Google Git
Sign in
android-kvm / buildroot / refs/heads/2020.11.x / . / boot / grub2 / 0133-kern-efi-Add-initial-stack-protector-implementation.patch
blob: c0b6bf6a83561d0fbe59c01f5a47025282861819 [file] [log] [blame]
From 133d73079c5771bbf3d8311281b6772846357ec1 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Tue, 1 Dec 2020 23:03:39 +0000
Subject: [PATCH] kern/efi: Add initial stack protector implementation
It works only on UEFI platforms but can be quite easily extended to
others architectures and platforms if needed.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Stefan SΓΈrensen <stefan.sorensen@spectralink.com>
---
acinclude.m4 | 38 ++++++++++++++++-
configure | 97 +++++++++++++++++++++++++++++++++++++++---
configure.ac | 44 ++++++++++++++++---
grub-core/Makefile.am | 1 +
grub-core/Makefile.in | 1 +
grub-core/kern/efi/init.c | 54 +++++++++++++++++++++++
include/grub/efi/api.h | 19 +++++++++
include/grub/stack_protector.h | 30 +++++++++++++
po/POTFILES.in | 1 +
9 files changed, 272 insertions(+), 13 deletions(-)
create mode 100644 include/grub/stack_protector.h
diff --git a/acinclude.m4 b/acinclude.m4
index 78cdf6e..6e14bb5 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -305,9 +305,9 @@ fi
])
-dnl Check if the C compiler supports `-fstack-protector'.
+dnl Check if the C compiler supports the stack protector
AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
-[# Smashing stack protector.
+[# Stack smashing protector.
ssp_possible=yes]
AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
# Is this a reliable test case?
@@ -324,6 +324,40 @@ else
ssp_possible=no]
AC_MSG_RESULT([no])
[fi]
+[# Strong stack smashing protector.
+ssp_strong_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
+ AC_MSG_RESULT([yes])
+ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_strong_possible=no]
+ AC_MSG_RESULT([no])
+[fi]
+[# Global stack smashing protector.
+ssp_global_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
+ AC_MSG_RESULT([yes])
+ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_global_possible=no]
+ AC_MSG_RESULT([no])
+[fi]
])
dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
diff --git a/configure b/configure
index 9290ae8..973f702 100755
--- a/configure
+++ b/configure
@@ -1778,6 +1778,7 @@ with_libintl_prefix
with_libpth_prefix
with_included_regex
enable_efiemu
+enable_stack_protector
enable_mm_debug
enable_cache_stats
enable_boot_time
@@ -2459,6 +2460,8 @@ Optional Features:
--disable-rpath do not hardcode runtime library paths
--enable-efiemu build and install the efiemu runtimes
(default=guessed)
+ --enable-stack-protector
+ enable the stack protector
--enable-mm-debug include memory manager debugging
--enable-cache-stats enable disk cache statistics collection
--enable-boot-time enable boot time statistics collection
@@ -32348,9 +32351,9 @@ fi
CFLAGS="$TARGET_CFLAGS"
-# Smashing stack protector.
+# Stack smashing protector.
-# Smashing stack protector.
+# Stack smashing protector.
ssp_possible=yes
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-fstack-protector'" >&5
$as_echo_n "checking whether \`$CC' accepts \`-fstack-protector'... " >&6; }
@@ -32373,11 +32376,88 @@ else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
+# Strong stack smashing protector.
+ssp_strong_possible=yes
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-fstack-protector-strong'" >&5
+$as_echo_n "checking whether \`$CC' accepts \`-fstack-protector-strong'... " >&6; }
+# Is this a reliable test case?
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-# Need that, because some distributions ship compilers that include
-# `-fstack-protector' in the default specs.
-if test "x$ssp_possible" = xyes; then
- TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+void foo (void) { volatile char a[8]; a[3]; }
+
+_ACEOF
+# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ # Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_strong_possible=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+# Global stack smashing protector.
