Blame SOURCES/0429-kern-efi-Add-initial-stack-protector-implementation.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Chris Coulson <chris.coulson@canonical.com>
b1bcb2
Date: Fri, 19 Feb 2021 13:53:45 +0100
b1bcb2
Subject: [PATCH] kern/efi: Add initial stack protector implementation
b1bcb2
b1bcb2
It works only on UEFI platforms but can be quite easily extended to
b1bcb2
others architectures and platforms if needed.
b1bcb2
b1bcb2
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
b1bcb2
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
b1bcb2
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
b1bcb2
---
b1bcb2
 configure.ac                   | 44 ++++++++++++++++++++++++++++++----
b1bcb2
 grub-core/kern/efi/init.c      | 54 ++++++++++++++++++++++++++++++++++++++++++
b1bcb2
 include/grub/efi/api.h         | 19 +++++++++++++++
b1bcb2
 include/grub/stack_protector.h | 30 +++++++++++++++++++++++
b1bcb2
 acinclude.m4                   | 38 +++++++++++++++++++++++++++--
b1bcb2
 grub-core/Makefile.am          |  1 +
b1bcb2
 6 files changed, 179 insertions(+), 7 deletions(-)
b1bcb2
 create mode 100644 include/grub/stack_protector.h
b1bcb2
b1bcb2
diff --git a/configure.ac b/configure.ac
b1bcb2
index 936cfa0ce5a..0edae0f5926 100644
b1bcb2
--- a/configure.ac
b1bcb2
+++ b/configure.ac
b1bcb2
@@ -1006,12 +1006,41 @@ fi]
b1bcb2
 
b1bcb2
 CFLAGS="$TARGET_CFLAGS"
b1bcb2
 
b1bcb2
-# Smashing stack protector.
b1bcb2
+# Stack smashing protector.
b1bcb2
 grub_CHECK_STACK_PROTECTOR
b1bcb2
-# Need that, because some distributions ship compilers that include
b1bcb2
-# `-fstack-protector' in the default specs.
b1bcb2
-if test "x$ssp_possible" = xyes; then
b1bcb2
-  TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
b1bcb2
+AC_ARG_ENABLE([stack-protector],
b1bcb2
+	      AS_HELP_STRING([--enable-stack-protector],
b1bcb2
+			     [enable the stack protector]),
b1bcb2
+	      [],
b1bcb2
+	      [enable_stack_protector=no])
b1bcb2
+if test "x$enable_stack_protector" = xno; then
b1bcb2
+  if test "x$ssp_possible" = xyes; then
b1bcb2
+    # Need that, because some distributions ship compilers that include
b1bcb2
+    # `-fstack-protector' in the default specs.
b1bcb2
+    TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
b1bcb2
+  fi
b1bcb2
+elif test "x$platform" != xefi; then
b1bcb2
+  AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
b1bcb2
+elif test "x$ssp_global_possible" != xyes; then
b1bcb2
+  AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
b1bcb2
+else
b1bcb2
+  TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
b1bcb2
+  if test "x$enable_stack_protector" = xyes; then
b1bcb2
+    if test "x$ssp_possible" != xyes; then
b1bcb2
+      AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
b1bcb2
+    fi
b1bcb2
+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
b1bcb2
+  elif test "x$enable_stack_protector" = xstrong; then
b1bcb2
+    if test "x$ssp_strong_possible" != xyes; then
b1bcb2
+      AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
b1bcb2
+    fi
b1bcb2
+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
b1bcb2
+  else
b1bcb2
+    # Note, -fstack-protector-all requires that the protector is disabled for
b1bcb2
+    # functions that appear in the call stack when the canary is initialized.
b1bcb2
+    AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
b1bcb2
+  fi
b1bcb2
+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
b1bcb2
 fi
b1bcb2
 
