From fc5e40ccb8bfb3ad0aea6ef55caaaa14762ff3c0 Mon Sep 17 00:00:00 2001 From: Alistair Delva Date: Thu, 14 Nov 2019 10:54:26 -0800 Subject: [PATCH] ANDROID: Fix allmodconfig build with CC=clang When GCC_PLUGIN_STRUCTLEAK was backported, a prompt text mysteriously made its way into the Kconfig option. Because this option is not dependent on GCC_PLUGINS, it could become enabled even when building with "CC=clang allmodconfig", which is not correct. The option is correctly selected by GCC_PLUGIN_STRUCTLEAK_BYREF_ALL so this prompt text seems to be unnecessary. This change also aligns the help text to match upstream, to match the version that was claimed to have been backported. Fixes: e0c6791d049e9 ("BACKPORT: security: Create "kernel hardening" config area") Bug: 143965122 Test: make CC=clang allmodconfig && make -j Change-Id: Ia9dc88ec1bbfd3950eda5a3eb698ecd41c7e0c9a Signed-off-by: Alistair Delva --- security/Kconfig.hardening | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index c532516c557f..b0e9cc084506 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -2,13 +2,18 @@ menu "Kernel hardening options" config GCC_PLUGIN_STRUCTLEAK - bool "Force initialization of variables containing userspace addresses" + bool help - This plugin zero-initializes any structures containing a - __user attribute. This can prevent some classes of information - exposures. + While the kernel is built with warnings enabled for any missed + stack variable initializations, this warning is silenced for + anything passed by reference to another function, under the + occasionally misguided assumption that the function will do + the initialization. As this regularly leads to exploitable + flaws, this plugin is available to identify and zero-initialize + such variables, depending on the chosen level of coverage. - This plugin was ported from grsecurity/PaX. More information at: + This plugin was originally ported from grsecurity/PaX. More + information at: * https://grsecurity.net/ * https://pax.grsecurity.net/
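Review bot: With the prompt removed at `+ bool`, GCC_PLUGIN_STRUCTLEAK can no longer be set directly, so an existing defconfig or config fragment that carries only `CONFIG_GCC_PLUGIN_STRUCTLEAK=y` will silently lose the zero-initialization hardening on the next config refresh, on GCC builds as well as clang ones. The commit message names GCC_PLUGIN_STRUCTLEAK_BYREF_ALL as the selector, but the hunk does not show whether every configuration that relied on the old prompt also enables it. Please check the in-tree defconfigs and fragments for the bare option and either move them to the selecting option or say in the commit message that the loss is intended. A smaller point on the help text: it now refers to "the chosen level of coverage", yet nothing visible in this hunk lets the user choose a level, and help on a promptless symbol is not shown in menuconfig, so a one-line comment naming the selecting option would help readers of this file.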