
CONFIG_GCC_PLUGIN_STACKLEAK: Poison kernel stack before returning from syscalls

General information

The Linux kernel configuration item CONFIG_GCC_PLUGIN_STACKLEAK has multiple definitions:

Poison kernel stack before returning from syscalls found in security/Kconfig.hardening

The configuration item CONFIG_GCC_PLUGIN_STACKLEAK:

Help text

This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving the stack initialized to the poison value, which both reduces the lifetime of any sensitive stack contents and reduces potential for uninitialized stack variable exploits or information exposures (it does not cover functions reaching the same stack depth as prior functions during the same syscall). This blocks most uninitialized stack variable attacks, with the performance impact being driven by the depth of the stack usage, rather than the function calling complexity.

The performance impact on a single CPU system kernel compilation sees a 1% slowdown, other systems and workloads may vary and you are advised to test this feature on your expected workload before deploying it.

This plugin was ported from grsecurity/PaX. More information at:
* https://grsecurity.net/
* https://pax.grsecurity.net/

Erase the kernel stack before returning from syscalls found in scripts/gcc-plugins/Kconfig

The configuration item CONFIG_GCC_PLUGIN_STACKLEAK:

Help text

This option makes the kernel erase the kernel stack before returning from system calls. That reduces the information which kernel stack leak bugs can reveal and blocks some uninitialized stack variable attacks.

The tradeoff is the performance impact: on a single CPU system kernel compilation sees a 1% slowdown, other systems and workloads may vary and you are advised to test this feature on your expected workload before deploying it.

This plugin was ported from grsecurity/PaX. More information at:
* https://grsecurity.net/
* https://pax.grsecurity.net/

Hardware

LKDDb

Raw data from LKDDb:

Sources

This page is automatically generated with free (libre, open) software lkddb (see lkddb-sources).

The data is retrieved from:


Automatically generated (in year 2024). See also LKDDb sources on GitLab