From: Alexander Popov <alex.popov@linux.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Laura Abbott <labbott@redhat.com>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Kees Cook <keescook@chromium.org>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Tycho Andersen <tycho@docker.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
X86 ML <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Borislav Petkov <bp@alien8.de>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: [kernel-hardening] Re: [PATCH RFC v4 0/3] Introduce the STACKLEAK feature and a test for it
Date: Sun, 22 Oct 2017 00:56:44 +0300 [thread overview]
Message-ID: <4ec7b323-1de5-0de0-d196-4cb7f2d09ef4@linux.com> (raw)
In-Reply-To: <CALCETrVF0-bz3A_8T-nghD_h8rs0N6NJBOM04scjMJdQq9ZLCA@mail.gmail.com>
On 13.10.2017 20:26, Andy Lutomirski wrote:
> On Wed, Oct 11, 2017 at 9:29 AM, Alexander Popov <alex.popov@linux.com> wrote:
>> On 11.10.2017 05:31, Andy Lutomirski wrote:
>>> On Oct 10, 2017, at 6:19 PM, Laura Abbott <labbott@redhat.com> wrote:
>>>> I tried this series with CVE-2017-14954 . That particular bug
>>>> is not helped here because the poisoning has already been
>>>> overwritten by other leaf functions. Given the call stack this
>>>> may be a particularly bad case but I'm wondering how common
>>>> this might be if we're only erasing at the end of a system
>>>> call. One previous copy_to_user which has to go through the
>>>> fault path can get fairly deep.
>>
>> Laura, thanks for your observation. I've tested Brad's PoC with STACKLEAK too
>> and see similar results. There is only one STACKLEAK_POISON value in the leaked
>> data. Other leaked data is put on the stack by the current syscall.
>>
>> I don't know any statistics on infoleaks and I can't say how many of them would
>> be neutralized by STACKLEAK. But, anyway, it is be better than nothing for those
>> who accept the STACKLEAK performance penalty.
>>
>>> On x86, the bad guys can force this is using 32-bit fast syscalls for *any*
>>> syscall. I suppose we could wipe the stack on the way out of exception
>>> handlers, too...
>>
>> Andy, excuse me, could you elaborate on that? Do you mean that there are some
>> more cases when erase_kstack() should be called?
>
> Kinda. I was thinking that certain exception handlers should erase
> their portion of the stack (i.e. from their entry frame to the bottom)
> when they return back to *kernel* mode.
Andy, if we return to the kernel mode, which profit would we make out of
cleaning exception stacks?
I've spent some time learning arch/x86/entry/. But, honestly, I need help with
checking that erase_kstack() is called at the right places.
Anyway, I'll shortly send the 5-th version of the STACKLEAK patch series. And
I'll include your idea into the "further work" section in the cover letter.
Thank you.
Best regards,
Alexander
prev parent reply other threads:[~2017-10-21 21:56 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 22:55 [kernel-hardening] [PATCH RFC v4 0/3] Introduce the STACKLEAK feature and a test for it Alexander Popov
2017-10-04 22:55 ` [kernel-hardening] [PATCH RFC v4 1/3] gcc-plugins: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2017-10-04 23:31 ` [kernel-hardening] " Kees Cook
2017-10-05 7:27 ` Ingo Molnar
2017-10-05 12:31 ` Alexander Popov
2017-10-10 22:33 ` Laura Abbott
2017-10-13 17:03 ` Alexander Popov
2017-10-04 22:55 ` [kernel-hardening] [PATCH RFC v4 2/3] lkdtm: Add a test for STACKLEAK Alexander Popov
2017-10-04 22:55 ` [kernel-hardening] [PATCH RFC v4 3/3] doc: self-protection: Add information about STACKLEAK feature Alexander Popov
2017-10-05 4:40 ` [kernel-hardening] Re: [PATCH RFC v4 0/3] Introduce the STACKLEAK feature and a test for it Andy Lutomirski
2017-10-11 1:19 ` Laura Abbott
2017-10-11 2:31 ` Andy Lutomirski
2017-10-11 16:29 ` Alexander Popov
2017-10-13 17:26 ` Andy Lutomirski
2017-10-21 21:56 ` Alexander Popov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ec7b323-1de5-0de0-d196-4cb7f2d09ef4@linux.com \
--to=alex.popov@linux.com \
--cc=a.p.zijlstra@chello.nl \
--cc=ard.biesheuvel@linaro.org \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=luto@amacapital.net \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=pageexec@freemail.hu \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=tycho@docker.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.