From: Alexander Popov <alex.popov@linux.com>
Date: Tue, 16 Jan 2024 19:57:47 +0000 (+0300)
Subject: Improve the check of SCHED_STACK_END_CHECK.
X-Git-Tag: v0.6.6~7
X-Git-Url: https://jxself.org/git/?p=kconfig-hardened-check.git;a=commitdiff_plain;h=c0fc9e89d7a21dfd734bc6c3b946f835493502ca

Improve the check of SCHED_STACK_END_CHECK.

SCHED_STACK_END_CHECK checks the magic value at the end
of the kernel thread stack, and VMAP_STACK adds guard pages near it.
So they do a bit different things, but VMAP_STACK is more reliable.

Thanks to @thestinger for the idea.

Refers to #98.
---

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index cf43f33..64ab9b0 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -57,8 +57,9 @@ def add_kconfig_checks(l, arch):
              KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
+    vmap_stack_is_set = KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')
     if arch in ('X86_64', 'ARM64', 'ARM'):
-        l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
+        l += [vmap_stack_is_set]
     if arch in ('X86_64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
@@ -118,7 +119,6 @@ def add_kconfig_checks(l, arch):
 
     # 'self_protection', 'kspp'
     l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
-    l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
@@ -131,6 +131,8 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
     l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
+    l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
+             vmap_stack_is_set)]
     kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
     l += [kfence_is_set]
     l += [AND(KconfigCheck('self_protection', 'my', 'KFENCE_SAMPLE_INTERVAL', 'is not off'),