| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200406231606.37619-1-keescook@chromium.org>
Date: Mon, 6 Apr 2020 16:16:01 -0700
From: Kees Cook <keescook@...omium.org>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: Kees Cook <keescook@...omium.org>,
Elena Reshetova <elena.reshetova@...el.com>, x86@...nel.org,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Potapenko <glider@...gle.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Jann Horn <jannh@...gle.com>,
kernel-hardening@...ts.openwall.com,
linux-arm-kernel@...ts.infradead.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v3 0/5] Optionally randomize kernel stack offset each syscall
v3:
- added review/ack tags (peterz, glider)
- further clarified commit logs and public attack references
- added -fstack-protector downgrades and details
v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/
rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/
Hi,
This is a continuation and refactoring of Elena's earlier effort to add
kernel stack base offset randomization. In the time since the previous
discussions, two attacks[1][2] were made public that depended on stack
determinism, so we're no longer in the position of "this is a good idea
but we have no examples of attacks". :)
Earlier discussions also devolved into debates on entropy sources, which
is mostly a red herring, given the already low entropy available due
to stack size. Regardless, entropy can be changed/improved separately
from this series as needed.
Earlier discussions also got stuck debating how much syscall overhead
was too much, but this is also a red herring since the feature itself
needs to be selectable at boot with no cost for those that don't want it:
this is solved here with static branches.
So, here is an improved version, made as arch-agnostic as possible,
with usage added for x86 and arm64. It also includes some small static
branch clean ups, and addresses some surprise performance issues due to
the stack canary[3].
Thanks!
-Kees
[1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
[3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/
Kees Cook (5):
jump_label: Provide CONFIG-driven build state defaults
init_on_alloc: Unpessimize default-on builds
stack: Optionally randomize kernel stack offset each syscall
x86/entry: Enable random_kstack_offset support
arm64: entry: Enable random_kstack_offset support
Makefile | 4 ++++
arch/Kconfig | 23 ++++++++++++++++++
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/Makefile | 4 ++++
arch/arm64/kernel/syscall.c | 10 ++++++++
arch/x86/Kconfig | 1 +
arch/x86/entry/Makefile | 9 +++++++
arch/x86/entry/common.c | 12 +++++++++-
include/linux/jump_label.h | 19 +++++++++++++++
include/linux/mm.h | 18 +++++---------
include/linux/randomize_kstack.h | 40 ++++++++++++++++++++++++++++++++
init/main.c | 23 ++++++++++++++++++
mm/page_alloc.c | 12 ++--------
13 files changed, 153 insertions(+), 23 deletions(-)
create mode 100644 include/linux/randomize_kstack.h
--
2.20.1
Powered by blists - more mailing lists