b1bcb2
 CFLAGS="$TARGET_CFLAGS"
b1bcb2
@@ -1912,5 +1941,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
b1bcb2
 else
b1bcb2
 echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
b1bcb2
 fi
b1bcb2
+if test "x$enable_stack_protector" != xno; then
b1bcb2
+echo "With stack smashing protector: Yes"
b1bcb2
+else
b1bcb2
+echo "With stack smashing protector: No"
b1bcb2
+fi
b1bcb2
 echo "*******************************************************"
b1bcb2
 ]
b1bcb2
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
b1bcb2
index ed33201f12a..2071eaa9997 100644
b1bcb2
--- a/grub-core/kern/efi/init.c
b1bcb2
+++ b/grub-core/kern/efi/init.c
b1bcb2
@@ -28,6 +28,58 @@
b1bcb2
 #include <grub/mm.h>
b1bcb2
 #include <grub/kernel.h>
b1bcb2
 #include <grub/lib/envblk.h>
b1bcb2
+#include <grub/stack_protector.h>
b1bcb2
+
b1bcb2
+#ifdef GRUB_STACK_PROTECTOR
b1bcb2
+
b1bcb2
+static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
b1bcb2
+
b1bcb2
+/*
b1bcb2
+ * Don't put this on grub_efi_init()'s local stack to avoid it
b1bcb2
+ * getting a stack check.
b1bcb2
+ */
b1bcb2
+static grub_efi_uint8_t stack_chk_guard_buf[32];
b1bcb2
+
b1bcb2
+grub_addr_t __stack_chk_guard;
b1bcb2
+
b1bcb2
+void __attribute__ ((noreturn))
b1bcb2
+__stack_chk_fail (void)
b1bcb2
+{
b1bcb2
+  /*
b1bcb2
+   * Assume it's not safe to call into EFI Boot Services. Sorry, that
b1bcb2
+   * means no console message here.
b1bcb2
+   */
b1bcb2
+  do
b1bcb2
+    {
b1bcb2
+      /* Do not optimize out the loop. */
b1bcb2
+      asm volatile ("");
b1bcb2
+    }
b1bcb2
+  while (1);
b1bcb2
+}
b1bcb2
+
b1bcb2
+static void
b1bcb2
+stack_protector_init (void)
b1bcb2
+{
b1bcb2
+  grub_efi_rng_protocol_t *rng;
b1bcb2
+
b1bcb2
+  /* Set up the stack canary. Make errors here non-fatal for now. */
b1bcb2
+  rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL);
b1bcb2
+  if (rng != NULL)
b1bcb2
+    {
b1bcb2
+      grub_efi_status_t status;
b1bcb2
+
b1bcb2
+      status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf),
b1bcb2
+			   stack_chk_guard_buf);
b1bcb2
+      if (status == GRUB_EFI_SUCCESS)
b1bcb2
+	grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard));
b1bcb2
+    }
b1bcb2
+}
b1bcb2
+#else
b1bcb2
+static void
b1bcb2
+stack_protector_init (void)
b1bcb2
+{
b1bcb2
+}
b1bcb2
+#endif
b1bcb2
 
b1bcb2
 grub_addr_t grub_modbase;
b1bcb2
 
b1bcb2
@@ -69,6 +121,8 @@ grub_efi_init (void)
b1bcb2
      messages.  */
b1bcb2
   grub_console_init ();
b1bcb2
 
b1bcb2
+  stack_protector_init ();
b1bcb2
+
b1bcb2
   /* Initialize the memory management system.  */
b1bcb2
   grub_efi_mm_init ();
b1bcb2
 
b1bcb2
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
b1bcb2
index 9860fd16189..4a8d7031b70 100644
b1bcb2
--- a/include/grub/efi/api.h
b1bcb2
+++ b/include/grub/efi/api.h
b1bcb2
@@ -299,6 +299,11 @@
b1bcb2
       { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
b1bcb2
   }
b1bcb2
 
b1bcb2
+#define GRUB_EFI_RNG_PROTOCOL_GUID \
b1bcb2
+  { 0x3152bca5, 0xeade, 0x433d, \
b1bcb2
+    { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
b1bcb2
+  }
b1bcb2
+
b1bcb2
 struct grub_efi_sal_system_table
b1bcb2
 {
b1bcb2
   grub_uint32_t signature;
b1bcb2
@@ -2009,6 +2014,20 @@ struct grub_efi_ip6_config_manual_address {
b1bcb2
 };
b1bcb2
 typedef struct grub_efi_ip6_config_manual_address grub_efi_ip6_config_manual_address_t;
b1bcb2
 
b1bcb2
+typedef grub_efi_guid_t grub_efi_rng_algorithm_t;
b1bcb2
+
b1bcb2
+struct grub_efi_rng_protocol
b1bcb2
+{
b1bcb2
+  grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this,
b1bcb2
+				 grub_efi_uintn_t *rng_algorithm_list_size,
b1bcb2
+				 grub_efi_rng_algorithm_t *rng_algorithm_list);
b1bcb2
+  grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this,
b1bcb2
+				grub_efi_rng_algorithm_t *rng_algorithm,
b1bcb2
+				grub_efi_uintn_t rng_value_length,
b1bcb2
+				grub_efi_uint8_t *rng_value);
b1bcb2
+};
b1bcb2
+typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
b1bcb2
+
b1bcb2
 #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
b1bcb2
   || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__)
b1bcb2
 
