On Tue, Jul 24, 2018 at 5:44 AM, Alexander Popov <[email protected]> wrote: > On 21.07.2018 00:41, Laura Abbott wrote: >> This adds support for the STACKLEAK gcc plugin to arm64 by implementing >> stackleak_check_alloca(), based heavily on the x86 version, and adding the >> two helpers used by the stackleak common code: current_top_of_stack() and >> on_thread_stack(). The stack erasure calls are made at syscall returns. >> Additionally, this disables the plugin in hypervisor and EFI stub code, >> which are out of scope for the protection. >> >> Reviewed-by: Mark Rutland <[email protected]> >> Reviewed-by: Kees Cook <[email protected]> >> Signed-off-by: Laura Abbott <[email protected]> >> --- >> v3: Actual commit text courtesy of Kees. A comment explaining why we >> panic >> --- >> arch/arm64/Kconfig | 1 + >> arch/arm64/include/asm/processor.h | 15 +++++++++++++++ >> arch/arm64/kernel/entry.S | 7 +++++++ >> arch/arm64/kernel/process.c | 22 ++++++++++++++++++++++ >> arch/arm64/kvm/hyp/Makefile | 3 ++- >> drivers/firmware/efi/libstub/Makefile | 3 ++- >> 6 files changed, 49 insertions(+), 2 deletions(-) > > Laura, thanks for your work! > > I've reviewed and tested this patch on my LeMaker HiKey board (HiSilicon Kirin > 620 SoC). The lkdtm tests for STACKLEAK work fine. > > Acked-by: Alexander Popov <[email protected]> > > For testing I applied your patches above Kees' for-next/kspp: > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=for-next/kspp > > I've had one trouble with building CONFIG_STACKLEAK_RUNTIME_DISABLE on arm64. > Kees, could you please fold this into the 7th patch of the series?
Sure thing! -Kees > > ---- >8 ---- > > diff --git a/kernel/stackleak.c b/kernel/stackleak.c > index f731c9a..03031f7a 100644 > --- a/kernel/stackleak.c > +++ b/kernel/stackleak.c > @@ -16,6 +16,7 @@ > > #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE > #include <linux/jump_label.h> > +#include <linux/sysctl.h> > > static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass); > -- Kees Cook Pixel Security
