On Sat, Jul 26, 2025 at 02:29:45PM -0700, Kees Cook wrote:
> When building with CONFIG_KSTACK_ERASE=y and CONFIG_ARM_ATAG_DTB_COMPAT=y,
> the compressed boot environment encounters an undefined symbol error:
>
> ld.lld: error: undefined symbol: __sanitizer_cov_stack_depth
> >>> referenced by atags_to_fdt.c:135
>
> This occurs because the compiler instruments the atags_to_fdt() function
> with sanitizer coverage calls, but the minimal compressed boot environment
> lacks access to sanitizer runtime support.
>
> The compressed boot environment already disables stack protector with
> -fno-stack-protector. Similarly disable sanitizer coverage by adding
> $(DISABLE_KSTACK_ERASE) to the general compiler flags (and remove it
> from the one place it was noticed before), which contains the appropriate
> flags to prevent sanitizer instrumentation.
>
> This follows the same pattern used in other early boot contexts where
> sanitizer runtime support is unavailable.
>
> Reported-by: Linux Kernel Functional Testing <l...@linaro.org>
> Closes: https://lore.kernel.org/all/CA+G9fYtBk8qnpWvoaFwymCx5s5i-5KXtPGpmf=_+ukjddco...@mail.gmail.com
> Reported-by: Nathan Chancellor <nat...@kernel.org>
> Closes: https://lore.kernel.org/all/20250726004313.GA3650901@ax162
> Suggested-by: Nathan Chancellor <nat...@kernel.org>
> Signed-off-by: Kees Cook <k...@kernel.org>

Tested-by: Nathan Chancellor <nat...@kernel.org> > --- > arch/arm/boot/compressed/Makefile | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm/boot/compressed/Makefile > b/arch/arm/boot/compressed/Makefile > index f9075edfd773..a159120d1e42 100644 > --- a/arch/arm/boot/compressed/Makefile > +++ b/arch/arm/boot/compressed/Makefile > @@ -9,7 +9,6 @@ OBJS = > > HEAD = head.o > OBJS += misc.o decompress.o > -CFLAGS_decompress.o += $(DISABLE_KSTACK_ERASE) > ifeq ($(CONFIG_DEBUG_UNCOMPRESS),y) > OBJS += debug.o > AFLAGS_head.o += -DDEBUG > @@ -96,6 +95,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING > > ccflags-y := -fpic $(call cc-option,-mno-single-pic-base,) -fno-builtin \ > -I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \ > + $(DISABLE_KSTACK_ERASE) \ > -I$(obj) > ccflags-remove-$(CONFIG_FUNCTION_TRACER) += -pg > asflags-y := -DZIMAGE > -- > 2.34.1 >
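
Review bot: the $(DISABLE_KSTACK_ERASE) line added to ccflags-y in the second hunk has no comment saying why every object in the decompressor needs it. The commit message gives the reason (the compressed boot environment has no sanitizer runtime, so __sanitizer_cov_stack_depth is unresolved at link time), but the Makefile itself does not, and the per-object CFLAGS_decompress.o entry that the first hunk removes shows how easily the flag ends up scoped too narrowly. A one-line comment above ccflags-y stating that instrumentation must stay off for the whole directory would keep a later cleanup from narrowing it back to a single object.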