Message-ID: <2fd303f1-cb5b-c1d9-b046-e8394dc22859@linux.com>
Date: Wed, 15 Aug 2018 22:43:12 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Ingo Molnar <mingo@...nel.org>,
Masahiro Yamada <yamada.masahiro@...ionext.com>,
Thomas Gleixner <tglx@...utronix.de>,
Tycho Andersen <tycho@...ho.ws>,
Mark Rutland <mark.rutland@....com>,
Laura Abbott <labbott@...hat.com>,
Will Deacon <will.deacon@....com>
Subject: Re: [GIT PULL] gcc-plugin updates for v4.19-rc1

Hello Linus,

On 15.08.2018 22:04, Linus Torvalds wrote:
> On Wed, Aug 15, 2018 at 11:35 AM Kees Cook <keescook@...omium.org> wrote:
>>
>> I swear I'm doing my best. Are you speaking of
>> stackleak_check_alloca() or stackleak_erase()? These were both
>> discussed on the list, and we weren't able to come up with
>> alternatives: in both cases we're off the stack, and recovery is
>> seemingly impossible.
>
> Why do you even *test* that thing? Why don't you just allocate stack
> and clear it.
>
> Dammit, the whole f*cking point of this patch-set is to clear the
> stack used. It is *not* supposed to do anything else. If the process
> runs out of stack, that's caught by the vmalloc'ed stack.
>
> And if you don't have vmalloc'ed stack, then clearly you don't care.
>
> I refuse to take this kind of code that does stupid things, and then
> *because* it does those initial stupid things it does even more stupid
> things to correct for it.

Could you please have a look at the commit messages (or at the code)? You are
really arguing with wrong things! Let me correct Kees and give you the details.
Please don't be angry.

Again, this plugin provides two features: kernel stack erasing and blocking
Stack Clash (ability to jump over the guard page provided by VMAP_STACK).
So:

1. stackleak_erase() erases the stack. It has a BUG_ON() to detect
'task_struct.lowest_stack' corruption. It's not a security violation BUG(),
which you hate. We just don't want to erase wrong memory. We have discussed that
with Ingo and others.

2. stackleak_check_alloca() detects 'Stack Clash' and it does absolutely similar
things with VMAP_STACK and SCHED_STACK_END_CHECK. Having VMAP_STACK + STACKLEAK
+ THREAD_INFO_IN_TASK together protects us from all known stack depth overflows.

Yes, one day we will remove all VLAs from the mainline kernel. But STACKLEAK
plugin protects un-upstreamed code as well.

I've put so much effort (1.5 years) to polish it and make you, Ingo and others
satisfied!

Best regards,
Alexander
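Added example, not code from the thread or from the kernel's STACKLEAK plugin: a user-space C model of the two features Alexander lists, stackleak_erase() (poison everything from the lowest_stack watermark up to the current stack pointer, refusing to erase when the watermark is corrupt) and stackleak_check_alloca() (reject a VLA that would cross the guard page). The stack array, poison byte, frame sizes and all function names are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the two STACKLEAK features, not kernel
 * code: a downward-growing stack array whose index 0 borders the guard
 * region (standing in for the VMAP_STACK guard page). Names are assumed. */
#define STACK_SIZE 4096
#define POISON     0xEEu          /* constructed poison byte */

static unsigned char model_stack[STACK_SIZE];
static size_t sp = STACK_SIZE;            /* current stack pointer (index) */
static size_t lowest_stack = STACK_SIZE;  /* deepest sp seen since last erase */

/* The plugin's per-function instrumentation: enter a frame, update watermark. */
static void track_stack(size_t frame) {
    sp -= frame;
    if (sp < lowest_stack)
        lowest_stack = sp;
}
static void leave_frame(size_t frame) { sp += frame; }

/* Model of stackleak_check_alloca(): 0 if a VLA of 'size' bytes stays above
 * the guard, -1 if it would jump over it (where the kernel stops the task). */
static int check_alloca(size_t size) {
    return size <= sp ? 0 : -1;
}

/* Model of stackleak_erase(): poison every byte between the deepest point
 * used and the current sp, then reset the watermark. Returns -1 where the
 * kernel would BUG_ON() a lowest_stack that is not inside the stack. */
static int erase_stack(void) {
    if (lowest_stack > sp)
        return -1;                /* corrupted watermark: refuse to erase */
    memset(model_stack + lowest_stack, POISON, sp - lowest_stack);
    lowest_stack = sp;
    return 0;
}

/* Bytes in [lo, hi) that carry the poison value. */
static size_t poisoned_bytes(size_t lo, size_t hi) {
    size_t n = 0;
    for (size_t i = lo; i < hi; i++)
        n += model_stack[i] == POISON;
    return n;
}

/* A deep call that leaves "secret" data on the stack and returns; the erase
 * that follows (on the way back to user space) must wipe it. */
static size_t run_deep_call(size_t frame) {
    track_stack(frame);
    memset(model_stack + sp, 0x41, frame);   /* constructed secret bytes */
    leave_frame(frame);
    return lowest_stack;                      /* watermark left behind */
}
```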