b1bcb2
diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h
b1bcb2
new file mode 100644
b1bcb2
index 00000000000..c88dc00b5f9
b1bcb2
--- /dev/null
b1bcb2
+++ b/include/grub/stack_protector.h
b1bcb2
@@ -0,0 +1,30 @@
b1bcb2
+/*
b1bcb2
+ *  GRUB  --  GRand Unified Bootloader
b1bcb2
+ *  Copyright (C) 2021  Free Software Foundation, Inc.
b1bcb2
+ *
b1bcb2
+ *  GRUB is free software: you can redistribute it and/or modify
b1bcb2
+ *  it under the terms of the GNU General Public License as published by
b1bcb2
+ *  the Free Software Foundation, either version 3 of the License, or
b1bcb2
+ *  (at your option) any later version.
b1bcb2
+ *
b1bcb2
+ *  GRUB is distributed in the hope that it will be useful,
b1bcb2
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
b1bcb2
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
b1bcb2
+ *  GNU General Public License for more details.
b1bcb2
+ *
b1bcb2
+ *  You should have received a copy of the GNU General Public License
b1bcb2
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
b1bcb2
+ */
b1bcb2
+
b1bcb2
+#ifndef GRUB_STACK_PROTECTOR_H
b1bcb2
+#define GRUB_STACK_PROTECTOR_H	1
b1bcb2
+
b1bcb2
+#include <grub/symbol.h>
b1bcb2
+#include <grub/types.h>
b1bcb2
+
b1bcb2
+#ifdef GRUB_STACK_PROTECTOR
b1bcb2
+extern grub_addr_t EXPORT_VAR (__stack_chk_guard);
b1bcb2
+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
b1bcb2
+#endif
b1bcb2
+
b1bcb2
+#endif /* GRUB_STACK_PROTECTOR_H */
b1bcb2
diff --git a/acinclude.m4 b/acinclude.m4
b1bcb2
index b2bb88d838e..ca720b0c453 100644
b1bcb2
--- a/acinclude.m4
b1bcb2
+++ b/acinclude.m4
b1bcb2
@@ -379,9 +379,9 @@ fi
b1bcb2
 ])
b1bcb2
 
b1bcb2
 
b1bcb2
-dnl Check if the C compiler supports `-fstack-protector'.
b1bcb2
+dnl Check if the C compiler supports the stack protector
b1bcb2
 AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
b1bcb2
-[# Smashing stack protector.
b1bcb2
+[# Stack smashing protector.
b1bcb2
 ssp_possible=yes]
b1bcb2
 AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
b1bcb2
 # Is this a reliable test case?
b1bcb2
@@ -398,6 +398,40 @@ else
b1bcb2
   ssp_possible=no]
b1bcb2
   AC_MSG_RESULT([no])
b1bcb2
 [fi]
b1bcb2
+[# Strong stack smashing protector.
b1bcb2
+ssp_strong_possible=yes]
b1bcb2
+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
b1bcb2
+# Is this a reliable test case?
b1bcb2
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
b1bcb2
+void foo (void) { volatile char a[8]; a[3]; }
b1bcb2
+]])])
b1bcb2
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
b1bcb2
+# `ac_compile' like this correct, after all?
b1bcb2
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
b1bcb2
+  AC_MSG_RESULT([yes])
b1bcb2
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
b1bcb2
+  rm -f conftest.s
b1bcb2
+else
b1bcb2
+  ssp_strong_possible=no]
b1bcb2
+  AC_MSG_RESULT([no])
b1bcb2
+[fi]
b1bcb2
+[# Global stack smashing protector.
b1bcb2
+ssp_global_possible=yes]
b1bcb2
+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
b1bcb2
+# Is this a reliable test case?
b1bcb2
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
b1bcb2
+void foo (void) { volatile char a[8]; a[3]; }
b1bcb2
+]])])
b1bcb2
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
b1bcb2
+# `ac_compile' like this correct, after all?
b1bcb2
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
b1bcb2
+  AC_MSG_RESULT([yes])
b1bcb2
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
b1bcb2
+  rm -f conftest.s
b1bcb2
+else
b1bcb2
+  ssp_global_possible=no]
b1bcb2
+  AC_MSG_RESULT([no])
b1bcb2
+[fi]
b1bcb2
 ])
b1bcb2
 
b1bcb2
 dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
b1bcb2
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
b1bcb2
index e15846ba75b..2acd02cd188 100644
b1bcb2
--- a/grub-core/Makefile.am
b1bcb2
+++ b/grub-core/Makefile.am
b1bcb2
@@ -85,6 +85,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
b1bcb2
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
b1bcb2
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h