Merge tag 'hardening-v5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

# for the randomize_kstack_offset feature. Disable it for all compilers.

KBUILD_CFLAGS	+= $(call cc-option, -fno-stack-clash-protection)

# Clear used registers at func exit (to reduce data lifetime and ROP gadgets).

ifdef CONFIG_ZERO_CALL_USED_REGS

KBUILD_CFLAGS	+= -fzero-call-used-regs=used-gpr

endif

DEBUG_CFLAGS	:=

# Workaround for GCC versions < 5.0

// SPDX-License-Identifier: GPL-2.0

// SPDX-License-Identifier: GPL-2.0-or-later

/*

 * Test cases for compiler-based stack variable zeroing via future

 * compiler flags or CONFIG_GCC_PLUGIN_STRUCTLEAK*.

 * Test cases for compiler-based stack variable zeroing via

 * -ftrivial-auto-var-init={zero,pattern} or CONFIG_GCC_PLUGIN_STRUCTLEAK*.

 *

 * External build example:

 *	clang -O2 -Wall -ftrivial-auto-var-init=pattern \

 *		-o test_stackinit test_stackinit.c

 */

#ifdef __KERNEL__

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/init.h>

#include <linux/module.h>

#include <linux/string.h>

#else

/* Userspace headers. */

#include <stdio.h>

#include <stdint.h>

#include <string.h>

#include <stdbool.h>

#include <errno.h>

#include <sys/types.h>

/* Linux kernel-ism stubs for stand-alone userspace build. */

#define KBUILD_MODNAME		"stackinit"

#define pr_fmt(fmt)		KBUILD_MODNAME ": " fmt

#define pr_err(fmt, ...)	fprintf(stderr, pr_fmt(fmt), ##__VA_ARGS__)

#define pr_warn(fmt, ...)	fprintf(stderr, pr_fmt(fmt), ##__VA_ARGS__)

#define pr_info(fmt, ...)	fprintf(stdout, pr_fmt(fmt), ##__VA_ARGS__)

#define __init			/**/

#define __exit			/**/

#define __user			/**/

#define noinline		__attribute__((__noinline__))

#define __aligned(x)		__attribute__((__aligned__(x)))

#ifdef __clang__

# define __compiletime_error(message) /**/

#else

# define __compiletime_error(message) __attribute__((__error__(message)))

#endif

#define __compiletime_assert(condition, msg, prefix, suffix)		\

	do {								\

		extern void prefix ## suffix(void) __compiletime_error(msg); \

		if (!(condition))					\

			prefix ## suffix();				\

	} while (0)

#define _compiletime_assert(condition, msg, prefix, suffix) \

	__compiletime_assert(condition, msg, prefix, suffix)

#define compiletime_assert(condition, msg) \

	_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)

#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)

#define BUILD_BUG_ON(condition) \

	BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)

typedef uint8_t			u8;

typedef uint16_t		u16;

typedef uint32_t		u32;

typedef uint64_t		u64;

#define module_init(func)	static int (*do_init)(void) = func

#define module_exit(func)	static void (*do_exit)(void) = func

#define MODULE_LICENSE(str)	int main(void) {		\

					int rc;			\

					/* License: str */	\

					rc = do_init();		\

					if (rc == 0)		\

						do_exit();	\

					return rc;		\

				}

#endif /* __KERNEL__ */

/* Exfiltration buffer. */

#define MAX_VAR_SIZE	128

static u8 check_buf[MAX_VAR_SIZE];

	return false;

}

/* Whether the test is expected to fail. */

#define WANT_SUCCESS				0

#define XFAIL					1

#define DO_NOTHING_TYPE_SCALAR(var_type)	var_type

#define DO_NOTHING_TYPE_STRING(var_type)	void

#define DO_NOTHING_TYPE_STRUCT(var_type)	void

#define INIT_CLONE_STRING		[FILL_SIZE_STRING]

#define INIT_CLONE_STRUCT		/**/

#define INIT_SCALAR_none		/**/

#define INIT_SCALAR_zero		= 0

#define ZERO_CLONE_SCALAR(zero)		memset(&(zero), 0x00, sizeof(zero))

#define ZERO_CLONE_STRING(zero)		memset(&(zero), 0x00, sizeof(zero))

/*

 * For the struct, intentionally poison padding to see if it gets

 * copied out in direct assignments.

