From 3e75c03cb21bef99464b5d1d52a3e3003af685d6 Mon Sep 17 00:00:00 2001
From: Flavio Ceolin
Date: Fri, 13 Dec 2024 08:58:17 -0800
Subject: [PATCH] security: Add default stack protection level
STACK_CANARIES was enabling canaries in all functions using the compiler flag -fstack-protector-all. This became confuse with the addition of the options STRONG and EXPLICIT. This commit adds the missing option (default level) and disambiguous the options mapping them close to the compiler flags.
Now we have the following options:
STACK_CANARIES -> fstack-protector
STACK_CANARIES_STRONG -> fstack-protector-strong
STACK_CANARIES_ALL -> fstack-protector-all
STACK_CANARIES_EXPLICIT -> fstack-protector-explicit
Note that from now on STACK_CANARIES_ALL is the symbol that adds canaries for all functions.
Signed-off-by: Flavio Ceolin
---
 CMakeLists.txt | 2 ++
 cmake/compiler/arcmwdt/compiler_flags.cmake | 3 ++-
 cmake/compiler/compiler_flags_template.cmake | 1 +
 cmake/compiler/gcc/compiler_flags.cmake | 5 ++++-
 kernel/Kconfig | 14 ++++++++++++--
 kernel/compiler_stack_protect.c | 2 +-
 6 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6feef29ce34..5bd9348cb57 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -177,6 +177,8 @@ if(CONFIG_STACK_CANARIES)
 zephyr_compile_options($)
 elseif(CONFIG_STACK_CANARIES_STRONG)
 zephyr_compile_options($)
+elseif(CONFIG_STACK_CANARIES_ALL)
+ zephyr_compile_options($)
 elseif(CONFIG_STACK_CANARIES_EXPLICIT)
 zephyr_compile_options($)
 endif()
diff --git a/cmake/compiler/arcmwdt/compiler_flags.cmake b/cmake/compiler/arcmwdt/compiler_flags.cmake
index 3f8a46f4f01..7234afc0c80 100644
--- a/cmake/compiler/arcmwdt/compiler_flags.cmake
+++ b/cmake/compiler/arcmwdt/compiler_flags.cmake
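Review bot: `security_canaries_all`, which the added `elseif(CONFIG_STACK_CANARIES_ALL)` branch presumably expands (the generator expression is cut to `$` on this page), is given a value only in the gcc and arcmwdt flag files of this patch, and the template leaves it empty. A toolchain flag file outside the diffstat that does not inherit the gcc definitions would then build `CONFIG_STACK_CANARIES_ALL=y` with no stack-protector flag while Kconfig reports maximum protection. Confirm the remaining files under cmake/compiler/ and record the expectation above the chain, e.g. `# every toolchain that accepts STACK_CANARIES_ALL must set security_canaries_all; an empty property emits no canaries`.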
@@ -167,8 +167,9 @@ set_compiler_property(PROPERTY imacros -imacros)
 # Security canaries.
 #no support of -mstack-protector-guard=global"
-set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
+set_compiler_property(PROPERTY security_canaries -fstack-protector)
 set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
+set_compiler_property(PROPERTY security_canaries_all -fstack-protector-all)
 #no support of _FORTIFY_SOURCE"
 set_compiler_property(PROPERTY security_fortify_compile_time)
diff --git a/cmake/compiler/compiler_flags_template.cmake b/cmake/compiler/compiler_flags_template.cmake
index e35660491c6..447db04a2d3 100644
--- a/cmake/compiler/compiler_flags_template.cmake
+++ b/cmake/compiler/compiler_flags_template.cmake
@@ -93,6 +93,7 @@ set_compiler_property(PROPERTY coverage)
 # Security canaries flags.
 set_compiler_property(PROPERTY security_canaries)
 set_compiler_property(PROPERTY security_canaries_strong)
+set_compiler_property(PROPERTY security_canaries_all)
 set_compiler_property(PROPERTY security_canaries_explicit)
 set_compiler_property(PROPERTY security_fortify_compile_time)
diff --git a/cmake/compiler/gcc/compiler_flags.cmake b/cmake/compiler/gcc/compiler_flags.cmake
index 59ae986915b..e650dd424f3 100644
--- a/cmake/compiler/gcc/compiler_flags.cmake
+++ b/cmake/compiler/gcc/compiler_flags.cmake
@@ -167,18 +167,21 @@ set_property(TARGET compiler-cpp PROPERTY no_rtti "-fno-rtti")
 set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inline)
 # Security canaries.
-set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
+set_compiler_property(PROPERTY security_canaries -fstack-protector)
 set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
+set_compiler_property(PROPERTY security_canaries_all -fstack-protector-all)
 set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
 # Only a valid option with GCC 7.x and above, so let's do check and set.
 if(CONFIG_STACK_CANARIES_TLS)
 check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
 check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
+ check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=tls)
 check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
 else()
 check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
 check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
+ check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=global)
 check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
 endif()
diff --git a/kernel/Kconfig b/kernel/Kconfig
index 2c0cbfce085..36fcf1d821c 100644
--- a/kernel/Kconfig
+++ b/kernel/Kconfig
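Review bot: In the `else()` branch, the context line just above the added `security_canaries_all` line appends `-mstack-protector-guard=global` to `security_canaries_global`, a property that no other line in this patch sets or reads; the `tls` branch uses `security_canaries_strong` at the same position. If that is a typo, `CONFIG_STACK_CANARIES_STRONG` builds without `CONFIG_STACK_CANARIES_TLS` never receive the explicit guard option, and this commit is a natural place to correct it: `check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=global)`. The line predates this change, so first confirm that nothing outside the visible files consumes `security_canaries_global`.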
@@ -890,12 +890,14 @@ choice
 will occur at build time.
 config STACK_CANARIES
- bool "Maximum protection available"
+ bool "Default protection"
 depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
 select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
 select REQUIRES_STACK_CANARIES
 help
- This option enables compiler stack canaries for all functions.
+ This option enables compiler stack canaries in functions that have
+ vulnerable objects. Generally this means function that call alloca or
+ have buffers larger than 8 bytes.
 config STACK_CANARIES_STRONG
 bool "Strong protection"
@@ -907,6 +909,14 @@ config STACK_CANARIES_STRONG
 functions that have local array definitiion or have references to local frame addresses.
+config STACK_CANARIES_ALL
+ bool "Maximum protection available"
+ depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
+ select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
+ select REQUIRES_STACK_CANARIES
+ help
+ This option enables compiler stack canaries for all functions.
+
 config STACK_CANARIES_EXPLICIT
 bool "Explicit protection"
 depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
diff --git a/kernel/compiler_stack_protect.c b/kernel/compiler_stack_protect.c
index d48190c6c9e..30da82d4a49 100644
--- a/kernel/compiler_stack_protect.c
+++ b/kernel/compiler_stack_protect.c
@@ -11,7 +11,7 @@
 * This module provides functions to support compiler stack protection
 * using canaries. This feature is enabled with configuration
 * CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
- * CONFIG_STACK_CANARIES_EXPLICIT=y.
+ * CONFIG_STACK_CANARIES_ALL=y or CONFIG_STACK_CANARIES_EXPLICIT=y.
 *
 * When this feature is enabled, the compiler generated code refers to
 * function __stack_chk_fail and global variable __stack_chk_guard.
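Review bot: `STACK_CANARIES` keeps its name but now maps to `-fstack-protector`, so an existing configuration with `CONFIG_STACK_CANARIES=y` still builds cleanly after this patch while instrumenting fewer functions, and neither the new help text nor any of the six files in the diffstat tells the user. The help for `STACK_CANARIES` should say so, for example `Before this change this symbol enabled canaries for all functions; select STACK_CANARIES_ALL to keep that coverage.`, and a release or migration note would be appropriate as well. In the same help text, `function that call alloca` should read `functions that call alloca`. The mapping itself changes in the gcc and arcmwdt flag hunks.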