+ssp_global_possible=yes
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-mstack-protector-guard=global'" >&5
+$as_echo_n "checking whether \`$CC' accepts \`-mstack-protector-guard=global'... " >&6; }
+# Is this a reliable test case?
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+void foo (void) { volatile char a[8]; a[3]; }
+
+_ACEOF
+# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ # Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_global_possible=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+# Check whether --enable-stack-protector was given.
+if test "${enable_stack_protector+set}" = set; then :
+ enableval=$enable_stack_protector;
+else
+ enable_stack_protector=no
+fi
+
+if test "x$enable_stack_protector" = xno; then
+ if test "x$ssp_possible" = xyes; then
+ # Need that, because some distributions ship compilers that include
+ # `-fstack-protector' in the default specs.
+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+ fi
+elif test "x$platform" != xefi; then
+ as_fn_error $? "--enable-stack-protector is only supported on EFI platforms" "$LINENO" 5
+elif test "x$ssp_global_possible" != xyes; then
+ as_fn_error $? "--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)" "$LINENO" 5
+else
+ TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
+ if test "x$enable_stack_protector" = xyes; then
+ if test "x$ssp_possible" != xyes; then
+ as_fn_error $? "--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)" "$LINENO" 5
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
+ elif test "x$enable_stack_protector" = xstrong; then
+ if test "x$ssp_strong_possible" != xyes; then
+ as_fn_error $? "--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)" "$LINENO" 5
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
+ else
+ # Note, -fstack-protector-all requires that the protector is disabled for
+ # functions that appear in the call stack when the canary is initialized.
+ as_fn_error $? "invalid value $enable_stack_protector for --enable-stack-protector" "$LINENO" 5
+ fi
+ TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
fi
CFLAGS="$TARGET_CFLAGS"
@@ -37054,5 +37134,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
else
echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
fi
+if test "x$enable_stack_protector" != xno; then
+echo "With stack smashing protector: Yes"
+else
+echo "With stack smashing protector: No"
+fi
echo "*******************************************************"
diff --git a/configure.ac b/configure.ac
index 7656f24..bb6b02a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1285,12 +1285,41 @@ fi]
CFLAGS="$TARGET_CFLAGS"
-# Smashing stack protector.
+# Stack smashing protector.
grub_CHECK_STACK_PROTECTOR
-# Need that, because some distributions ship compilers that include
-# `-fstack-protector' in the default specs.
-if test "x$ssp_possible" = xyes; then
- TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+AC_ARG_ENABLE([stack-protector],
+ AS_HELP_STRING([--enable-stack-protector],
+ [enable the stack protector]),
+ [],
+ [enable_stack_protector=no])
+if test "x$enable_stack_protector" = xno; then
+ if test "x$ssp_possible" = xyes; then
+ # Need that, because some distributions ship compilers that include
+ # `-fstack-protector' in the default specs.
+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+ fi
+elif test "x$platform" != xefi; then
+ AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+elif test "x$ssp_global_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
+else
+ TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
+ if test "x$enable_stack_protector" = xyes; then
+ if test "x$ssp_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
+ elif test "x$enable_stack_protector" = xstrong; then
+ if test "x$ssp_strong_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
+ else
+ # Note, -fstack-protector-all requires that the protector is disabled for
+ # functions that appear in the call stack when the canary is initialized.
+ AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
+ fi
+ TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
fi
CFLAGS="$TARGET_CFLAGS"
@@ -2103,5 +2132,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
else
echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
fi
+if test "x$enable_stack_protector" != xno; then
+echo "With stack smashing protector: Yes"
+else
+echo "With stack smashing protector: No"
+fi
echo "*******************************************************"
]
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 30e23ad..ee88e44 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@ endif
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
diff --git a/grub-core/Makefile.in b/grub-core/Makefile.in
index 1f8133b..50c70b5 100644
--- a/grub-core/Makefile.in
+++ b/grub-core/Makefile.in
@@ -16425,6 +16425,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \
$(am__append_5795) $(top_srcdir)/include/grub/mm.h \
$(top_srcdir)/include/grub/parser.h \
$(top_srcdir)/include/grub/partition.h \
+ $(top_srcdir)/include/grub/stack_protector.h \
$(top_srcdir)/include/grub/term.h \
$(top_srcdir)/include/grub/time.h \
$(top_srcdir)/include/grub/verify.h \
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 1333465..7facacf 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -27,6 +27,58 @@
#include <grub/env.h>
#include <grub/mm.h>
#include <grub/kernel.h>
+#include <grub/stack_protector.h>
+
+#ifdef GRUB_STACK_PROTECTOR
+
+static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
+
+/*
+ * Don't put this on grub_efi_init()'s local stack to avoid it
+ * getting a stack check.
+ */
+static grub_efi_uint8_t stack_chk_guard_buf[32];
+
+grub_addr_t __stack_chk_guard;
+
+void __attribute__ ((noreturn))
+__stack_chk_fail (void)
+{
+ /*
+ * Assume it's not safe to call into EFI Boot Services. Sorry, that
+ * means no console message here.
+ */
+ do
+ {
+ /* Do not optimize out the loop. */
+ asm volatile ("");
+ }
+ while (1);
+}
+
+static void
+stack_protector_init (void)
+{
+ grub_efi_rng_protocol_t *rng;
+
+ /* Set up the stack canary. Make errors here non-fatal for now. */
+ rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL);
+ if (rng != NULL)
+ {
+ grub_efi_status_t status;
+
+ status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf),
+ stack_chk_guard_buf);
+ if (status == GRUB_EFI_SUCCESS)
+ grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard));
+ }
+}
+#else
+static void
+stack_protector_init (void)
+{
+}
+#endif
grub_addr_t grub_modbase;
@@ -38,6 +90,8 @@ grub_efi_init (void)
messages. */
grub_console_init ();
+ stack_protector_init ();
+
/* Initialize the memory management system. */
grub_efi_mm_init ();
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 13e5715..5517f7e 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -339,6 +339,11 @@
{ 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
}
+#define GRUB_EFI_RNG_PROTOCOL_GUID \
+ { 0x3152bca5, 0xeade, 0x433d, \
+ { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
+ }
+
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
@@ -1700,6 +1705,20 @@ struct grub_efi_shim_lock_protocol
};
typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
+typedef grub_efi_guid_t grub_efi_rng_algorithm_t;
+
+struct grub_efi_rng_protocol
+{
+ grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this,
+ grub_efi_uintn_t *rng_algorithm_list_size,
+ grub_efi_rng_algorithm_t *rng_algorithm_list);
+ grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this,
+ grub_efi_rng_algorithm_t *rng_algorithm,
+ grub_efi_uintn_t rng_value_length,
+ grub_efi_uint8_t *rng_value);
+};
+typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
+
#if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
|| defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \
|| defined(__riscv)
diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h
new file mode 100644
index 0000000..c88dc00
--- /dev/null
+++ b/include/grub/stack_protector.h
@@ -0,0 +1,30 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2021 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_STACK_PROTECTOR_H
+#define GRUB_STACK_PROTECTOR_H 1
+
+#include <grub/symbol.h>
+#include <grub/types.h>
+
+#ifdef GRUB_STACK_PROTECTOR
+extern grub_addr_t EXPORT_VAR (__stack_chk_guard);
+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
+#endif
+
+#endif /* GRUB_STACK_PROTECTOR_H */
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 7753ab4..ef42c7d 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1319,6 +1319,7 @@
./include/grub/sparc64/time.h
./include/grub/sparc64/types.h
./include/grub/speaker.h
+./include/grub/stack_protector.h
./include/grub/symbol.h
./include/grub/syslinux_parse.h
./include/grub/term.h
--
2.14.2