 * */

#define ZERO_CLONE_STRUCT(zero)				\

	do {						\

		memset(&(zero), 0xFF, sizeof(zero));	\

		zero.one = 0;				\

		zero.two = 0;				\

		zero.three = 0;				\

		zero.four = 0;				\

	} while (0)

#define INIT_STRING_none		[FILL_SIZE_STRING] /**/

#define INIT_STRING_zero		[FILL_SIZE_STRING] = { }

#define INIT_SCALAR_none(var_type)	/**/

#define INIT_SCALAR_zero(var_type)	= 0

#define INIT_STRUCT_none		/**/

#define INIT_STRUCT_zero		= { }

#define INIT_STRUCT_static_partial	= { .two = 0, }

#define INIT_STRUCT_static_all		= { .one = arg->one,		\

					    .two = arg->two,		\

					    .three = arg->three,	\

					    .four = arg->four,		\

#define INIT_STRING_none(var_type)	[FILL_SIZE_STRING] /**/

#define INIT_STRING_zero(var_type)	[FILL_SIZE_STRING] = { }

#define INIT_STRUCT_none(var_type)	/**/

#define INIT_STRUCT_zero(var_type)	= { }

#define __static_partial		{ .two = 0, }

#define __static_all			{ .one = 0,			\

					  .two = 0,			\

					  .three = 0,			\

					  .four = 0,			\

					}

#define INIT_STRUCT_dynamic_partial	= { .two = arg->two, }

#define INIT_STRUCT_dynamic_all		= { .one = arg->one,		\

#define __dynamic_partial		{ .two = arg->two, }

#define __dynamic_all			{ .one = arg->one,		\

					  .two = arg->two,		\

					  .three = arg->three,		\

					  .four = arg->four,		\

					}

#define INIT_STRUCT_runtime_partial	;				\

					var.two = 0

#define INIT_STRUCT_runtime_all		;				\

					var.one = 0;			\

#define __runtime_partial		var.two = 0

#define __runtime_all			var.one = 0;			\

					var.two = 0;			\

					var.three = 0;			\

					memset(&var.four, 0,		\

					       sizeof(var.four))

					var.four = 0

#define INIT_STRUCT_static_partial(var_type)				\

					= __static_partial

#define INIT_STRUCT_static_all(var_type)				\

					= __static_all

#define INIT_STRUCT_dynamic_partial(var_type)				\

					= __dynamic_partial

#define INIT_STRUCT_dynamic_all(var_type)				\

					= __dynamic_all

#define INIT_STRUCT_runtime_partial(var_type)				\

					; __runtime_partial

#define INIT_STRUCT_runtime_all(var_type)				\

					; __runtime_all

#define INIT_STRUCT_assigned_static_partial(var_type)			\

					; var = (var_type)__static_partial

#define INIT_STRUCT_assigned_static_all(var_type)			\

					; var = (var_type)__static_all

#define INIT_STRUCT_assigned_dynamic_partial(var_type)			\

					; var = (var_type)__dynamic_partial

#define INIT_STRUCT_assigned_dynamic_all(var_type)			\

					; var = (var_type)__dynamic_all

#define INIT_STRUCT_assigned_copy(var_type)				\

					; var = *(arg)

