5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Oct 2022 13:04:06 +0000 (15:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Oct 2022 13:04:06 +0000 (15:04 +0200)
added patches:
hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch
hardening-clarify-kconfig-text-for-auto-var-init.patch
hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch

queue-5.10/hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch [new file with mode: 0644]
queue-5.10/hardening-clarify-kconfig-text-for-auto-var-init.patch [new file with mode: 0644]
queue-5.10/hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch b/queue-5.10/hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch
new file mode 100644 (file)
index 0000000..84605c2
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Sun Oct 16 03:03:28 PM CEST 2022
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 14 Sep 2021 12:49:03 -0700
+Subject: hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
+
+From: Kees Cook <keescook@chromium.org>
+
+commit f02003c860d921171be4a27e2893766eb3bc6871 upstream.
+
+Currently under Clang, CC_HAS_AUTO_VAR_INIT_ZERO requires an extra
+-enable flag compared to CC_HAS_AUTO_VAR_INIT_PATTERN. GCC 12[1] will
+not, and will happily ignore the Clang-specific flag. However, its
+presence on the command-line is both cumbersome and confusing. Due to
+GCC's tolerant behavior, though, we can continue to use a single Kconfig
+cc-option test for the feature on both compilers, but then drop the
+Clang-specific option in the Makefile.
+
+In other words, this patch does not change anything other than making the
+compiler command line shorter once GCC supports -ftrivial-auto-var-init=zero.
+
+[1] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=a25e0b5e6ac8a77a71c229e0a7b744603365b0e9
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: llvm@lists.linux.dev
+Fixes: dcb7c0b9461c ("hardening: Clarify Kconfig text for auto-var-init")
+Suggested-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/lkml/20210914102837.6172-1-will@kernel.org/
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile                   |    6 +++---
+ security/Kconfig.hardening |    5 ++++-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -816,12 +816,12 @@ endif
+ # Initialize all stack variables with a zero value.
+ ifdef CONFIG_INIT_STACK_ALL_ZERO
+-# Future support for zero initialization is still being debated, see
+-# https://bugs.llvm.org/show_bug.cgi?id=45497. These flags are subject to being
+-# renamed or dropped.
+ KBUILD_CFLAGS += -ftrivial-auto-var-init=zero
++ifdef CONFIG_CC_IS_CLANG
++# https://bugs.llvm.org/show_bug.cgi?id=45497
+ KBUILD_CFLAGS += -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
+ endif
++endif
+ DEBUG_CFLAGS  :=
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -23,13 +23,16 @@ config CC_HAS_AUTO_VAR_INIT_PATTERN
+       def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
+ config CC_HAS_AUTO_VAR_INIT_ZERO
++      # GCC ignores the -enable flag, so we can test for the feature with
++      # a single invocation using the flag, but drop it as appropriate in
++      # the Makefile, depending on the presence of Clang.
+       def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
+ choice
+       prompt "Initialize kernel stack variables at function entry"
+       default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
+       default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
+-      default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
++      default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
+       default INIT_STACK_NONE
+       help
+         This option enables initialization of stack variables at
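Review bot: The commit message states the patch changes nothing beyond shortening the compiler command line, yet the security/Kconfig.hardening part of the hunk also rewrites the choice default from `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN` to `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO`, which is the functional correction the `Fixes: dcb7c0b9461c` trailer points at and presumably the reason this patch is queued for 5.10 next to the clarify patch. A stable reader should not have to infer the selection rationale from the trailer; a one-line backport note in the message, e.g. `[also corrects the INIT_STACK_ALL_ZERO choice default to test the ZERO capability symbol rather than PATTERN]`, would record it. With the old condition a compiler whose probe passes for pattern but not zero would presumably have had that default skipped as invisible and fallen through to INIT_STACK_NONE, silently dropping the mitigation — worth confirming in the 5.10 Kconfig rather than assuming.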
diff --git a/queue-5.10/hardening-clarify-kconfig-text-for-auto-var-init.patch b/queue-5.10/hardening-clarify-kconfig-text-for-auto-var-init.patch
new file mode 100644 (file)
index 0000000..b00f575
--- /dev/null
@@ -0,0 +1,122 @@
+From foo@baz Sun Oct 16 03:03:28 PM CEST 2022
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 20 Jul 2021 14:54:17 -0700
+Subject: hardening: Clarify Kconfig text for auto-var-init
+
+From: Kees Cook <keescook@chromium.org>
+
+commit dcb7c0b9461c2a30f6616262736daac6f01ecb09 upstream.
+
+Clarify the details around the automatic variable initialization modes
+available. Specifically this details the values used for pattern init
+and expands on the rationale for zero init safety. Additionally makes
+zero init the default when available.
+
+Cc: glider@google.com
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: linux-security-module@vger.kernel.org
+Cc: clang-built-linux@googlegroups.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/Kconfig.hardening |   52 +++++++++++++++++++++++++++------------------
+ 1 file changed, 32 insertions(+), 20 deletions(-)
+
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -29,6 +29,7 @@ choice
+       prompt "Initialize kernel stack variables at function entry"
+       default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
+       default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
++      default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
+       default INIT_STACK_NONE
+       help
+         This option enables initialization of stack variables at
+@@ -39,11 +40,11 @@ choice
+         syscalls.
+         This chooses the level of coverage over classes of potentially
+-        uninitialized variables. The selected class will be
++        uninitialized variables. The selected class of variable will be
+         initialized before use in a function.
+       config INIT_STACK_NONE
+-              bool "no automatic initialization (weakest)"
++              bool "no automatic stack variable initialization (weakest)"
+               help
+                 Disable automatic stack variable initialization.
+                 This leaves the kernel vulnerable to the standard
+@@ -80,7 +81,7 @@ choice
+                 and is disallowed.
+       config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
+-              bool "zero-init anything passed by reference (very strong)"
++              bool "zero-init everything passed by reference (very strong)"
+               depends on GCC_PLUGINS
+               depends on !(KASAN && KASAN_STACK=1)
+               select GCC_PLUGIN_STRUCTLEAK
+@@ -91,33 +92,44 @@ choice
+                 of uninitialized stack variable exploits and information
+                 exposures.
++                As a side-effect, this keeps a lot of variables on the
++                stack that can otherwise be optimized out, so combining
++                this with CONFIG_KASAN_STACK can lead to a stack overflow
++                and is disallowed.
++
+       config INIT_STACK_ALL_PATTERN
+-              bool "0xAA-init everything on the stack (strongest)"
++              bool "pattern-init everything (strongest)"
+               depends on CC_HAS_AUTO_VAR_INIT_PATTERN
+               help
+-                Initializes everything on the stack with a 0xAA
+-                pattern. This is intended to eliminate all classes
+-                of uninitialized stack variable exploits and information
+-                exposures, even variables that were warned to have been
+-                left uninitialized.
++                Initializes everything on the stack (including padding)
++                with a specific debug value. This is intended to eliminate
++                all classes of uninitialized stack variable exploits and
++                information exposures, even variables that were warned about
++                having been left uninitialized.
+                 Pattern initialization is known to provoke many existing bugs
+                 related to uninitialized locals, e.g. pointers receive
+-                non-NULL values, buffer sizes and indices are very big.
++                non-NULL values, buffer sizes and indices are very big. The
++                pattern is situation-specific; Clang on 64-bit uses 0xAA
++                repeating for all types and padding except float and double
++                which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
++                repeating for all types and padding.
+       config INIT_STACK_ALL_ZERO
+-              bool "zero-init everything on the stack (strongest and safest)"
++              bool "zero-init everything (strongest and safest)"
+               depends on CC_HAS_AUTO_VAR_INIT_ZERO
+               help
+-                Initializes everything on the stack with a zero
+-                value. This is intended to eliminate all classes
+-                of uninitialized stack variable exploits and information
+-                exposures, even variables that were warned to have been
+-                left uninitialized.
+-
+-                Zero initialization provides safe defaults for strings,
+-                pointers, indices and sizes, and is therefore
+-                more suitable as a security mitigation measure.
++                Initializes everything on the stack (including padding)
++                with a zero value. This is intended to eliminate all
++                classes of uninitialized stack variable exploits and
++                information exposures, even variables that were warned
++                about having been left uninitialized.
++
++                Zero initialization provides safe defaults for strings
++                (immediately NUL-terminated), pointers (NULL), indices
++                (index 0), and sizes (0 length), so it is therefore more
++                suitable as a production security mitigation than pattern
++                initialization.
+ endchoice
diff --git a/queue-5.10/hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch b/queue-5.10/hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch
new file mode 100644 (file)
index 0000000..30bee33
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Sun Oct 16 03:03:28 PM CEST 2022
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 29 Sep 2022 22:57:43 -0700
+Subject: hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 607e57c6c62c00965ae276902c166834ce73014a upstream.
+
+Now that Clang's -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
+option is no longer required, remove it from the command line. Clang 16
+and later will warn when it is used, which will cause Kconfig to think
+it can't use -ftrivial-auto-var-init=zero at all. Check for whether it
+is required and only use it when so.
+
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: linux-kbuild@vger.kernel.org
+Cc: llvm@lists.linux.dev
+Cc: stable@vger.kernel.org
+Fixes: f02003c860d9 ("hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile                   |    4 ++--
+ security/Kconfig.hardening |   14 ++++++++++----
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -817,8 +817,8 @@ endif
+ # Initialize all stack variables with a zero value.
+ ifdef CONFIG_INIT_STACK_ALL_ZERO
+ KBUILD_CFLAGS += -ftrivial-auto-var-init=zero
+-ifdef CONFIG_CC_IS_CLANG
+-# https://bugs.llvm.org/show_bug.cgi?id=45497
++ifdef CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
++# https://github.com/llvm/llvm-project/issues/44842
+ KBUILD_CFLAGS += -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
+ endif
+ endif
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -22,11 +22,17 @@ menu "Memory initialization"
+ config CC_HAS_AUTO_VAR_INIT_PATTERN
+       def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
+-config CC_HAS_AUTO_VAR_INIT_ZERO
+-      # GCC ignores the -enable flag, so we can test for the feature with
+-      # a single invocation using the flag, but drop it as appropriate in
+-      # the Makefile, depending on the presence of Clang.
++config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
++      def_bool $(cc-option,-ftrivial-auto-var-init=zero)
++
++config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
++      # Clang 16 and later warn about using the -enable flag, but it
++      # is required before then.
+       def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
++      depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE
++
++config CC_HAS_AUTO_VAR_INIT_ZERO
++      def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
+ choice
+       prompt "Initialize kernel stack variables at function entry"
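Review bot: The replacement comment above the Clang opt-in flag in the Makefile part of the hunk is a bare URL, `# https://github.com/llvm/llvm-project/issues/44842`, so a reader of the 5.10 Makefile has to leave the tree to learn why the flag is now conditional, while the Kconfig.hardening part of the same hunk already states the reason in its `CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER` comment. Suggest `# Clang before 16 requires this opt-in flag for =zero; newer Clang warns on it. See https://github.com/llvm/llvm-project/issues/44842`. For anyone validating this hardening after a toolchain change: `CC_HAS_AUTO_VAR_INIT_ZERO` is now the OR of two cc-option probes, and if both fail the `INIT_STACK_ALL_ZERO` choice presumably becomes invisible and the default falls to `INIT_STACK_NONE` with no build error, so checking for `CONFIG_INIT_STACK_ALL_ZERO=y` in the generated .config is the practical guard against a silently lost mitigation.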
index a6326012e3f84fef733992597c089306e947f580..5e973252c70c8f2a0975e48e0c13c90d84ad1677 100644 (file)
@@ -50,3 +50,6 @@ btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch
 f2fs-increase-the-limit-for-reserve_root.patch
 f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch
 f2fs-fix-to-do-sanity-check-on-summary-info.patch
+hardening-clarify-kconfig-text-for-auto-var-init.patch
+hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch
+hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch