| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Jul 2020 08:23:02 +0100
From: Will Deacon <will@...nel.org>
To: Dave P Martin <dave.martin@....com>
Cc: linux-kernel@...r.kernel.org, Mark Rutland <mark.rutland@....com>,
"Michael S. Tsirkin" <mst@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Catalin Marinas <catalin.marinas@....com>,
Jason Wang <jasowang@...hat.com>,
virtualization@...ts.linux-foundation.org,
Arnd Bergmann <arnd@...db.de>,
Alan Stern <stern@...land.harvard.edu>,
Sami Tolvanen <samitolvanen@...gle.com>,
Matt Turner <mattst88@...il.com>, kernel-team@...roid.com,
Marco Elver <elver@...gle.com>,
Kees Cook <keescook@...omium.org>,
"Paul E. McKenney" <paulmck@...nel.org>,
Boqun Feng <boqun.feng@...il.com>,
Josh Triplett <josh@...htriplett.org>,
Ivan Kokshaysky <ink@...assic.park.msu.ru>,
linux-arm-kernel@...ts.infradead.org,
Richard Henderson <rth@...ddle.net>,
Nick Desaulniers <ndesaulniers@...gle.com>,
linux-alpha@...r.kernel.org
Subject: Re: [PATCH 18/18] arm64: lto: Strengthen READ_ONCE() to acquire when
CLANG_LTO=y
On Wed, Jul 01, 2020 at 06:07:25PM +0100, Dave P Martin wrote:
> On Tue, Jun 30, 2020 at 06:37:34PM +0100, Will Deacon wrote:
> > When building with LTO, there is an increased risk of the compiler
> > converting an address dependency headed by a READ_ONCE() invocation
> > into a control dependency and consequently allowing for harmful
> > reordering by the CPU.
> >
> > Ensure that such transformations are harmless by overriding the generic
> > READ_ONCE() definition with one that provides acquire semantics when
> > building with LTO.
> >
> > Signed-off-by: Will Deacon <will@...nel.org>
> > ---
> > arch/arm64/include/asm/rwonce.h | 63 +++++++++++++++++++++++++++++++
> > arch/arm64/kernel/vdso/Makefile | 2 +-
> > arch/arm64/kernel/vdso32/Makefile | 2 +-
> > 3 files changed, 65 insertions(+), 2 deletions(-)
> > create mode 100644 arch/arm64/include/asm/rwonce.h
> >
> > diff --git a/arch/arm64/include/asm/rwonce.h b/arch/arm64/include/asm/rwonce.h
> > new file mode 100644
> > index 000000000000..515e360b01a1
> > --- /dev/null
> > +++ b/arch/arm64/include/asm/rwonce.h
> > @@ -0,0 +1,63 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +/*
> > + * Copyright (C) 2020 Google LLC.
> > + */
> > +#ifndef __ASM_RWONCE_H
> > +#define __ASM_RWONCE_H
> > +
> > +#ifdef CONFIG_CLANG_LTO
>
> Don't we have a generic option for LTO that's not specific to Clang.
/me looks at the LTO series some more
Oh yeah, there's CONFIG_LTO which is selected by CONFIG_LTO_CLANG, which is
the non-typoed version of the above. I can switch this to CONFIG_LTO.
> Also, can you illustrate code that can only be unsafe with Clang LTO?
I don't have a concrete example, but it's an ongoing concern over on the LTO
thread [1], so I cooked this to show one way we could deal with it. The main
concern is that the whole-program optimisations enabled by LTO may allow the
compiler to enumerate possible values for a pointer at link time and replace
an address dependency between two loads with a control dependency instead,
defeating the dependency ordering within the CPU.
We likely won't realise if/when this goes wrong, other than impossible to
debug, subtle breakage that crops up seemingly randomly. Ideally, we'd be
able to detect this sort of thing happening at build time, and perhaps
even prevent it with compiler options or annotations, but none of that is
close to being available and I'm keen to progress the LTO patches in the
meantime because they are a requirement for CFI.
Will
[1] https://lore.kernel.org/r/20200624203200.78870-1-samitolvanen@google.com
Powered by blists - more mailing lists