/*

 * @name: unique string name for the test

	BUILD_BUG_ON(sizeof(zero) > MAX_VAR_SIZE);		\

								\

	/* Fill clone type with zero for per-field init. */	\

	memset(&zero, 0x00, sizeof(zero));			\

	ZERO_CLONE_ ## which(zero);				\

	/* Clear entire check buffer for 0xFF overlap test. */	\

	memset(check_buf, 0x00, sizeof(check_buf));		\

	/* Fill stack with 0xFF. */				\

		return (xfail) ? 0 : 1;				\

	}							\

}

#define DEFINE_TEST(name, var_type, which, init_level)		\

#define DEFINE_TEST(name, var_type, which, init_level, xfail)	\

/* no-op to force compiler into ignoring "uninitialized" vars */\

static noinline __init DO_NOTHING_TYPE_ ## which(var_type)	\

do_nothing_ ## name(var_type *ptr)				\

					 var_type *arg)		\

{								\

	char buf[VAR_BUFFER];					\

	var_type var INIT_ ## which ## _ ## init_level;		\

	var_type var						\

		INIT_ ## which ## _ ## init_level(var_type);	\

								\

	target_start = &var;					\

	target_size = sizeof(var);				\

								\

	return (int)buf[0] | (int)buf[sizeof(buf) - 1];		\

}								\

DEFINE_TEST_DRIVER(name, var_type, which, 0)

DEFINE_TEST_DRIVER(name, var_type, which, xfail)

/* Structure with no padding. */

struct test_packed {

	unsigned long four;

};

/* Try to trigger unhandled padding in a structure. */

struct test_aligned {

	u32 internal1;

	u64 internal2;

} __aligned(64);

/* Trigger unhandled padding in a structure. */

struct test_big_hole {

	u8 one;

	u8 two;

	u8 three;

	/* 61 byte padding hole here. */

	struct test_aligned four;

	u8 four __aligned(64);

} __aligned(64);

struct test_trailing_hole {

	unsigned long four;

};

#define DEFINE_SCALAR_TEST(name, init)				\

		DEFINE_TEST(name ## _ ## init, name, SCALAR, init)

#define DEFINE_SCALAR_TEST(name, init, xfail)			\

		DEFINE_TEST(name ## _ ## init, name, SCALAR,	\

			    init, xfail)

#define DEFINE_SCALAR_TESTS(init)				\

		DEFINE_SCALAR_TEST(u8, init);			\

		DEFINE_SCALAR_TEST(u16, init);			\

		DEFINE_SCALAR_TEST(u32, init);			\

		DEFINE_SCALAR_TEST(u64, init);			\

		DEFINE_TEST(char_array_ ## init, unsigned char, STRING, init)

#define DEFINE_SCALAR_TESTS(init, xfail)			\

		DEFINE_SCALAR_TEST(u8, init, xfail);		\

		DEFINE_SCALAR_TEST(u16, init, xfail);		\

		DEFINE_SCALAR_TEST(u32, init, xfail);		\

		DEFINE_SCALAR_TEST(u64, init, xfail);		\

		DEFINE_TEST(char_array_ ## init, unsigned char,	\

			    STRING, init, xfail)

#define DEFINE_STRUCT_TEST(name, init)				\

#define DEFINE_STRUCT_TEST(name, init, xfail)			\

		DEFINE_TEST(name ## _ ## init,			\

			    struct test_ ## name, STRUCT, init)

			    struct test_ ## name, STRUCT, init, \

			    xfail)

#define DEFINE_STRUCT_TESTS(init, xfail)			\

		DEFINE_STRUCT_TEST(small_hole, init, xfail);	\

		DEFINE_STRUCT_TEST(big_hole, init, xfail);	\

		DEFINE_STRUCT_TEST(trailing_hole, init, xfail);	\

		DEFINE_STRUCT_TEST(packed, init, xfail)

#define DEFINE_STRUCT_TESTS(init)				\

		DEFINE_STRUCT_TEST(small_hole, init);		\

		DEFINE_STRUCT_TEST(big_hole, init);		\

		DEFINE_STRUCT_TEST(trailing_hole, init);	\

		DEFINE_STRUCT_TEST(packed, init)

