lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171004151312.GA20938@kroah.com>
Date:   Wed, 4 Oct 2017 17:13:12 +0200
From:   Greg KH <greg@...ah.com>
To:     Masahiro Yamada <yamada.masahiro@...ionext.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Michal Marek <mmarek@...e.com>, Ingo Molnar <mingo@...nel.org>,
        Laura Abbott <labbott@...hat.com>,
        Nicholas Piggin <npiggin@...il.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
        Yoshinori Sato <ysato@...rs.sourceforge.jp>,
        Rich Felker <dalias@...c.org>,
        "David S. Miller" <davem@...emloft.net>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-sh@...r.kernel.org, kernel-hardening@...ts.openwall.com,
        Mark Rutland <mark.rutland@....com>
Subject: Re: [kernel-hardening] Re: [PATCH 2/3] Makefile: Move stackprotector
 availability out of Kconfig

On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote:
> Hi Kees,
> 
> 
> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@...omium.org>:
> > Various portions of the kernel, especially per-architecture pieces,
> > need to know if the compiler is building it with the stack protector.
> > This was done in the arch/Kconfig with 'select', but this doesn't
> > allow a way to do auto-detected compiler support. In preparation for
> > creating an on-if-available default, move the logic for the definition of
> > CONFIG_CC_STACKPROTECTOR into the Makefile.
> >
> > Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>
> > Cc: Michal Marek <mmarek@...e.com>
> > Cc: Andrew Morton <akpm@...ux-foundation.org>
> > Cc: Ingo Molnar <mingo@...nel.org>
> > Cc: Laura Abbott <labbott@...hat.com>
> > Cc: Nicholas Piggin <npiggin@...il.com>
> > Cc: Al Viro <viro@...iv.linux.org.uk>
> > Cc: linux-kbuild@...r.kernel.org
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> >  Makefile     | 7 +++++--
> >  arch/Kconfig | 8 --------
> >  2 files changed, 5 insertions(+), 10 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index d1119941261c..e122a9cf0399 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -688,8 +688,11 @@ else
> >    stackp-flag := $(call cc-option, -fno-stack-protector)
> >  endif
> >  endif
> > -# Find arch-specific stack protector compiler sanity-checking script.
> > -ifdef CONFIG_CC_STACKPROTECTOR
> > +ifdef stackp-name
> > +  # If the stack protector has been selected, inform the rest of the build.
> > +  KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR
> > +  KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR
> > +  # Find arch-specific stack protector compiler sanity-checking script.
> >    stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
> >    stackp-check := $(wildcard $(stackp-path))
> >  endif
> 
> 
> I have not tested this series,
> but I think this commit is bad (with the follow-up patch applied).
> 
> 
> I thought of this scenario:
> 
> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO
> 
> [2] Kernel is built with a compiler without stack protector support.
> 
> [3] CONFIG_CC_STACKPROTECTOR is not defined,
>     so __stack_chk_fail() is not compiled.
> 
> [4] Out-of-tree modules are compiled with a compiler with
>     stack protector support.
>     __stack_chk_fail() is inserted to functions of the modules.

We don't ever support the system of loading a module built with anything
other than the _exact_ same compiler than the kernel was.  So this will
not happen (well, if someone tries it, they get to keep the pieces their
kernel image is now in...)

> [5] insmod fails because reference to __stack_chk_fail()
>     can not be resolved.

Even nicer, we failed "cleanly" :)

This isn't a real-world issue, sorry.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