lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 15 Aug 2018 13:18:57 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Alexander Popov <alex.popov@...ux.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Ingo Molnar <mingo@...nel.org>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Tycho Andersen <tycho@...ho.ws>,
        Mark Rutland <mark.rutland@....com>,
        Laura Abbott <labbott@...hat.com>,
        Will Deacon <will.deacon@....com>
Subject: Re: [GIT PULL] gcc-plugin updates for v4.19-rc1

On Wed, Aug 15, 2018 at 12:45 PM Kees Cook <keescook@...omium.org> wrote:
>
> I feel like we're talking cross purposes. The BUG() cases were for
> places where we detect that we're executing with an impossible stack
> pointer. It seems like trying to recover from that would just hide the
> corruption for a later time that would be much harder to debug. These
> weren't left in here to upset you. :) I have tried to take your "make
> it debuggable" declaration to heart.

The thing is, BUG() is not debuggable.

I absolutely refuse to take any hardening patches at all that have
BUG() or panic() or similar machine-killing in it.

I care not one whit about the reason for them. In fact, if the reason
is stated as "it makes debugging easiler", then I fart in your general
direction and call your mother a hamster.

Dammit, I suspect you guys are "testing" this by running things in a
VM, and then a BUG() looks like a good thing to do.

But if people run things on real machines, then BUG() is absolutely
the last thing you EVER want to do for "debugging".

This is why I scanned your pull request for BUG() and similar. Because
I simply will not take "hardening" that kills the machine. That's a
hard requirement. No excuses, and absolutely zero exceptions.

After a year or two, when the hardening has actually been in place,
and you can say "hey, look, none of the warnings happened", I may be
ok with turning them into BUG() calls.

> It also handles VLA abuse, since those could (and have in past
> exploits) been used to jump over guard pages.

I really don't think that's a valid model at all. We need to get rid
of the VLA abuse, not make complex compiler plugins for it.

I thought VLA's were mostly gone. I think we can at this point almost
just mark them broken, or disable any code that uses them when people
enable the stack options.

Adding a few

        depends on !SAFE_STACK

to the drivers or code that still uses VLA's and then making the stack plugin do

        select SAFE_STACK

and simply refuse to compile alloca sounds reasonable to me.

People who then want some stack validation or clearing can either
decide they don't care about those pieces, or fix them one by one.

               Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