-rw-r--r-- | .SRCINFO | 6 | ||||
-rw-r--r-- | PKGBUILD | 11 | ||||
-rw-r--r-- | config.x86_64 | 3 | ||||
-rw-r--r-- | stackcanary.patch | 65 |
4 files changed, 80 insertions, 5 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-amd pkgver = 5.6.v.13 - pkgrel = 2 + pkgrel = 3 url = https://www.kernel.org/ arch = x86_64 license = GPL2 @@ -17,11 +17,13 @@ pkgbase = linux-amd source = linux-amd.preset source = 5012_enable-cpu-optimizations-for-gcc91.patch source = gcc10.patch + source = stackcanary.patch sha256sums = SKIP - sha256sums = 57e1a2f3cdc11595adb3766d598feb4a7170a9135eac862916d78648af3ecbf9 + sha256sums = 056fa9712eaf1f442a208519e6308f847be1a6a519bc9e03059beb95cb7069d4 sha256sums = 71caf34adf69e9e2567a38cfc951d1c60b13dbe87f58a9acfeb3fe48ffdc9d08 sha256sums = cc739c9c9f7ce08e6bbc161b8232208bbc00820342a32fb1f69bff6326ae1370 sha256sums = 97ac1bff7beb5205b89b5199c471ca076023718e52be3d77e219128811337301 + sha256sums = 74ac43843b60805cc21cdadf6f4768281a61106107154f6830f26d6c142343e6 pkgname = linux-amd pkgdesc = Linux kernel for AMD CPU based hardware @@ -4,7 +4,7 @@ pkgbase=linux-amd _srcname=linux gitver=v5.6.13 pkgver=5.6.v.13 -pkgrel=2 +pkgrel=3 arch=('x86_64') url="https://www.kernel.org/" license=('GPL2') @@ -23,16 +23,20 @@ source=('git+https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git' 5012_enable-cpu-optimizations-for-gcc91.patch # dear-gcc10-please-ignore-the-mess patch gcc10.patch + # stackprotection fix + 'stackcanary.patch' ) sha256sums=('SKIP' #config.x86_64 - '57e1a2f3cdc11595adb3766d598feb4a7170a9135eac862916d78648af3ecbf9' + '056fa9712eaf1f442a208519e6308f847be1a6a519bc9e03059beb95cb7069d4' #.preset file '71caf34adf69e9e2567a38cfc951d1c60b13dbe87f58a9acfeb3fe48ffdc9d08' #patch gentoo 'cc739c9c9f7ce08e6bbc161b8232208bbc00820342a32fb1f69bff6326ae1370' # dear-gcc10-please-ignore-the-mess patch '97ac1bff7beb5205b89b5199c471ca076023718e52be3d77e219128811337301' + #stackprotection fix + '74ac43843b60805cc21cdadf6f4768281a61106107154f6830f26d6c142343e6' ) _kernelname=${pkgbase#linux} 
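Review bot: The new `'stackcanary.patch'` entry in the PKGBUILD `source` array is pinned by sha256, but its comment `# stackprotection fix` does not say where the patch comes from, so a reader cannot compare the local copy with the upstream change it carries. Since this file rewrites kernel boot code, I would record the origin in the comment, for example `# stack canary tail-call fix, backport of upstream commit <UPSTREAM_COMMIT_ID>`, and use the same wording above the matching `sha256sums` entry. The first source is still a git checkout with `'SKIP'`, so this hash covers only the local patch file, not the tree it is applied to.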
@@ -61,6 +65,9 @@ prepare() { # ask gcc10 for forgiveness in these early times patch git apply ../gcc10.patch + # Fix the source for stack canaries to work + git apply ../stackcanary.patch + # get kernel version yes "" | make prepare diff --git a/config.x86_64 b/config.x86_64 index 5eaf9e91bfed..1aa9423fcba2 100644 --- a/config.x86_64 +++ b/config.x86_64 @@ -800,7 +800,8 @@ CONFIG_SECCOMP_FILTER=y CONFIG_HAVE_ARCH_STACKLEAK=y CONFIG_HAVE_STACKPROTECTOR=y CONFIG_CC_HAS_STACKPROTECTOR_NONE=y -# CONFIG_STACKPROTECTOR is not set +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y diff --git a/stackcanary.patch b/stackcanary.patch new file mode 100644 index 000000000000..50e58c8cb371 --- /dev/null +++ b/stackcanary.patch 
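Review bot: Nothing visible in the build steps confirms that `CONFIG_STACKPROTECTOR=y` and `CONFIG_STACKPROTECTOR_STRONG=y` from the config.x86_64 hunk reach the final `.config`. Kconfig drops options whose dependencies or compiler checks are not met without failing the build, so the package could ship without canaries while this file says otherwise. A check in the PKGBUILD once the config is final, such as `grep -q '^CONFIG_STACKPROTECTOR_STRONG=y' .config || { echo 'stack protector not enabled' >&2; return 1; }`, would make that visible. The options also depend on `git apply ../stackcanary.patch` in `prepare()` having succeeded, so the comment there should say the two changes belong together.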
@@ -0,0 +1,65 @@
+diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
+index 91e29b6a86a5..9804a7957f4e 100644
+--- a/arch/x86/include/asm/stackprotector.h
++++ b/arch/x86/include/asm/stackprotector.h
+@@ -55,8 +55,13 @@
+ /*
+ * Initialize the stackprotector canary value.
+ *
+- * NOTE: this must only be called from functions that never return,
++ * NOTE: this must only be called from functions that never return
+ * and it must always be inlined.
++ *
++ * In addition, it should be called from a compilation unit for which
++ * stack protector is disabled. Alternatively, the caller should not end
++ * with a function call which gets tail-call optimized as that would
++ * lead to checking a modified canary value.
+ */
+ static __always_inline void boot_init_stack_canary(void)
+ {
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
+index 69881b2d446c..9674321ce3a3 100644
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -262,6 +262,14 @@ static void notrace start_secondary(void *unused)
+
+ wmb();
+ cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++
++ /*
++ * Prevent tail call to cpu_startup_entry() because the stack protector
++ * guard has been changed a couple of function calls up, in
++ * boot_init_stack_canary() and must not be checked before tail calling
++ * another function.
++ */
++ prevent_tail_call_optimization();
+ }
+
+ /**
+diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
+index 802ee5bba66c..0cebe5db691d 100644
+--- a/arch/x86/xen/smp_pv.c
++++ b/arch/x86/xen/smp_pv.c
+@@ -92,6 +92,7 @@ asmlinkage __visible void cpu_bringup_and_idle(void)
+ cpu_bringup();
+ boot_init_stack_canary();
+ cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++ prevent_tail_call_optimization();
+ }
+
+ void xen_smp_intr_free_pv(unsigned int cpu)
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 034b0a644efc..732754d96039 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -356,4 +356,10 @@ static inline void *offset_to_ptr(const int *off)
+ /* &a[0] degrades to a pointer: a different type from an array */
+ #define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
+
++/*
++ * This is needed in functions which generate the stack canary, see
++ * arch/x86/kernel/smpboot.c::start_secondary() for an example.
++ */
++#define prevent_tail_call_optimization() asm("")
++
+ #endif /* __LINUX_COMPILER_H */ |
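Review bot: `#define prevent_tail_call_optimization() asm("")` in the include/linux/compiler.h part relies on the compiler never looking through an empty asm statement, which is a thin guarantee for something the canary check depends on. As far as I recall, the fix merged upstream defines it as `#define prevent_tail_call_optimization() mb()`, so please compare this local copy with the merged commit rather than an earlier iteration. The new comment in stackprotector.h applies to every caller of boot_init_stack_canary(), but only start_secondary() and cpu_bringup_and_idle() are changed here. The boot-CPU caller (presumably start_kernel() in init/main.c, not visible in this patch) should be checked for the same trailing call now that CONFIG_STACKPROTECTOR_STRONG is enabled. Both patched functions begin outside the nested hunks, so the calls before the shown lines could not be reviewed.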