| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <mhng-32bb45f6-c7eb-4afb-a42a-a167a83ca760@palmer-ri-x1c9>
Date: Wed, 08 Nov 2023 19:47:49 -0800 (PST)
From: Palmer Dabbelt <palmer@...belt.com>
To: keescook@...omium.org
CC: songshuaishuai@...ylab.org, Paul Walmsley <paul.walmsley@...ive.com>,
aou@...s.berkeley.edu, guoren@...nel.org, Bjorn Topel <bjorn@...osinc.com>, jszhang@...nel.org,
Conor Dooley <conor.dooley@...rochip.com>, andy.chiu@...ive.com, samitolvanen@...gle.com, coelacanthushex@...il.com,
linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] riscv: Support RANDOMIZE_KSTACK_OFFSET
On Wed, 08 Nov 2023 15:52:34 PST (-0800), keescook@...omium.org wrote:
> On Wed, Nov 01, 2023 at 02:44:23PM +0800, Song Shuai wrote:
>> Inspired from arm64's implement -- commit 70918779aec9
>> ("arm64: entry: Enable random_kstack_offset support")
>>
>> Add support of kernel stack offset randomization while handling syscall,
>> the offset is defaultly limited by KSTACK_OFFSET_MAX() (i.e. 10 bits).
>>
>> In order to avoid trigger stack canaries (due to __builtin_alloca) and
>> slowing down the entry path, use __no_stack_protector attribute to
>> disable stack protector for do_trap_ecall_u() at the function level.
>>
>> Signed-off-by: Song Shuai <songshuaishuai@...ylab.org>
>
> I can't speak to the correctness of the entropy level, but the usage of
> the helpers looks correct to me.
As far as I can tell the comment matches how the system behaves. I'm
not sure if that much entropy is useful. I was poking around for a bit
to try and figure that out, but after reading that comment at the top of
include/linux/randomize_kstack.h I decided to stop ;)
So aside from those whitespace errors Damien pointed out,
Reviewed-by: Palmer Dabbelt <palmer@...osinc.com>
It's too late for the merge window for me, but
Acked-by: Palmer Dabbelt <palmer@...osinc.com>
in case someone else wants to take it still. Otherwise I'll try and
remember to pick it up right after the merge window, but with Plumbers
things might be a bit clunky.
> Reviewed-by: Kees Cook <keescook@...omium.org>
>
> -Kees
>
>> ---
>> Testing with randomize_kstack_offset=y cmdline, lkdtm/stack-entropy.sh
>> showed appropriate stack offset instead of zero.
>> ---
>> arch/riscv/Kconfig | 1 +
>> arch/riscv/kernel/traps.c | 18 +++++++++++++++++-
>> 2 files changed, 18 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index d607ab0f7c6d..0e843de33f0c 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -100,6 +100,7 @@ config RISCV
>> select HAVE_ARCH_KGDB_QXFER_PKT
>> select HAVE_ARCH_MMAP_RND_BITS if MMU
>> select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
>> + select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
>> select HAVE_ARCH_SECCOMP_FILTER
>> select HAVE_ARCH_THREAD_STRUCT_WHITELIST
>> select HAVE_ARCH_TRACEHOOK
>> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
>> index 19807c4d3805..3f869b2d47c3 100644
>> --- a/arch/riscv/kernel/traps.c
>> +++ b/arch/riscv/kernel/traps.c
>> @@ -6,6 +6,7 @@
>> #include <linux/cpu.h>
>> #include <linux/kernel.h>
>> #include <linux/init.h>
>> +#include <linux/randomize_kstack.h>
>> #include <linux/sched.h>
>> #include <linux/sched/debug.h>
>> #include <linux/sched/signal.h>
>> @@ -296,9 +297,11 @@ asmlinkage __visible __trap_section void do_trap_break(struct pt_regs *regs)
>> }
>> }
>>
>> -asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs)
>> +asmlinkage __visible __trap_section __no_stack_protector
>> +void do_trap_ecall_u(struct pt_regs *regs)
>> {
>> if (user_mode(regs)) {
>> +
>> long syscall = regs->a7;
>>
>> regs->epc += 4;
>> @@ -308,10 +311,23 @@ asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs)
>>
>> syscall = syscall_enter_from_user_mode(regs, syscall);
>>
>> + add_random_kstack_offset();
>> +
>> if (syscall >= 0 && syscall < NR_syscalls)
>> syscall_handler(regs, syscall);
>> else if (syscall != -1)
>> regs->a0 = -ENOSYS;
>> + /*
>> + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
>> + * so the maximum stack offset is 1k bytes (10 bits).
>> + *
>> + * The actual entropy will be further reduced by the compiler when
>> + * applying stack alignment constraints: 16-byte (i.e. 4-bit) aligned
>> + * for RV32I or RV64I.
>> + *
>> + * The resulting 6 bits of entropy is seen in SP[9:4].
>> + */
>> + choose_random_kstack_offset(get_random_u16());
>>
>> syscall_exit_to_user_mode(regs);
>> } else {
>> --
>> 2.20.1
>>
Powered by blists - more mailing lists