| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Dec 2021 22:40:42 +0100
From: Marco Elver <elver@...gle.com>
To: Jann Horn <jannh@...gle.com>
Cc: Peter Zijlstra <peterz@...radead.org>,
Alexander Potapenko <glider@...gle.com>,
Kees Cook <keescook@...omium.org>,
Thomas Gleixner <tglx@...utronix.de>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Elena Reshetova <elena.reshetova@...el.com>,
Mark Rutland <mark.rutland@....com>,
Peter Collingbourne <pcc@...gle.com>,
kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev, linux-toolchains@...r.kernel.org
Subject: Re: randomize_kstack: To init or not to init?
On Thu, 9 Dec 2021 at 22:16, Jann Horn <jannh@...gle.com> wrote:
>
> On Thu, Dec 9, 2021 at 10:58 AM Marco Elver <elver@...gle.com> wrote:
> > Clang supports CONFIG_INIT_STACK_ALL_ZERO, which appears to be the
> > default since dcb7c0b9461c2, which is why this came on my radar. And
> > Clang also performs auto-init of allocas when auto-init is on
> > (https://reviews.llvm.org/D60548), with no way to skip. As far as I'm
> > aware, GCC 12's upcoming -ftrivial-auto-var-init= doesn't yet auto-init
> > allocas.
> >
> > add_random_kstack_offset() uses __builtin_alloca() to add a stack
> > offset. This means, when CONFIG_INIT_STACK_ALL_{ZERO,PATTERN} is
> > enabled, add_random_kstack_offset() will auto-init that unused portion
> > of the stack used to add an offset.
> >
> > There are several problems with this:
> >
> > 1. These offsets can be as large as 1023 bytes. Performing
> > memset() on them isn't exactly cheap, and this is done on
> > every syscall entry.
> >
> > 2. Architectures adding add_random_kstack_offset() to syscall
> > entry implemented in C require them to be 'noinstr' (e.g. see
> > x86 and s390). The potential problem here is that a call to
> > memset may occur, which is not noinstr.
>
> This doesn't just affect alloca(), right? According to godbolt.org
> (https://godbolt.org/z/jYrWEx7o8):
>
> void bar(char *p);
> void foo() {
> char arr[512];
> bar(arr);
> }
>
> when compiled with "-ftrivial-auto-var-init=pattern -O2 -mno-sse"
> gives this result:
>
> foo: # @foo
> push rbx
> sub rsp, 512
> mov rbx, rsp
> mov edx, 512
> mov rdi, rbx
> mov esi, 170
> call memset@PLT
> mov rdi, rbx
> call bar
> add rsp, 512
> pop rbx
> ret
>
> So I think to fix this properly in a way that doesn't conflict with
> noinstr validation, I think you'll have to add a compiler flag that
> lets you specify a noinstr-safe replacement for memset() that should
> be used here?
Yeah, this story isn't over with __builtin_alloca().
A workaround would be to use __attribute__((uninitialized)). Of course
that implies there are no uninit bugs. ;-)
To initialize in noinstr, __memset can be used explicitly.
Maybe there's some guidance on what is and what isn't ok in noinstr
code so we can actually decide what is the right thing to do. I found
this: https://lore.kernel.org/all/878rx5b7i5.ffs@tglx/
Thanks,
-- Marco
Powered by blists - more mailing lists