From: Miko Larsson <mikoxyzzz@gmail.com>
To: "Maciej W. Rozycki" <macro@orcam.me.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Kees Cook <keescook@chromium.org>,
x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] x86: Use `get_random_u8' for kernel stack offset randomization
Date: Tue, 31 Jan 2023 22:01:55 +0100
Message-ID: <3bccbead128d5bbc699cd092b79bf8d61e6cb373.camel@gmail.com>
In-Reply-To: <alpine.DEB.2.21.2301302011150.55843@angie.orcam.me.uk>
On Mon, 2023-01-30 at 21:30 +0000, Maciej W. Rozycki wrote:
> For x86 kernel stack offset randomization uses the RDTSC instruction,
> which according to H. Peter Anvin is not a secure source of entropy:
>
> "RDTSC isn't a super fast instruction either, but what is *way* more
> significant is that this use of RDTSC is NOT safe: in certain power states
> it may very well be that some number of lower bits of TSC contain no
> entropy at all."
>
> It also causes an invalid opcode exception with hardware that does not
> implement this instruction:
>
> process '/sbin/init' started with executable stack
> invalid opcode: 0000 [#1]
> CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc4+ #1
> EIP: exit_to_user_mode_prepare+0x90/0xe1
> Code: 30 02 00 75 ad 0f ba e3 16 73 05 e8 a7 a5 fc ff 0f ba e3 0e 73
> 05 e8 3e af fc ff a1 c4 c6 51 c0 85 c0 7e 13 8b 0d ac 01 53 c0 <0f>
> 31 0f b6 c0 31 c1 89 0d ac 01 53 c0 83 3d 30 ed 62 c0 00 75 33
> EAX: 00000001 EBX: 00004000 ECX: 00000000 EDX: 000004ff
> ESI: c10253c0 EDI: 00000000 EBP: c1027f98 ESP: c1027f8c
> DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010002
> CR0: 80050033 CR2: bfe8659b CR3: 012e0000 CR4: 00000000
> Call Trace:
> ? rest_init+0x72/0x72
> syscall_exit_to_user_mode+0x15/0x27
> ret_from_fork+0x10/0x30
> EIP: 0xb7f74800
> Code: Unable to access opcode bytes at 0xb7f747d6.
> EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
> ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: bfe864b0
> DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000200
> ---[ end trace 0000000000000000 ]---
> EIP: exit_to_user_mode_prepare+0x90/0xe1
> Code: 30 02 00 75 ad 0f ba e3 16 73 05 e8 a7 a5 fc ff 0f ba e3 0e 73
> 05 e8 3e af fc ff a1 c4 c6 51 c0 85 c0 7e 13 8b 0d ac 01 53 c0 <0f>
> 31 0f b6 c0 31 c1 89 0d ac 01 53 c0 83 3d 30 ed 62 c0 00 75 33
> EAX: 00000001 EBX: 00004000 ECX: 00000000 EDX: 000004ff
> ESI: c10253c0 EDI: 00000000 EBP: c1027f98 ESP: c1027f8c
> DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010002
> CR0: 80050033 CR2: b7f747d6 CR3: 012e0000 CR4: 00000000
> Kernel panic - not syncing: Fatal exception
>
> Therefore switch to our generic entropy source and use `get_random_u8'
> instead, which according to Jason A. Donenfeld is supposed to be fast
> enough:
>
> "Generally it's very very fast, as most cases wind up being only a
> memcpy -- in this case, a single byte copy. So by and large it should
> be suitable. It's fast enough now that most networking things are able
> to use it. And lots of other places where you'd want really high
> performance. So I'd expect it's okay to use here too. And if it is too
> slow, we should figure out how to make it faster. But I don't suspect
> it'll be too slow."
>
> Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
> Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Fixes: fe950f602033 ("x86/entry: Enable random_kstack_offset support")
> Cc: stable@vger.kernel.org # v5.13+
> ---
> Changes from v2:
>
> - Use `get_random_u8' rather than `rdtsc', universally; update the heading
> (was: "x86: Disable kernel stack offset randomization for !TSC") and the
> description accordingly.
>
> - As a security concern mark for backporting.
>
> Changes from v1:
>
> - Disable randomization at run time rather than in configuration.
> ---
> arch/x86/include/asm/entry-common.h | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> linux-x86-randomize-kstack-offset-random-u8.diff
> Index: linux-macro/arch/x86/include/asm/entry-common.h
> ===================================================================
> --- linux-macro.orig/arch/x86/include/asm/entry-common.h
> +++ linux-macro/arch/x86/include/asm/entry-common.h
> @@ -2,6 +2,7 @@
> #ifndef _ASM_X86_ENTRY_COMMON_H
> #define _ASM_X86_ENTRY_COMMON_H
>
> +#include <linux/random.h>
> #include <linux/randomize_kstack.h>
> #include <linux/user-return-notifier.h>
>
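Review bot: the explicit `#include <linux/random.h>` is the right way to make get_random_u8() available here rather than relying on it arriving transitively through <linux/randomize_kstack.h>, and it keeps the include list alphabetical. Since this header is pulled into the return-to-user path, it is still worth a quick check that nothing else in <linux/random.h> is now visible to arch_exit_to_user_mode_prepare() that was not already there; nothing in the hunk suggests a problem.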
> @@ -85,7 +86,7 @@ static inline void arch_exit_to_user_mod
> * Therefore, final stack offset entropy will be 5 (x86_64)
> or
> * 6 (ia32) bits.
> */
> - choose_random_kstack_offset(rdtsc() & 0xFF);
> + choose_random_kstack_offset(get_random_u8());
> }
> #define arch_exit_to_user_mode_prepare
> arch_exit_to_user_mode_prepare
>
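Review bot: the context comment above the changed line still promises 5 (x86_64) or 6 (ia32) bits of final entropy, and that figure only holds when all 8 bits handed to choose_random_kstack_offset() are uniform; with `rdtsc() & 0xFF` the low bits can be constant in some power states, as the description says, so `get_random_u8()` is what makes the stated figures true rather than an upper bound. Two things to confirm before merging: that get_random_u8() is only evaluated when kstack offset randomization is actually enabled, because this runs on every return to user mode and the cost argument in the description assumes the call is cheap on the hot path; and that the `Cc: stable@vger.kernel.org # v5.13+` range matches the kernels in which get_random_u8() exists, since any older stable tree would need a different helper for the backport.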
Tested-by: Miko Larsson <mikoxyzzz@gmail.com>
--
~miko
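Added example, my own code and not the patch's, the kernel's, or any thread participant's: a user-space model of the entropy accounting in the patch's context comment, where an 8-bit sample becomes a 10-bit offset and the compiler's stack alignment then drops the low 3 (x86_64) or 2 (ia32) bits, comparing a constructed TSC-like source whose low bits are stuck against a constructed stand-in for a uniform byte. The 0x3FF clamp, both sample sources and the omission of the kernel's per-cpu state mixing are assumptions of the model.

```c
/* Added example, not the patch's or the kernel's code (see lead-in). */
#include <stdint.h>
#include <stdio.h>

#define KSTACK_OFFSET_MAX_MASK 0x3FFu /* assumption: offset limited to 10 bits */
#define ALIGN_SHIFT_X86_64 3          /* stack alignment drops 3 low bits on x86_64 */
#define ALIGN_SHIFT_IA32   2          /* and 2 low bits on ia32 */

/* Modelled final offset: clamp to 10 bits, drop alignment bits (the kernel also mixes per-cpu state; omitted). */
static uint32_t final_offset(uint8_t sample, unsigned shift)
{
    return (sample & KSTACK_OFFSET_MAX_MASK) >> shift;
}

/* Constructed "bad" source: a TSC-like counter stepping by 16, so the low 4 bits never change. */
static uint8_t stuck_tsc_sample(uint32_t i) { return (uint8_t)(i * 16); }

/* Constructed "good" source: affine bijection on 0..255, visits every byte once; stand-in for get_random_u8(). */
static uint8_t uniform_sample(uint32_t i) { return (uint8_t)(i * 37u + 11u); }

/* Count distinct final offsets reached by n samples from src. */
static unsigned distinct_offsets(uint8_t (*src)(uint32_t), unsigned n, unsigned shift)
{
    uint8_t seen[KSTACK_OFFSET_MAX_MASK + 1] = { 0 };
    unsigned i, distinct = 0;
    for (i = 0; i < n; i++) {
        uint32_t off = final_offset(src(i), shift);
        distinct += !seen[off];
        seen[off] = 1;
    }
    return distinct;
}

/* Entropy in bits if those offsets were equally likely: floor(log2(distinct)). */
static unsigned entropy_bits(unsigned distinct)
{
    unsigned bits = 0;
    while (distinct > 1) { distinct >>= 1; bits++; }
    return bits;
}

int main(void)
{
    unsigned s = ALIGN_SHIFT_X86_64, bad = distinct_offsets(stuck_tsc_sample, 256, s),
             good = distinct_offsets(uniform_sample, 256, s);
    printf("x86_64: stuck-TSC %u offsets (%u bits), uniform %u offsets (%u bits)\n",
           bad, entropy_bits(bad), good, entropy_bits(good));
    return 0;
}
```

With the stuck source the x86_64 path yields 16 offsets (4 bits) instead of the 32 (5 bits) the comment promises; the ia32 shift gives 16 versus 64 (6 bits).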