lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 6 Feb 2022 21:40:15 +0100
From:   Peter Zijlstra <>
To:     Kees Cook <>
Cc:     Alexander Popov <>,
        Linus Torvalds <>,
        Thomas Gleixner <>,
        Josh Poimboeuf <>,
        Borislav Petkov <>,,
Subject: Re: [PATCH] gcc-plugins/stackleak: Use noinstr in favor of notrace

On Sun, Feb 06, 2022 at 08:46:47AM -0800, Kees Cook wrote:
> On Sun, Feb 06, 2022 at 12:58:16PM +0100, Peter Zijlstra wrote:
> > On Tue, Feb 01, 2022 at 04:19:18PM -0800, Kees Cook wrote:
> > > Is it correct to exclude .noinstr.text here? That means any functions called in
> > > there will have their stack utilization untracked. This doesn't seem right to me,
> > > though. Shouldn't stackleak_track_stack() just be marked noinstr instead?
> > 
> > This patch is right. stackleak_track_stack() cannot be marked noinstr
> > becaues it accesses things that might not be there.
> Hmm, as in "current()" may not be available/sane?

Exactly the case; if we lift the PTI address space swizzle, we start
with C without having the kernel mapped or even the per-cpu segment
offset set. So things like current will explode.

The whole noinstr thing was invented to get back to C as portable
Assembler, with the express purpose to lift a bunch of entry code to C.

> > Consider what happens if we pull the PTI page-table swap into the
> > noinstr C part.
> Yeah, I see your point. I suspect the reason this all currently works
> is because stackleak is supposed to only instrument leaf functions that
> have sufficiently large (default 100 bytes) stack usage.
> What sorts of things may end up in .noinstr.text that are 100+ byte stack
> leaf functions that would be end up deeper in the call stack? (i.e. what
> could get missed from stack depth tracking?) Interrupt handling comes
> to mind, but I'd expect that to make further calls (i.e. not a leaf).

All the syscall/exception/interrupt entry stuff is noinstr; I don't
think we have huge stackframes, but with all that in C that's much
easier to do than with then in asm.

If you worry about this, it should be possible to have objtool warn
about excessive stack frames for noinstr code I suppose, it already
tracks the stack anyway.

Powered by blists - more mailing lists