[lfs-dev] Kernel memory initialization

Kevin Buckley kevin.m.buckley at gmail.com
Sun Aug 11 01:17:45 PDT 2019


On Fri, 9 Aug 2019 at 20:55, Riccardo Corsi via lfs-dev
<lfs-dev at lists.linuxfromscratch.org> wrote:
>
> Hello, I have a question about a 5.2.7 kernel parameter.
> Initialize kernel stack variables at function entry: (1...4)
>
> This is the related part of config kernel file:
>
> # Memory initialization
> #
> # CONFIG_INIT_STACK_NONE is not set
> CONFIG_GCC_PLUGIN_STRUCTLEAK_USER=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
>
> What is the best selection?

You may already have found this, Riccardo, but, just in case,
looking at the Linux Kernel Driver DataBase data hosted here

https://cateee.net/lkddb/web-lkddb/GCC_PLUGIN_STRUCTLEAK.html

says

> While the kernel is built with warnings enabled for any missed stack variable initializations, this warning is silenced for anything passed by reference to another function, under the occasionally misguided assumption that the function will do the initialization. As this regularly leads to exploitable flaws, this plugin is available to identify and zero-initialize such variables, depending on the chosen level of coverage.

and suggests, as you might have expected, what with this being a "hardening"
feature, that

> This plugin was originally ported from grsecurity/PaX. More information at: * https://grsecurity.net/ * https://pax.grsecurity.net/

so maybe there's a better write up on the options at the grsecurity
site or within its mailing lists.

Then again, was it in the kernel when the last "Hardened LFS" version
was produced, back in 2011?

http://www.linuxfromscratch.org/hlfs/view/development/
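
Added example, not part of the original post or of the kernel sources: a shell check that reports which of the four "Initialize kernel stack variables at function entry" choices a .config selects, run against the fragment quoted in the question. The function names and the 1..4 ranking (menu order, assumed here to run from least to most coverage) are assumptions.

```shell
#!/bin/sh
# Config fragment copied from the question in this thread.
sample_config() {
    cat <<'EOF'
# Memory initialization
#
# CONFIG_INIT_STACK_NONE is not set
CONFIG_GCC_PLUGIN_STRUCTLEAK_USER=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
EOF
}

# stack_init_level FILE
# Prints "<rank> <symbol>" for the selected choice, "0 unknown" if none of
# the four symbols is set, or "0 conflicting" if more than one is set.
stack_init_level() {
    awk -F= '
        BEGIN {
            # Rank = position in the choice menu (assumed least to most coverage).
            rank["CONFIG_INIT_STACK_NONE"] = 1
            rank["CONFIG_GCC_PLUGIN_STRUCTLEAK_USER"] = 2
            rank["CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF"] = 3
            rank["CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL"] = 4
        }
        # Only "SYMBOL=y" counts; "# SYMBOL is not set" lines never match.
        ($1 in rank) && $2 == "y" { found++; sym = $1 }
        END {
            if (found == 1)      print rank[sym], sym
            else if (found == 0) print "0 unknown"
            else                 print "0 conflicting"
        }
    ' "$1"
}

# stack_init_at_least MIN FILE
# Succeeds when the selected rank is at least MIN, for use as a build gate.
stack_init_at_least() {
    have=$(stack_init_level "$2" | cut -d' ' -f1)
    [ "$have" -ge "$1" ]
}

# Demo on the quoted fragment.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
stack_init_level "$demo_cfg"
rm -f "$demo_cfg"
```

To check a real build, pass the kernel tree's own .config as FILE.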

