Skip to content
  • Alexander Popov's avatar
    x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls · afaef01c
    Alexander Popov authored
    The STACKLEAK feature (initially developed by PaX Team) has the following
    benefits:
    
    1. Reduces the information that can be revealed through kernel stack leak
       bugs. The idea of erasing the thread stack at the end of syscalls is
       similar to CONFIG_PAGE_POISONING and memzero_explicit() in kernel
       crypto, which all comply with FDP_RIP.2 (Full Residual Information
       Protection) of the Common Criteria standard.
    
    2. Blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712,
       CVE-2010-2963). That kind of bugs should be killed by improving C
       compilers in future, which might take a long time.
    
    This commit introduces the code filling the used part of the kernel
    stack with a poison value before returning to userspace. Full
    STACKLEAK feature also contains the gcc plugin which comes in a
    separate commit.
    
    The STACKLEAK feature is ported from grsecurity/PaX. More information at:
      https://grsecurity.net/
      https://pax.grsecurity.net/
    
    This code is modified from Brad Spengler/PaX Team's code in the last
    public patch of grsecurity/PaX based on our understanding of the code.
    Changes or omissions from the original code are ours and don't reflect
    the original grsecurity/PaX code.
    
    Performance impact:
    
    Hardware: Intel Core i7-4770, 16 GB RAM
    
    Test #1: building the Linux kernel on a single core
            0.91% slowdown
    
    Test #2
    
    : hackbench -s 4096 -l 2000 -g 15 -f 25 -P
            4.2% slowdown
    
    So the STACKLEAK description in Kconfig includes: "The tradeoff is the
    performance impact: on a single CPU system kernel compilation sees a 1%
    slowdown, other systems and workloads may vary and you are advised to
    test this feature on your expected workload before deploying it".
    
    Signed-off-by: default avatarAlexander Popov <alex.popov@linux.com>
    Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Reviewed-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
    Acked-by: default avatarIngo Molnar <mingo@kernel.org>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    afaef01c