| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170714140605.GB16687@leverpostej>
Date: Fri, 14 Jul 2017 15:06:06 +0100
From: Mark Rutland <mark.rutland@....com>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Takahiro Akashi <akashi.takahiro@...aro.org>,
Catalin Marinas <catalin.marinas@....com>,
Dave Martin <dave.martin@....com>,
James Morse <james.morse@....com>,
Laura Abbott <labbott@...oraproject.org>,
Will Deacon <will.deacon@....com>,
Kees Cook <keescook@...omium.org>
Subject: Re: [kernel-hardening] Re: [RFC PATCH 6/6] arm64: add VMAP_STACK and
detect out-of-bounds SP
On Fri, Jul 14, 2017 at 01:27:14PM +0100, Ard Biesheuvel wrote:
> On 14 July 2017 at 11:48, Ard Biesheuvel <ard.biesheuvel@...aro.org> wrote:
> > On 14 July 2017 at 11:32, Mark Rutland <mark.rutland@....com> wrote:
> >> On Thu, Jul 13, 2017 at 07:28:48PM +0100, Ard Biesheuvel wrote:
> >>> OK, so here's a crazy idea: what if we
> >>> a) carve out a dedicated range in the VMALLOC area for stacks
> >>> b) for each stack, allocate a naturally aligned window of 2x the stack
> >>> size, and map the stack inside it, leaving the remaining space
> >>> unmapped
> >> The logical ops (TST) and conditional branches (TB(N)Z, CB(N)Z) operate
> >> on XZR rather than SP, so to do this we need to get the SP value into a
> >> GPR.
> >>
> >> Previously, I assumed this meant we needed to corrupt a GPR (and hence
> >> stash that GPR in a sysreg), so I started writing code to free sysregs.
> >>
> >> However, I now realise I was being thick, since we can stash the GPR
> >> in the SP:
> >>
> >> sub sp, sp, x0 // sp = orig_sp - x0
> >> add x0, sp, x0 // x0 = x0 - (orig_sp - x0) == orig_sp
That comment is off, and should say x0 = x0 + (orig_sp - x0) == orig_sp
> >> sub x0, x0, #S_FRAME_SIZE
> >> tb(nz) x0, #THREAD_SHIFT, overflow
> >> add x0, x0, #S_FRAME_SIZE
> >> sub x0, sp, x0
>
> You need a neg x0, x0 here I think
Oh, whoops. I'd mis-simplified things.
We can avoid that by storing orig_sp + orig_x0 in sp:
add sp, sp, x0 // sp = orig_sp + orig_x0
sub x0, sp, x0 // x0 = orig_sp
< check >
sub x0, sp, x0 // x0 = orig_x0
sub sp, sp, x0 // sp = orig_sp
... which works in a locally-built kernel where I've aligned all the
stacks.
> ... only, this requires a dedicated stack region, and so we'd need to
> check whether sp is inside that window as well.
>
> The easieast way would be to use a window whose start address is base2
> aligned, but that means the beginning of the kernel VA range (where
> KASAN currently lives, and cannot be moved afaik), or a window at the
> top of the linear region. Neither look very appealing
>
> So that means arbitrary low and high limits to compare against in this
> entry path. That means more GPRs I'm afraid.
Could you elaborate on that? I'm not sure that I follow.
My understanding was that the comprimise with this approach is that we
only catch overflow/underflow within THREAD_SIZE of the stack, and can
get false-negatives elsewhere. Otherwise, IIUC this is sufficient
Are you after a more stringent check (like those from the two existing
proposals that caught all out-of-bounds accesses)?
Or am I missing something else?
Thanks,
Mark.
Powered by blists - more mailing lists