[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ac52fecf-99f7-3b29-ff7f-912b495e9c91@redhat.com>
Date: Fri, 19 Jan 2018 11:16:04 -0800
From: Laura Abbott <labbott@...hat.com>
To: Michal Hocko <mhocko@...nel.org>, Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Jann Horn <jannh@...gle.com>, Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Al Viro <viro@...iv.linux.org.uk>,
Sahara <keun-o.park@...kmatter.ae>,
"Levin, Alexander (Sasha Levin)" <alexander.levin@...izon.com>,
Andrea Arcangeli <aarcange@...hat.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] fork: Allow stack to be wiped on fork
On 01/17/2018 01:17 AM, Michal Hocko wrote:
> On Tue 16-01-18 21:50:15, Kees Cook wrote:
>> One of the classes of kernel stack content leaks is exposing the contents
>> of prior heap or stack contents when a new process stack is allocated.
>> Normally, those stacks are not zeroed, and the old contents remain in
>> place. With some types of stack content exposure flaws, those contents
>> can leak to userspace. Kernels built with CONFIG_CLEAR_STACK_FORK will
>> no longer be vulnerable to this, as the stack will be wiped each time
>> a stack is assigned to a new process. There's not a meaningful change
>> in runtime performance; it almost looks like it provides a benefit.
>
> Have you tried something as simple as /bin/true in a loop. kbuild will
> certainly amortize few cycles for the clearing and I would expect, most
> reasonable applications would do as well. But it would be better to know
> the worst case scenario IMHO.
>
I tried /bin/true in a loop in my QEMU setup and didn't see a difference
there.
>> Performing back-to-back kernel builds before:
>> Run times: 157.86 157.09 158.90 160.94 160.80
>> Mean: 159.12
>> Std Dev: 1.54
>>
>> With CONFIG_CLEAR_STACK_FORK=y:
>> Run times: 159.31 157.34 156.71 158.15 160.81
>> Mean: 158.46
>> Std Dev: 1.46
>>
>> Signed-off-by: Kees Cook <keescook@...omium.org>
>
> The change seems reasonable to me. Although it would be better to extend
> on the types of attacks this prevents from, with some examples ideally.
> How many attacks of that kind we had in the past and how often they
> appear. That might help people to decide whether to deserve few cycles
> on each fork. Also the config option sounds rather limiting. Consider
> distros, should they enable it just to be on the safe side? This is kind
> of generic concern with other hardening options though.
>
Agreed this could use a few more words, but it looks good to me overall.
Thanks,
Laura
Powered by blists - more mailing lists