lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20180919132618.GX23155@gate.crashing.org>
Date:   Wed, 19 Sep 2018 08:26:18 -0500
From:   Segher Boessenkool <segher@...nel.crashing.org>
To:     Christophe Leroy <christophe.leroy@....fr>
Cc:     Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Michael Ellerman <mpe@...erman.id.au>,
        Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Subject: Re: [PATCH v2 2/2] powerpc/32: add stack protector support

On Wed, Sep 19, 2018 at 11:14:45AM +0000, Christophe Leroy wrote:
> --- a/arch/powerpc/Makefile
> +++ b/arch/powerpc/Makefile
> @@ -112,6 +112,10 @@ KBUILD_LDFLAGS	+= -m elf$(BITS)$(LDEMULATION)
>  KBUILD_ARFLAGS	+= --target=elf$(BITS)-$(GNUTARGET)
>  endif
>  
> +cflags-$(CONFIG_STACKPROTECTOR)	+= -mstack-protector-guard=tls
> +cflags-$(CONFIG_STACKPROTECTOR)	+= -mstack-protector-guard-reg=r2
> +cflags-$(CONFIG_STACKPROTECTOR)	+= -mstack-protector-guard-offset=4

This last line is only correct if !CONFIG_THREAD_INFO_IN_TASK; is that
always true?  Add an assert somewhere maybe?

> +	/*
> +	 * The stack_canary must be located at the offset given to
> +	 * -mstack-protector-guard-offset in the Makefile
> +	 */
> +	BUILD_BUG_ON(offsetof(struct task_struct, stack_canary) != sizeof(long));

Well this will help :-)

It looks like it will be easy to enable on 64 bit as well.

> +	/* Try to get a semi random initial value. */
> +	get_random_bytes(&canary, sizeof(canary));
> +	canary ^= mftb();
> +	canary ^= LINUX_VERSION_CODE;

These last two lines are useless (or worse, they may give people the idea
that they are not!)

You should use wait_for_random_bytes I think.


Segher

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