lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Feb 2022 18:57:59 -0800 From: Kees Cook <keescook@...omium.org> To: Peter Zijlstra <peterz@...radead.org> Cc: Alexander Popov <alex.popov@...ux.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de>, Josh Poimboeuf <jpoimboe@...hat.com>, Borislav Petkov <bp@...en8.de>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH] gcc-plugins/stackleak: Use noinstr in favor of notrace On Sun, Feb 06, 2022 at 09:40:15PM +0100, Peter Zijlstra wrote: > On Sun, Feb 06, 2022 at 08:46:47AM -0800, Kees Cook wrote: > > On Sun, Feb 06, 2022 at 12:58:16PM +0100, Peter Zijlstra wrote: > > > On Tue, Feb 01, 2022 at 04:19:18PM -0800, Kees Cook wrote: > > > > Is it correct to exclude .noinstr.text here? That means any functions called in > > > > there will have their stack utilization untracked. This doesn't seem right to me, > > > > though. Shouldn't stackleak_track_stack() just be marked noinstr instead? > > > > > > This patch is right. stackleak_track_stack() cannot be marked noinstr > > > becaues it accesses things that might not be there. > > > > Hmm, as in "current()" may not be available/sane? > > Exactly the case; if we lift the PTI address space swizzle, we start > with C without having the kernel mapped or even the per-cpu segment > offset set. So things like current will explode. > > The whole noinstr thing was invented to get back to C as portable > Assembler, with the express purpose to lift a bunch of entry code to C. > > > > Consider what happens if we pull the PTI page-table swap into the > > > noinstr C part. > > > > Yeah, I see your point. I suspect the reason this all currently works > > is because stackleak is supposed to only instrument leaf functions that > > have sufficiently large (default 100 bytes) stack usage. > > > > What sorts of things may end up in .noinstr.text that are 100+ byte stack > > leaf functions that would be end up deeper in the call stack? (i.e. what > > could get missed from stack depth tracking?) Interrupt handling comes > > to mind, but I'd expect that to make further calls (i.e. not a leaf). > > All the syscall/exception/interrupt entry stuff is noinstr; I don't > think we have huge stackframes, but with all that in C that's much > easier to do than with then in asm. > > If you worry about this, it should be possible to have objtool warn > about excessive stack frames for noinstr code I suppose, it already > tracks the stack anyway. Yeah, I think we should be okay at least for now. Let me know what you think of https://lore.kernel.org/linux-hardening/20220206174508.2425076-1-keescook@chromium.org/ and if you like it I can send a v2 Linus's way... -Kees -- Kees Cook
Powered by blists - more mailing lists