#define DEFINE_STRUCT_INITIALIZER_TESTS(base)			\

		DEFINE_STRUCT_TESTS(base ## _ ## partial,	\

				    WANT_SUCCESS);		\

		DEFINE_STRUCT_TESTS(base ## _ ## all,		\

				    WANT_SUCCESS)

/* These should be fully initialized all the time! */

DEFINE_SCALAR_TESTS(zero);

DEFINE_STRUCT_TESTS(zero);

/* Static initialization: padding may be left uninitialized. */

DEFINE_STRUCT_TESTS(static_partial);

DEFINE_STRUCT_TESTS(static_all);

/* Dynamic initialization: padding may be left uninitialized. */

DEFINE_STRUCT_TESTS(dynamic_partial);

DEFINE_STRUCT_TESTS(dynamic_all);

/* Runtime initialization: padding may be left uninitialized. */

DEFINE_STRUCT_TESTS(runtime_partial);

DEFINE_STRUCT_TESTS(runtime_all);

DEFINE_SCALAR_TESTS(zero, WANT_SUCCESS);

DEFINE_STRUCT_TESTS(zero, WANT_SUCCESS);

/* Struct initializers: padding may be left uninitialized. */

DEFINE_STRUCT_INITIALIZER_TESTS(static);

DEFINE_STRUCT_INITIALIZER_TESTS(dynamic);

DEFINE_STRUCT_INITIALIZER_TESTS(runtime);

DEFINE_STRUCT_INITIALIZER_TESTS(assigned_static);

DEFINE_STRUCT_INITIALIZER_TESTS(assigned_dynamic);

DEFINE_STRUCT_TESTS(assigned_copy, XFAIL);

/* No initialization without compiler instrumentation. */

DEFINE_SCALAR_TESTS(none);

DEFINE_STRUCT_TESTS(none);

DEFINE_TEST(user, struct test_user, STRUCT, none);

DEFINE_SCALAR_TESTS(none, WANT_SUCCESS);

DEFINE_STRUCT_TESTS(none, WANT_SUCCESS);

/* Initialization of members with __user attribute. */

DEFINE_TEST(user, struct test_user, STRUCT, none, WANT_SUCCESS);

/*

 * Check two uses through a variable declaration outside either path,

static int noinline __leaf_switch_none(int path, bool fill)

{

	switch (path) {

		/*

		 * This is intentionally unreachable. To silence the

		 * warning, build with -Wno-switch-unreachable

		 */

		uint64_t var;

	case 1:

 * non-code areas (i.e. in a switch statement before the first "case").

 * https://bugs.llvm.org/show_bug.cgi?id=44916

 */

DEFINE_TEST_DRIVER(switch_1_none, uint64_t, SCALAR, 1);

DEFINE_TEST_DRIVER(switch_2_none, uint64_t, SCALAR, 1);

DEFINE_TEST_DRIVER(switch_1_none, uint64_t, SCALAR, XFAIL);

DEFINE_TEST_DRIVER(switch_2_none, uint64_t, SCALAR, XFAIL);

static int __init test_stackinit_init(void)

{

	test_structs(zero);

	/* Padding here appears to be accidentally always initialized? */

	test_structs(dynamic_partial);

	test_structs(assigned_dynamic_partial);

	/* Padding initialization depends on compiler behaviors. */

	test_structs(static_partial);

	test_structs(static_all);

	test_structs(dynamic_all);

	test_structs(runtime_partial);

	test_structs(runtime_all);

	test_structs(assigned_static_partial);

	test_structs(assigned_static_all);

	test_structs(assigned_dynamic_all);

	/* Everything fails this since it effectively performs a memcpy(). */

	test_structs(assigned_copy);

	/* STRUCTLEAK_BYREF_ALL should cover everything from here down. */

	test_scalars(none);

	prompt "Initialize kernel stack variables at function entry"

	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS

	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN

	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN

	default INIT_STACK_NONE

	help

	  This option enables initialization of stack variables at

	  syscalls.

