lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 21 Aug 2018 11:06:17 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Alexander Popov <alex.popov@...ux.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Ingo Molnar <mingo@...nel.org>,
        Laura Abbott <labbott@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Tycho Andersen <tycho@...ho.ws>
Subject: [GIT PULL] stackleak plugin for v4.19-rc1 (take 2)

Hi Linus,

Please pull this corrected stackleak plugin for v4.19-rc1. The appropriate
Monty Python quote for this could be: "pull the other one"[1]. :)

This version has all the alloca() detection/checking code removed (which
removes both the x86 and arm64 BUG() usage) since we have almost finished
eradicating VLAs from the kernel. Additionally, the stack_erase() BUG()
has been removed by shifting the test to an earlier and recoverable
location.

The earlier plugin has been in -next for about two development cycles,
and this reduced version has had a further 5 days.


Notes edited down from the first pull request: this is the STACKLEAK
plugin ported by Alexander Popov. It provides efficient stack content
poisoning at syscall exit. This creates a defense against at least two
classes of flaws:

- uninitialized stack usage (while we continue to work on improving the
  compiler to do this in other ways: e.g. unconditional zero init was
  proposed to gcc and clang, and more plugin work has started too)

- stack content exposure (by greatly reducing the lifetime of valid stack
  contents, exposures via either direct read bugs or unknown cache
  side-channels become much more difficult to exploit. This complements
  the existing buddy and heap poisoning options, but provides the coverage
  for stacks)

The x86 hooks are included in this series (which have been reviewed by
Ingo, Dave Hansen, and Thomas Gleixner), and have hopefully addressed
your concerns with regard to the size of assembly changes which are now
minimal. The arm64 hooks have already been merged through the arm64 tree
(written by Laura Abbott and reviewed by Mark Rutland and Will Deacon).

Thanks!

-Kees

[1] https://www.youtube.com/watch?v=JHFXG3r_0B8#t=27

The following changes since commit 5c60a7389d795e001c8748b458eb76e3a5b6008c:

  Merge tag 'for-linus-4.19-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux (2018-08-16 10:53:45 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/stackleak-plugin-v4.19-rc1

for you to fetch changes up to de75c4d4bdfc84b07c597239edd3f26117a841e8:

  arm64: Drop unneeded stackleak_check_alloca() (2018-08-21 10:40:52 -0700)

----------------------------------------------------------------
Stackleak GCC plugin:

- Stackleak GCC plugin, x86 support, test, docs, knob (Alexander Popov)

----------------------------------------------------------------
Alexander Popov (7):
      x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
      gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
      lkdtm: Add a test for STACKLEAK
      fs/proc: Show STACKLEAK metrics in the /proc file system
      doc: self-protection: Add information about STACKLEAK feature
      stackleak: Allow runtime disabling of kernel stack erasing
      arm64: Drop unneeded stackleak_check_alloca()

 Documentation/security/self-protection.rst |  10 +-
 Documentation/sysctl/kernel.txt            |  18 ++
 Documentation/x86/x86_64/mm.txt            |   2 +
 arch/Kconfig                               |   7 +
 arch/arm64/kernel/process.c                |  22 --
 arch/x86/Kconfig                           |   1 +
 arch/x86/entry/calling.h                   |  14 +
 arch/x86/entry/entry_32.S                  |   7 +
 arch/x86/entry/entry_64.S                  |   3 +
 arch/x86/entry/entry_64_compat.S           |   5 +
 drivers/misc/lkdtm/Makefile                |   2 +
 drivers/misc/lkdtm/core.c                  |   1 +
 drivers/misc/lkdtm/lkdtm.h                 |   3 +
 drivers/misc/lkdtm/stackleak.c             |  73 +++++
 fs/proc/base.c                             |  18 ++
 include/linux/sched.h                      |   5 +
 include/linux/stackleak.h                  |  35 +++
 kernel/Makefile                            |   4 +
 kernel/fork.c                              |   3 +
 kernel/stackleak.c                         | 132 +++++++++
 kernel/sysctl.c                            |  15 +-
 scripts/Makefile.gcc-plugins               |  10 +
 scripts/gcc-plugins/Kconfig                |  51 ++++
 scripts/gcc-plugins/stackleak_plugin.c     | 427 +++++++++++++++++++++++++++++
 24 files changed, 840 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/lkdtm/stackleak.c
 create mode 100644 include/linux/stackleak.h
 create mode 100644 kernel/stackleak.c
 create mode 100644 scripts/gcc-plugins/stackleak_plugin.c

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists