enable kernel stack protection

Bug #369152 reported by Andy Whitcroft
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Andy Whitcroft

Bug Description

As requested by the security team could we enable CC_STACKPROTECTOR in the kernel.


Andy Whitcroft (apw)
Changed in linux (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
importance: Undecided → Medium

Andy Whitcroft (apw) wrote :

It seems that this support is currently not enablable. It is currently marked as broken:

    config CC_STACKPROTECTOR
        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
        depends on X86_64 && EXPERIMENTAL
        depends on X86_64 && EXPERIMENTAL && BROKEN

This was done under the following commit, so it doesn't appear we will be able to enable it currently.

  commit 2c020a99e058cdfc3a073cbfbfcc6ff55d3bfc43
  Author: Linus Torvalds <email address hidden>
  Date: Fri Feb 22 08:21:38 2008 -0800

    Mark CC_STACKPROTECTOR as being BROKEN

    It's always been broken, but recent fixes actually made it do something,
    and now the brokenness shows up as the resulting kernel simply not
    working at all.

    So it used to be that you could enable this config option, and it just
    didn't do anything. Now we'd better stop people from enabling it by
    mistake, since it _does_ do something, but does it so badly as to be
    unusable.

    Code to actually make it work is pending, but incomplete and won't be
    merged into 2.6.25 in any case.

Kees Cook (kees) wrote :

This is okay in the current (karmic) kernel, IIUC. Ingo's fixes have been merged, and there is x86_32 support for it too now.

Andy Whitcroft (apw) wrote :

Ahh yes. However currently enabling the stack protector occurs on all functions which may have performance ramifications:

  config CC_STACKPROTECTOR_ALL
        bool

  config CC_STACKPROTECTOR
        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
        select CC_STACKPROTECTOR_ALL
        ---help---

Kees Cook (kees) wrote :

Here's the rationale for _ALL from lkml. If _ALL is needed to catch vmsplice-like stuff, we should use it. As for performance, it seems that only limited situations on already slow x86 hardware would even notice the effect on the icache. We should obviously make sure it actually works, of course. :)

---
* Kees Cook <email address hidden> wrote:
> What is the rationale for why CC_STACKPROTECTOR_ALL is forced when
> using CC_STACKPROTECTOR? I would have expected _ALL to be a
> separate option (as it was in earlier versions), but it seems it
> is forced on by commit 113c5413cf9051cc50b88befdc42e3402bb92115.

it used to be a separate option. I merged them into one, because we
had too many options really, and because the vmsplice exploit would
only have been caught by the _ALL variant. So the 'light' variant
never really worked well IMO.

        Ingo

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.30-2.3

---------------
linux (2.6.30-2.3) karmic; urgency=low

  [ Tim Gardner ]

  * [Config] Enabled CC_STACKPROTECTOR=y for all x86en
    - LP: #369152
  * SAUCE: Default to i915_modeset=0 if CONFIG_DRM_I915_KMS=y
  * [Config] CONFIG_DRM_I915_KMS=y
  * [Config] Set CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR to appropriate ARCH
    minimums

  [ Upstream Kernel Changes ]

  * rebased to 2.6.30-rc4

 -- Tim Gardner <email address hidden> Thu, 30 Apr 2009 09:17:05 -0600

Changed in linux (Ubuntu):
status: In Progress → Fix Released

Tim Gardner (timg-tpi) wrote :

linux (2.6.30-2.3) karmic; urgency=low

  [ Tim Gardner ]

  * [Config] Enabled CC_STACKPROTECTOR=y for all x86en
    - LP: #369152
  * SAUCE: Default to i915_modeset=0 if CONFIG_DRM_I915_KMS=y
  * [Config] CONFIG_DRM_I915_KMS=y
  * [Config] Set CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR to appropriate ARCH
    minimums

  [ Upstream Kernel Changes ]

  * rebased to 2.6.30-rc4

 -- Tim Gardner <email address hidden> Thu, 30 Apr 2009 09:17:05 -0600
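
To confirm on an installed system what the changelog above enabled, the following added example (not part of the bug report or of the Ubuntu packaging) reads a kernel config file and reports which of the two options discussed in this thread are set. The function names are hypothetical, and the `CONFIG_` prefix on the option names and the config file locations in the comments are assumptions about how the kernel build and the distribution expose the config.

```shell
#!/bin/sh
# Report the stack-protector level recorded in a kernel config file.
# Prints one of: "all" (CC_STACKPROTECTOR_ALL=y), "basic"
# (CC_STACKPROTECTOR=y only), or "off".
# Typical inputs (assumed paths): /boot/config-$(uname -r), /proc/config.gz

# Print the config text, transparently handling gzip-compressed files.
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Succeeds only if option $2 is built in (=y) in config file $1.
# "# CONFIG_FOO is not set" lines and absent options both count as disabled,
# and the anchored pattern keeps CC_STACKPROTECTOR from matching the _ALL line.
config_enabled() {
    read_config "$1" | grep -q "^CONFIG_$2=y\$"
}

stackprotector_level() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read config file: $cfg" >&2
        return 2
    fi
    if config_enabled "$cfg" CC_STACKPROTECTOR_ALL; then
        echo all
    elif config_enabled "$cfg" CC_STACKPROTECTOR; then
        echo basic
    else
        echo off
    fi
}

# Example call: stackprotector_level "/boot/config-$(uname -r)"
```

On a kernel where CC_STACKPROTECTOR selects CC_STACKPROTECTOR_ALL, as in the Kconfig excerpt quoted earlier in the thread, the expected result is "all".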
