-send-email-yamada.masahiro@socionext.com>
References: <1518106752-29228-1-git-send-email-yamada.masahiro@socionext.com> <1518106752-29228-8-git-send-email-yamada.masahiro@socionext.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Fri, 9 Feb 2018 05:30:46 +1100
X-Google-Sender-Auth: HNJvJJZz-FrX4TdxfiFMQZKeUeA
Message-ID: <CAGXu5jJ02qRCcqTK_M9sFtekizz+0WoHBCBKF_mh-A870eg6eg@mail.gmail.com>
Subject: Re: [RFC PATCH 7/7] Test stackprotector options in Kconfig to kill CC_STACKPROTECTOR_AUTO
To:     Masahiro Yamada <yamada.masahiro@socionext.com>
Cc:     linux-kbuild <linux-kbuild@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>,
        "Luis R . Rodriguez" <mcgrof@suse.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Ulf Magnusson <ulfalizer@gmail.com>,
        Sam Ravnborg <sam@ravnborg.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Pavel Machek <pavel@ucw.cz>,
        linux-s390 <linux-s390@vger.kernel.org>,
        Jiri Kosina <jkosina@suse.cz>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 9, 2018 at 3:19 AM, Masahiro Yamada
<yamada.masahiro@socionext.com> wrote:
> Add CC_HAS_STACKPROTECTOR(_STRONG) and proper dependency.
>
> I re-arranged the choice values, _STRONG, _REGULAR, _NONE in this order
> because the default of choice is the first visible symbol.
> [...]
> +# is this necessary?
> +#ifeq ($(CONFIG_CC_STACKPROTECTOR_NONE),y)
> +#KBUILD_CFLAGS += -fno-stack-protector
> +#endif

Yes, and also in the case of a broken stack protector, because some
compilers enable stack protector by default, so if we've selected it
to be NONE or detected it as broken, we need to force it off in the
compiler.

> +# TODO: run scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh from Kconfig

FWIW, this is the part that I got stuck on.
gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh depends on the KBUILD
flags that got built up and detected up to this point in the Makefile,
so I couldn't find a way to run it out of Kconfig since it didn't know
what the KBUILD flags were yet.

> +
>  ifeq ($(cc-name),clang)
>  KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
>  KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable)
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 76c0b54..50723d8 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -538,10 +538,20 @@ config HAVE_CC_STACKPROTECTOR
>           - its compiler supports the -fstack-protector option
>           - it has implemented a stack canary (e.g. __stack_chk_guard)
>
> +config CC_HAS_STACKPROTECTOR
> +       bool
> +       option shell="$CC -Werror -fstack-protector -c -x c /dev/null"
> +
> +config CC_HAS_STACKPROTECTOR_STRONG
> +       bool
> +       option shell="$CC -Werror -fstack-protector-strong -c -x c /dev/null"

I'm nervous we'll get tripped up here, since $CC may not include the
right $(KBUILD_CPPFLAGS) and $(CC_OPTION_CFLAGS) as in cc-option, both
of which are calculated during the Makefile run. But maybe it won't be
a problem in actual use.

> +
> +config CC_STACKPROTECTOR
> +       bool
> +
>  choice
>         prompt "Stack Protector buffer overflow detection"
>         depends on HAVE_CC_STACKPROTECTOR
> -       default CC_STACKPROTECTOR_AUTO
>         help
>           This option turns on the "stack-protector" GCC feature. This
>           feature puts, at the beginning of functions, a canary value on
> @@ -551,26 +561,10 @@ choice
>           overwrite the canary, which gets detected and the attack is then
>           neutralized via a kernel panic.
>
> -config CC_STACKPROTECTOR_NONE
> -       bool "None"
> -       help
> -         Disable "stack-protector" GCC feature.
> -
> -config CC_STACKPROTECTOR_REGULAR
> -       bool "Regular"
> -       help
> -         Functions will have the stack-protector canary logic added if they
> -         have an 8-byte or larger character array on the stack.
> -
> -         This feature requires gcc version 4.2 or above, or a distribution
> -         gcc with the feature backported ("-fstack-protector").
> -
> -         On an x86 "defconfig" build, this feature adds canary checks to
> -         about 3% of all kernel functions, which increases kernel code size
> -         by about 0.3%.
> -
>  config CC_STACKPROTECTOR_STRONG
>         bool "Strong"
> +       depends on CC_HAS_STACKPROTECTOR_STRONG
> +       select CC_STACKPROTECTOR
>         help
>           Functions will have the stack-protector canary logic added in any
>           of the following conditions:
> @@ -588,11 +582,25 @@ config CC_STACKPROTECTOR_STRONG
>           about 20% of all kernel functions, which increases the kernel code
>           size by about 2%.
>
> -config CC_STACKPROTECTOR_AUTO
> -       bool "Automatic"
> +config CC_STACKPROTECTOR_REGULAR
> +       bool "Regular"
> +       depends on CC_HAS_STACKPROTECTOR
> +       select CC_STACKPROTECTOR
> +       help
> +         Functions will have the stack-protector canary logic added if they
> +         have an 8-byte or larger character array on the stack.
> +
> +         This feature requires gcc version 4.2 or above, or a distribution
> +         gcc with the feature backported ("-fstack-protector").
> +
> +         On an x86 "defconfig" build, this feature adds canary checks to
> +         about 3% of all kernel functions, which increases kernel code size
> +         by about 0.3%.
> +
> +config CC_STACKPROTECTOR_NONE
> +       bool "None"
>         help
> -         If the compiler supports it, the best available stack-protector
> -         option will be chosen.
> +         Disable "stack-protector" GCC feature.
>
>  endchoice

I continue to love the idea, but we can't know a given ssp option is
_working_ until we run the test script, which may depend on compiler
flags. Regardless, I'll give this series a try and see if I can fix
anything I trip over. I've got a lot of notes on testing after getting
..._AUTO working. Whatever happens, I hugely prefer having the
automatic selection possible in the Kconfig! Thanks for working on
this! :)

-Kees

-- 
Kees Cook
Pixel Security