
Bug#998653: linux: Please enable ZERO_CALL_USED_REGS to reduce ROP probability



Source: linux
Version: 5.15-1~exp1
Severity: wishlist

Hi, the option ZERO_CALL_USED_REGS will improve kernel security by
reducing the number of available ROP gadgets by 20% on average in
the Linux kernel. Currently the option is not enabled in Debian's
experimental kernel config. Please enable it if you consider the build
size to be reasonable on all architectures.

The option requires building with GCC 11 or a compiler that supports
-fzero-call-used-regs.

Here is a comparison of the number of unique ROP gadgets found in a
kernel build with and without CALL_USED_REGS, using two different ROP
gadget scanning tools.

rp++ is a popular ROP scanning tool due to its ability to find many
different gadgets.

$ wc -l vmlinux-5.15-zero-regs-rp++-rop
249527 vmlinux-5.15-zero-regs-rp++-rop

$ wc -l vmlinux-5.15-skip-rp++-rop
326214 vmlinux-5.15-skip-rp++-rop

The tool ROPgadget is popular due to its ability to automatically
build ROP chains for a statically linked target.

vmlinux-5.15-zero-regs:
Unique gadgets found: 136014
No automatic chain building possible.

vmlinux-5.15-skip:
Unique gadgets found: 214104
Automatic chain building of gadgets possible.

Thank you!

Best regards Christoffer Kugg Jerkeby
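As an added example (not part of the bug report above), two POSIX shell helpers a packager or administrator can use to verify the request's two preconditions: that the compiler accepts -fzero-call-used-regs, and that a given kernel .config actually has the option switched on. The mode `used-gpr` is the one the kernel's own Kconfig probe uses; the compiler used is taken from $CC, defaulting to gcc.

```shell
#!/bin/sh
# Added example, not code from the Debian bug report.
# Checks the two prerequisites for CONFIG_ZERO_CALL_USED_REGS:
#  1. the toolchain honours -fzero-call-used-regs (GCC 11+),
#  2. a kernel .config enables the option.

# Prints "yes" if $CC (default gcc) accepts -fzero-call-used-regs=used-gpr,
# "no" if it rejects the flag, and "unknown" if no compiler is installed.
cc_supports_zero_call_used_regs() {
    cc="${CC:-gcc}"
    command -v "$cc" >/dev/null 2>&1 || { echo unknown; return 0; }
    # Compile a trivial translation unit with the flag; the kernel's
    # CC_HAS_ZERO_CALL_USED_REGS symbol is derived from the same probe.
    if echo 'int f(void) { return 0; }' \
        | "$cc" -fzero-call-used-regs=used-gpr -c -x c - -o /dev/null 2>/dev/null
    then
        echo yes
    else
        echo no
    fi
}

# Reports the state of CONFIG_ZERO_CALL_USED_REGS in a kernel config file
# (a build-tree .config or /boot/config-$(uname -r)):
#   "enabled"  - option is built in, call-used GPRs are zeroed on return
#   "disabled" - option known to the kernel but switched off
#   "absent"   - option not offered (kernel too old or compiler lacks support)
zero_call_used_regs_state() {
    config="$1"
    if grep -q '^CONFIG_ZERO_CALL_USED_REGS=y$' "$config"; then
        echo enabled
    elif grep -q '^# CONFIG_ZERO_CALL_USED_REGS is not set$' "$config"; then
        echo disabled
    else
        echo absent
    fi
}
```

Run `zero_call_used_regs_state /boot/config-$(uname -r)` on a Debian system to see whether the installed kernel was built with the hardening the report asks for.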

