| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jun 2020 11:39:11 -0700
From: Kees Cook <keescook@...omium.org>
To: Alexander Popov <alex.popov@...ux.com>
Cc: Jann Horn <jannh@...gle.com>,
Elena Reshetova <elena.reshetova@...el.com>,
Emese Revfy <re.emese@...il.com>,
Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <yamada.masahiro@...ionext.com>,
Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Jessica Yu <jeyu@...nel.org>,
Sven Schnelle <svens@...ckframe.org>,
Iurii Zaikin <yzaikin@...gle.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Vincenzo Frascino <vincenzo.frascino@....com>,
Thomas Gleixner <tglx@...utronix.de>,
Peter Collingbourne <pcc@...gle.com>,
Naohiro Aota <naohiro.aota@....com>,
Alexander Monakov <amonakov@...ras.ru>,
Mathias Krause <minipli@...glemail.com>,
PaX Team <pageexec@...email.hu>,
Brad Spengler <spender@...ecurity.net>,
Laura Abbott <labbott@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
linux-kbuild@...r.kernel.org,
the arch/x86 maintainers <x86@...nel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
kernel list <linux-kernel@...r.kernel.org>, gcc@....gnu.org,
notify@...nel.org
Subject: Re: [PATCH 1/5] gcc-plugins/stackleak: Exclude alloca() from the
instrumentation logic
On Thu, Jun 04, 2020 at 06:23:38PM +0300, Alexander Popov wrote:
> On 04.06.2020 17:01, Jann Horn wrote:
> > On Thu, Jun 4, 2020 at 3:51 PM Alexander Popov <alex.popov@...ux.com> wrote:
> >> Some time ago Variable Length Arrays (VLA) were removed from the kernel.
> >> The kernel is built with '-Wvla'. Let's exclude alloca() from the
> >> instrumentation logic and make it simpler. The build-time assertion
> >> against alloca() is added instead.
> > [...]
> >> + /* Variable Length Arrays are forbidden in the kernel */
> >> + gcc_assert(!is_alloca(stmt));
> >
> > There is a patch series from Elena and Kees on the kernel-hardening
> > list that deliberately uses __builtin_alloca() in the syscall entry
> > path to randomize the stack pointer per-syscall - see
> > <https://lore.kernel.org/kernel-hardening/20200406231606.37619-4-keescook@chromium.org/>.
>
> Thanks, Jann.
>
> At first glance, leaving alloca() handling in stackleak instrumentation logic
> would allow to integrate stackleak and this version of random_kstack_offset.
Right, it seems there would be a need for this coverage to remain,
otherwise the depth of stack erasure might be incorrect.
It doesn't seem like the other patches strictly depend on alloca()
support being removed, though?
> Kees, Elena, did you try random_kstack_offset with upstream stackleak?
I didn't try that combination yet, no. It seemed there would likely
still be further discussion about the offset series first (though the
thread has been silent -- I'll rebase and resend it after rc2).
> It looks to me that without stackleak erasing random_kstack_offset can be
> weaker. I mean, if next syscall has a bigger stack randomization gap, the data
> on thread stack from the previous syscall is not overwritten and can be used. Am
> I right?
That's correct. I think the combination is needed, but I don't think
they need to be strictly tied together.
> Another aspect: CONFIG_STACKLEAK_METRICS can be used for guessing kernel stack
> offset, which is bad. It should be disabled if random_kstack_offset is on.
Agreed.
--
Kees Cook
Powered by blists - more mailing lists