anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

SLAB_MERGE_DEFAULT prevents definition of check_canary #54

Closed sempervictus closed 3 years ago

sempervictus commented 3 years ago

When enabling SLAB_MERGE_DEFAULT, CONFIG_SLAB_CANARY cannot be defined, and check_canary depends on it. Since non-ifdef'd code references the check_canary function, this breaks the build:

mm/slub.c:1607:3: error: implicit declaration of function ‘check_canary’ [-Werror=implicit-function-declaration]
mm/slub.c:1607:28: error: ‘struct kmem_cache’ has no member named ‘random_active’
mm/slub.c:1623:3: error: implicit declaration of function ‘set_canary’; did you mean ‘set_capacity’? [-Werror=implicit-function-declaration]
mm/slub.c:1623:26: error: ‘struct kmem_cache’ has no member named ‘random_inactive’
mm/slub.c:1657:25: error: ‘struct kmem_cache’ has no member named ‘random_inactive’
mm/slub.c:2966:28: error: ‘struct kmem_cache’ has no member named ‘random_inactive’
mm/slub.c:2967:26: error: ‘struct kmem_cache’ has no member named ‘random_active’
mm/slub.c:3433:26: error: ‘struct kmem_cache’ has no member named ‘random_inactive’
mm/slub.c:3434:24: error: ‘struct kmem_cache’ has no member named ‘random_active’
mm/slub.c:3638:48: error: ‘struct kmem_cache’ has no member named ‘random_active’
mm/slub.c:4172:41: error: ‘struct kmem_cache’ has no member named ‘random_active’

anthraxx commented 3 years ago

You shouldn't use SLAB_MERGE_DEFAULT for a hardened kernel, but it's obviously a bug when compilation breaks.

anthraxx commented 3 years ago

This is supposed to work from the macro-defined functions, which should simply be optimized out altogether. Which exact compiler and version of it are you using?

sempervictus commented 3 years ago

GCC 10.2 (Arch Linux). Thanks for digging into this.

anthraxx commented 3 years ago

@sempervictus can you post your kconfig file? Also, did you do anything special or define specific flags? The defines must be in place when the real functions are not declared. I also couldn't make my POC fail, whatever I did in a similar way.

anthraxx commented 3 years ago

@sempervictus let me make a guess: you do not have CONFIG_SLUB_DEBUG enabled, right?

sempervictus commented 3 years ago

@anthraxx: it is enabled:

$ grep CONFIG_SLUB_DEBUG config.sv 
CONFIG_SLUB_DEBUG=y
# CONFIG_SLUB_DEBUG_ON is not set

There's a bunch of other patches atop it, including UKSM, which is why it's being enabled in the config. The majority of the patch stack can be found here

anthraxx commented 3 years ago

Please post your Kconfig.

anthraxx commented 3 years ago

https://github.com/anthraxx/linux-hardened/commit/9642d52d1dfbf2de9a01cec6e4a42114693ea868
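
The stub pattern discussed in this thread, as an added user-space example that is not code from mm/slub.c or from the linked commit. The names set_canary, check_canary, random_active and random_inactive come from the build errors above; DEMO_SLAB_CANARY, demo_cache, canary_slot, demo_write_then_check and the XOR-with-address canary scheme are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for CONFIG_SLAB_CANARY; delete it to build the stub path. */
#define DEMO_SLAB_CANARY 1

struct demo_cache {
    size_t object_size;
#ifdef DEMO_SLAB_CANARY
    uintptr_t random_active, random_inactive; /* exist only with the feature on */
#endif
};

#ifdef DEMO_SLAB_CANARY
static uintptr_t *canary_slot(struct demo_cache *s, void *obj) {
    return (uintptr_t *)((char *)obj + s->object_size); /* word after the object */
}
static void set_canary(struct demo_cache *s, void *obj, uintptr_t value) {
    uintptr_t *c = canary_slot(s, obj);
    *c = value ^ (uintptr_t)c;           /* bind the secret to its own address */
}
/* Returns 1 if the canary is intact, 0 if it was overwritten. */
static int check_canary(struct demo_cache *s, void *obj, uintptr_t expected) {
    uintptr_t *c = canary_slot(s, obj);
    return *c == (expected ^ (uintptr_t)c);
}
#else
/* Stubs drop their arguments textually, so call sites that name s.random_active
 * still compile when the member is absent. Without them the build fails with
 * the same two error kinds as the report. */
#define set_canary(s, obj, value)      ((void)0)
#define check_canary(s, obj, expected) (1)
#endif

/* Arm the canary, write len bytes into a two-word object, then verify. */
static int demo_write_then_check(size_t len) {
    uintptr_t slab[4] = {0};             /* object (2 words) + canary + spare */
    struct demo_cache s = { .object_size = 2 * sizeof(uintptr_t) };
#ifdef DEMO_SLAB_CANARY
    s.random_active = (uintptr_t)0x5eedc0de; /* constructed; a kernel uses random data */
#endif
    set_canary(&s, slab, s.random_active);
    memset(slab, 'A', len);              /* len > object_size models an overflow */
    return check_canary(&s, slab, s.random_active);
}

int main(void) {
    printf("in-bounds: %d\n", demo_write_then_check(2 * sizeof(uintptr_t)));
    return 0;
}
```
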