On Fri, 9 Aug 2019 at 20:55, Riccardo Corsi via lfs-dev <[email protected]> wrote:
>
> Hello, I have a question about a 5.2.7 kernel parameter.
> Initialize kernel stack variables at function entry: (1...4)
>
> This is the related part of config kernel file:
>
> # Memory initialization
> #
> # CONFIG_INIT_STACK_NONE is not set
> CONFIG_GCC_PLUGIN_STRUCTLEAK_USER=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
>
> What is the best selection?

You may already have found this Riccardo but, just in case, looking at the
Linux Kernel Driver DataBase data hosted here

https://cateee.net/lkddb/web-lkddb/GCC_PLUGIN_STRUCTLEAK.html

says

> While the kernel is built with warnings enabled for any missed stack variable
> initializations, this warning is silenced for anything passed by reference to
> another function, under the occasionally misguided assumption that the
> function will do the initialization. As this regularly leads to exploitable
> flaws, this plugin is available to identify and zero-initialize such
> variables, depending on the chosen level of coverage.

and suggests, as you might have expected, what with this being a
"hardening" feature, that

> This plugin was originally ported from grsecurity/PaX. More information at:
> * https://grsecurity.net/
> * https://pax.grsecurity.net/

so maybe there's a better write up on the options at the grsecurity site
or within its mailing lists.

Then again, was it in the kernel when the last "Hardened LFS" version
was produced, back in 2011?

http://www.linuxfromscratch.org/hlfs/view/development/
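
The pattern the quoted LKDDB text describes, as an added example that is not part of the thread or of the kernel source: a structure is handed by reference to a callee that fills only part of it, and the whole structure is then copied out. All names are hypothetical; the reused stack slot is modelled with a static object pre-filled with a constructed 0xA5 marker so the result is deterministic, and the explicit memset stands in for the zero-initialization the plugin inserts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure; the callee below fills only part of it. */
struct reply {
    unsigned char status;      /* usually followed by padding bytes */
    unsigned int  length;
    unsigned char name[16];
};

static struct reply slot;                      /* stand-in for a reused stack slot */
static unsigned char out[sizeof(struct reply)]; /* stand-in for the caller's buffer */

/* An earlier call leaves old data behind; 0xA5 is a constructed marker. */
static void earlier_call(void)
{
    memset(&slot, 0xA5, sizeof(slot));
}

/* Callee that gets the struct by reference and sets only some bytes. */
static void fill_reply(struct reply *r)
{
    r->status = 1;
    r->length = 3;
    memcpy(r->name, "eth", 3);                 /* name[3..15] never written */
}

/* Returns how many stale marker bytes reach the output buffer.
 * zero_init != 0 models the zeroing done at function entry. */
size_t stale_bytes_copied_out(int zero_init)
{
    size_t i, stale = 0;

    earlier_call();
    if (zero_init)
        memset(&slot, 0, sizeof(slot));
    fill_reply(&slot);
    memcpy(out, &slot, sizeof(slot));          /* whole struct leaves the function */
    for (i = 0; i < sizeof(out); i++)
        if (out[i] == 0xA5)
            stale++;
    return stale;
}

int main(void)
{
    printf("without zero-init: %zu stale bytes\n", stale_bytes_copied_out(0));
    printf("with zero-init:    %zu stale bytes\n", stale_bytes_copied_out(1));
    return 0;
}
```

The compiler has no reason to warn about `slot` here, because from the caller's side `fill_reply()` is assumed to initialize it.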