	  This chooses the level of coverage over classes of potentially

	  uninitialized variables. The selected class will be

	  uninitialized variables. The selected class of variable will be

	  initialized before use in a function.

	config INIT_STACK_NONE

		bool "no automatic initialization (weakest)"

		bool "no automatic stack variable initialization (weakest)"

		help

		  Disable automatic stack variable initialization.

		  This leaves the kernel vulnerable to the standard

		  and is disallowed.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

		bool "zero-init anything passed by reference (very strong)"

		bool "zero-init everything passed by reference (very strong)"

		depends on GCC_PLUGINS

		depends on !(KASAN && KASAN_STACK)

		select GCC_PLUGIN_STRUCTLEAK

		  of uninitialized stack variable exploits and information

		  exposures.

		  As a side-effect, this keeps a lot of variables on the

		  stack that can otherwise be optimized out, so combining

		  this with CONFIG_KASAN_STACK can lead to a stack overflow

		  and is disallowed.

	config INIT_STACK_ALL_PATTERN

		bool "0xAA-init everything on the stack (strongest)"

		bool "pattern-init everything (strongest)"

		depends on CC_HAS_AUTO_VAR_INIT_PATTERN

		help

		  Initializes everything on the stack with a 0xAA

		  pattern. This is intended to eliminate all classes

		  of uninitialized stack variable exploits and information

		  exposures, even variables that were warned to have been

		  left uninitialized.

		  Initializes everything on the stack (including padding)

		  with a specific debug value. This is intended to eliminate

		  all classes of uninitialized stack variable exploits and

		  information exposures, even variables that were warned about

		  having been left uninitialized.

		  Pattern initialization is known to provoke many existing bugs

		  related to uninitialized locals, e.g. pointers receive

		  non-NULL values, buffer sizes and indices are very big.

		  non-NULL values, buffer sizes and indices are very big. The

		  pattern is situation-specific; Clang on 64-bit uses 0xAA

		  repeating for all types and padding except float and double

		  which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF

		  repeating for all types and padding.

	config INIT_STACK_ALL_ZERO

		bool "zero-init everything on the stack (strongest and safest)"

		bool "zero-init everything (strongest and safest)"

		depends on CC_HAS_AUTO_VAR_INIT_ZERO

		help

		  Initializes everything on the stack with a zero

		  value. This is intended to eliminate all classes

		  of uninitialized stack variable exploits and information

		  exposures, even variables that were warned to have been

		  left uninitialized.

		  Zero initialization provides safe defaults for strings,

		  pointers, indices and sizes, and is therefore

		  more suitable as a security mitigation measure.

		  Initializes everything on the stack (including padding)

		  with a zero value. This is intended to eliminate all

		  classes of uninitialized stack variable exploits and

		  information exposures, even variables that were warned

		  about having been left uninitialized.

		  Zero initialization provides safe defaults for strings

		  (immediately NUL-terminated), pointers (NULL), indices

		  (index 0), and sizes (0 length), so it is therefore more

		  suitable as a production security mitigation than pattern

		  initialization.

endchoice

	  touching "cold" memory areas. Most cases see 3-5% impact. Some

	  synthetic workloads have measured as high as 8%.

config CC_HAS_ZERO_CALL_USED_REGS

	def_bool $(cc-option,-fzero-call-used-regs=used-gpr)

config ZERO_CALL_USED_REGS

	bool "Enable register zeroing on function exit"

	depends on CC_HAS_ZERO_CALL_USED_REGS

	help

	  At the end of functions, always zero any caller-used register

	  contents. This helps ensure that temporary values are not

	  leaked beyond the function boundary. This means that register

	  contents are less likely to be available for side channels

	  and information exposures. Additionally, this helps reduce the

	  number of useful ROP gadgets by about 20% (and removes compiler

	  generated "write-what-where" gadgets) in the resulting kernel

	  image. This has a less than 1% performance impact on most

	  workloads. Image size growth depends on architecture, and should

	  be evaluated for suitability. For example, x86_64 grows by less

	  than 1%, and arm64 grows by about 5%.

endmenu

endmenu