lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160219113556.GA7797@leverpostej>
Date:	Fri, 19 Feb 2016 11:35:57 +0000
From:	Mark Rutland <mark.rutland@....com>
To:	Catalin Marinas <catalin.marinas@....com>
Cc:	Will Deacon <will.deacon@....com>,
	Lorenzo Pieralisi <lorenzo.pieralisi@....com>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	linux-kernel@...r.kernel.org, tglx@...utronix.de,
	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	akpm@...ux-foundation.org, hpa@...ux.intel.com, mingo@...nel.org,
	linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH] arm64: kasan: clear stale stack poison

On Thu, Feb 18, 2016 at 06:13:57PM +0000, Catalin Marinas wrote:
> On Thu, Feb 18, 2016 at 06:03:54PM +0000, Will Deacon wrote:
> > On Thu, Feb 18, 2016 at 05:54:47PM +0000, Catalin Marinas wrote:
> > > On Thu, Feb 18, 2016 at 05:27:38PM +0000, Mark Rutland wrote:
> > > > @@ -145,6 +146,7 @@ ENTRY(cpu_resume_mmu)
> > > >  ENDPROC(cpu_resume_mmu)
> > > >  	.popsection
> > > >  cpu_resume_after_mmu:
> > > > +	kasan_unpoison_stack 96
> > > 
> > > I don't think the 96 here is needed since we populate the stack in
> > > assembly (__cpu_suspend_enter) and unwind it again still in assembly
> > > (cpu_resume_after_mmu), so no KASAN shadow writes/reads.
> > > 
> > > Otherwise the patch looks fine.
> > 
> > I'd much rather it was written in C -- is there a reason we can't do
> > that if we use a separate compilation unit where the compiler will
> > honour the fno-sanitize flag?
> 
> A simple, non-sanitised C wrapper around __cpu_suspend_enter() would
> probably work. We need to make sure it is static inline when !KASAN to
> avoid an unnecessary function call.

I think this could work, but I don't see a way that we can get a safe
value of the SP. Using current_stack_pointer() only gives us a snapshot,
and the real SP value may move before/after. So that snaphot, even if
taken in cpu_suspend, is not guaranteed to be above all the shadow
poison.

> Or we just move cpu_suspend() to a different compilation unit, though
> that's a slightly larger function which we may want to track under
> KASAN.

If we're going to force something into another compilation unit, that
may as well be the functions on the critical path:
psci_suspend_finisher, psci_cpu_suspend, and invoke_psci_fn_*.

Then we don't need to bother with the clearing on the return path at
all, as there should never be any stale shadow to begin with.

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