| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5j+zeCU083g6fDEcXM-CYEHYfbkd1cbWoUTJP_0WtyYRpA@mail.gmail.com>
Date: Wed, 19 Jul 2017 15:50:14 -0700
From: Kees Cook <keescook@...omium.org>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Christoph Hellwig <hch@...radead.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Jann Horn <jannh@...gle.com>,
Eric Biggers <ebiggers3@...il.com>,
Elena Reshetova <elena.reshetova@...el.com>,
Hans Liljestrand <ishkamiel@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Alexey Dobriyan <adobriyan@...il.com>,
"Serge E. Hallyn" <serge@...lyn.com>, arozansk@...hat.com,
Davidlohr Bueso <dave@...olabs.net>,
Manfred Spraul <manfred@...orfullife.com>,
"axboe@...nel.dk" <axboe@...nel.dk>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"x86@...nel.org" <x86@...nel.org>, Arnd Bergmann <arnd@...db.de>,
"David S. Miller" <davem@...emloft.net>,
Rik van Riel <riel@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
linux-arch <linux-arch@...r.kernel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH v6 2/2] x86/refcount: Implement fast refcount overflow protection
On Wed, Jul 19, 2017 at 12:52 PM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> On Wed, Jul 19, 2017 at 12:45:19PM -0700, Kees Cook wrote:
>> > diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h
>> > index 13b91e850a02..e7587db3487c 100644
>> > --- a/arch/x86/include/asm/refcount.h
>> > +++ b/arch/x86/include/asm/refcount.h
>> > @@ -15,6 +15,7 @@
>> > ".pushsection .text.unlikely\n" \
>> > "111:\tlea %[counter], %%" _ASM_CX "\n" \
>> > "112:\t" ASM_UD0 "\n" \
>> > + ASM_UNREACHABLE \
>> > ".popsection\n" \
>> > "113:\n" \
>> > _ASM_EXTABLE_REFCOUNT(112b, 113b)
>> > diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
>> > index cd4bbe8242bd..85e0b8f42ca0 100644
>> > --- a/include/linux/compiler-gcc.h
>> > +++ b/include/linux/compiler-gcc.h
>> > @@ -202,15 +202,25 @@
>> > #endif
>> >
>> > #ifdef CONFIG_STACK_VALIDATION
>> > +
>> > #define annotate_unreachable() ({ \
>> > asm("%c0:\t\n" \
>> > - ".pushsection .discard.unreachable\t\n" \
>> > - ".long %c0b - .\t\n" \
>> > - ".popsection\t\n" : : "i" (__LINE__)); \
>> > + ".pushsection .discard.unreachable\n\t" \
>> > + ".long %c0b - .\n\t" \
>> > + ".popsection\n\t" : : "i" (__LINE__)); \
>>
>> Is this just an indentation change?
>
> This was sneaking in a fix to put the tab after the newline instead of
> before it. I figured it's not worth its own commit.
Ah! Now I see it. Gotcha.
>> > })
>> > +
>> > +#define ASM_UNREACHABLE \
>> > + "999: .pushsection .discard.unreachable\n\t" \
>> > + ".long 999b - .\n\t" \
>> > + ".popsection\n\t"
>>
>> Just so I understand, we'll get a single byte added for each exception
>> case, but it'll get discarded during final link?
>
> I think it's four bytes actually, but yeah, the section gets stripped at
> vmlinux link time.
Right, yes.
BTW, I think this needs compiler.h coverage instead of the #else in
compiler-gcc.h (since it's different from how annotate_unreachable is
used only in compiler-gcc.h. I'll adjust.
Also, in looking at CONFIG_STACK_VALIDATION, do you want it to just
warn and skip, or do you want to error out the build if validation
isn't available but it's in the .config?
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists