From: "PaX Team" <pageexec@freemail.hu>
To: kernel-hardening@lists.openwall.com, Kees Cook <keescook@chromium.org>
Cc: Emese Revfy <re.emese@gmail.com>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Mark Rutland <mark.rutland@arm.com>,
park jinbum <jinb.park7@gmail.com>,
Daniel Micay <danielmicay@gmail.com>,
linux-kernel@vger.kernel.org, spender@grsecurity.net
Subject: [kernel-hardening] Re: [PATCH] gcc-plugins: Add structleak for more stack initialization
Date: Sat, 14 Jan 2017 11:03:14 +0100 [thread overview]
Message-ID: <5879F762.32059.37092152@pageexec.freemail.hu> (raw)
In-Reply-To: <20170113220256.GA57663@beast>
On 13 Jan 2017 at 14:02, Kees Cook wrote:
> This plugin detects any structures that contain __user attributes and
> makes sure it is being fulling initialized so that a specific class of
> information exposure is eliminated. (For example, the exposure of siginfo
> in CVE-2013-2141 would have been blocked by this plugin.)
why the conditional? the plugin was specifically written to block that bug
and block it did ;).
> +config GCC_PLUGIN_STRUCTLEAK
> + bool "Force initialization of variables containing userspace addresses"
> + depends on GCC_PLUGINS
> + help
> + This plugin zero-initializes any structures that containing a
> + __user attribute. This can prevent some classes of information
> + exposures.
i see that you completely ditched the description in PaX, is there a reason
for it? your text isn't correct as is because
- the __user attribute (which is an implementation choice, see below) doesn't
apply to structures but pointers only (as it does for sparse IIRC)
- a structure is a type, but the plugin initializes variables, not types
(the latter makes little sense)
- the plugin doesn't initialize 'any structures' (well, variables), only locals
and only at function scope (subject to further evolution as discussed earlier).
> +config GCC_PLUGIN_STRUCTLEAK_VERBOSE
> + bool "Report initialized variables"
> + depends on GCC_PLUGIN_STRUCTLEAK
> + depends on !COMPILE_TEST
> + help
> + This option will cause a warning to be printed each time the
> + structleak plugin finds a variable it thinks needs to be
> + initialized. Since not all existing initializers are detected
> + by the plugin, this can produce false positive warnings.
there are no false positives, a variable either has a constructor or it does not ;)
> +/* unused C type flag in all versions 4.5-6 */
> +#define TYPE_USERSPACE(TYPE) TYPE_LANG_FLAG_5(TYPE)
FYI, this is a sort of abuse/hack of tree flags and should not be implemented this
way in the upstream kernel as it's a finite resource and needs careful verification
against all supported gcc versions (these flags are meant for language fronteds, i
kinda got lucky to have a few of them unusued but it's not a robust future-proof
approach). instead an attribute should be used to mark these types. whether that
can/should be __user itself is a good question since that's another hack where the
plugin 'hijacks' a sparse address space atttribute (for which gcc 4.6+ has its own
facilities and that the checker gcc plugin makes use of thus it's not compatible
with structleak as is).
WARNING: multiple messages have this Message-ID (diff)
From: "PaX Team" <pageexec@freemail.hu>
To: kernel-hardening@lists.openwall.com, Kees Cook <keescook@chromium.org>
Cc: Emese Revfy <re.emese@gmail.com>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Mark Rutland <mark.rutland@arm.com>,
park jinbum <jinb.park7@gmail.com>,
Daniel Micay <danielmicay@gmail.com>,
linux-kernel@vger.kernel.org, spender@grsecurity.net
Subject: Re: [PATCH] gcc-plugins: Add structleak for more stack initialization
Date: Sat, 14 Jan 2017 11:03:14 +0100 [thread overview]
Message-ID: <5879F762.32059.37092152@pageexec.freemail.hu> (raw)
In-Reply-To: <20170113220256.GA57663@beast>
On 13 Jan 2017 at 14:02, Kees Cook wrote:
> This plugin detects any structures that contain __user attributes and
> makes sure it is being fulling initialized so that a specific class of
> information exposure is eliminated. (For example, the exposure of siginfo
> in CVE-2013-2141 would have been blocked by this plugin.)
why the conditional? the plugin was specifically written to block that bug
and block it did ;).
> +config GCC_PLUGIN_STRUCTLEAK
> + bool "Force initialization of variables containing userspace addresses"
> + depends on GCC_PLUGINS
> + help
> + This plugin zero-initializes any structures that containing a
> + __user attribute. This can prevent some classes of information
> + exposures.
i see that you completely ditched the description in PaX, is there a reason
for it? your text isn't correct as is because
- the __user attribute (which is an implementation choice, see below) doesn't
apply to structures but pointers only (as it does for sparse IIRC)
- a structure is a type, but the plugin initializes variables, not types
(the latter makes little sense)
- the plugin doesn't initialize 'any structures' (well, variables), only locals
and only at function scope (subject to further evolution as discussed earlier).
> +config GCC_PLUGIN_STRUCTLEAK_VERBOSE
> + bool "Report initialized variables"
> + depends on GCC_PLUGIN_STRUCTLEAK
> + depends on !COMPILE_TEST
> + help
> + This option will cause a warning to be printed each time the
> + structleak plugin finds a variable it thinks needs to be
> + initialized. Since not all existing initializers are detected
> + by the plugin, this can produce false positive warnings.
there are no false positives, a variable either has a constructor or it does not ;)
> +/* unused C type flag in all versions 4.5-6 */
> +#define TYPE_USERSPACE(TYPE) TYPE_LANG_FLAG_5(TYPE)
FYI, this is a sort of abuse/hack of tree flags and should not be implemented this
way in the upstream kernel as it's a finite resource and needs careful verification
against all supported gcc versions (these flags are meant for language fronteds, i
kinda got lucky to have a few of them unusued but it's not a robust future-proof
approach). instead an attribute should be used to mark these types. whether that
can/should be __user itself is a good question since that's another hack where the
plugin 'hijacks' a sparse address space atttribute (for which gcc 4.6+ has its own
facilities and that the checker gcc plugin makes use of thus it's not compatible
with structleak as is).
next prev parent reply other threads:[~2017-01-14 10:03 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-13 22:02 [kernel-hardening] [PATCH] gcc-plugins: Add structleak for more stack initialization Kees Cook
2017-01-13 22:02 ` Kees Cook
2017-01-14 10:03 ` PaX Team [this message]
2017-01-14 10:03 ` PaX Team
2017-01-16 15:24 ` [kernel-hardening] " Mark Rutland
2017-01-16 15:24 ` Mark Rutland
2017-01-16 19:08 ` [kernel-hardening] " Daniel Micay
2017-01-16 19:08 ` Daniel Micay
2017-01-16 19:30 ` [kernel-hardening] " PaX Team
2017-01-16 19:30 ` PaX Team
2017-01-17 17:48 ` [kernel-hardening] " Mark Rutland
2017-01-17 17:48 ` Mark Rutland
2017-01-17 18:54 ` [kernel-hardening] " PaX Team
2017-01-17 18:54 ` PaX Team
2017-01-18 10:48 ` [kernel-hardening] " Mark Rutland
2017-01-18 10:48 ` Mark Rutland
2017-01-17 17:48 ` [kernel-hardening] " Kees Cook
2017-01-17 17:48 ` Kees Cook
2017-01-16 11:54 ` [kernel-hardening] " Mark Rutland
2017-01-16 11:54 ` Mark Rutland
2017-01-16 12:26 ` [kernel-hardening] " Mark Rutland
2017-01-16 19:22 ` PaX Team
2017-01-16 19:22 ` PaX Team
2017-01-17 10:42 ` [kernel-hardening] " Dave P Martin
2017-01-17 10:42 ` Dave P Martin
2017-01-17 17:09 ` [kernel-hardening] " PaX Team
2017-01-17 18:07 ` Dave P Martin
2017-01-17 18:07 ` Dave P Martin
2017-01-17 19:25 ` [kernel-hardening] " PaX Team
2017-01-17 19:25 ` PaX Team
2017-01-17 22:04 ` [kernel-hardening] " Dave P Martin
2017-01-17 22:04 ` Dave P Martin
2017-01-17 17:56 ` [kernel-hardening] " Kees Cook
2017-01-17 17:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5879F762.32059.37092152@pageexec.freemail.hu \
--to=pageexec@freemail.hu \
--cc=danielmicay@gmail.com \
--cc=jinb.park7@gmail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=re.emese@gmail.com \
--cc=spender@grsecurity.net \
--cc=takahiro.akashi@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.