From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Julien Grall <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v3 2/3] xen: common: add ability to enable stack protector
Date: Thu, 12 Dec 2024 00:47:38 +0000 [thread overview]
Message-ID: <87bjxh3exi.fsf@epam.com> (raw)
In-Reply-To: <0d04abb1-dae1-47d1-93e3-23d88399fa64@suse.com> (Jan Beulich's message of "Wed, 11 Dec 2024 09:16:47 +0100")
Hello Jan,
Jan Beulich <jbeulich@suse.com> writes:
> On 11.12.2024 03:04, Volodymyr Babchuk wrote:
[...]
>
>> @@ -213,6 +216,18 @@ config SPECULATIVE_HARDEN_LOCK
>>
>> endmenu
>>
>> +menu "Compiler options"
>> +
>> +config STACK_PROTECTOR
>> + bool "Stack protector"
>> + depends on HAS_STACK_PROTECTOR
>> + help
>> + Enable the Stack Protector compiler hardening option. This inserts a
>> + canary value in the stack frame of functions, and performs an integrity
>> + check on exit.
>> +
>> +endmenu
>
> "Compiler options" reads a little odd to me as a menu title. The preceding one
> is "Speculative hardening"; how about making this one "Other hardening" or some
> such?
It was on of the Andrew's suggestion. Other was "Hardening". So yes, I
can rename it to "Other hardening", hope Andrew will be okay with this.
[...]
>> +/* This function should be called from ASM only */
>
> And with no (stack-protector enabled) C functions up the call stack. This
> may be as easy to express in the comment as by simply adding "early".
Like "This function should be called from early ASM only" ?
> However, considering the so far hypothetical case of offering the feature
> also on x86: What about xen.efi, which from the very start uses C code?
>
It depends on what other services are available. If RNG can be used
already, we don't need to call this function at all and can use
boot_stack_chk_guard_setup() right away.
>> +void __init asmlinkage boot_stack_chk_guard_setup_early(void)
>> +{
[...]
>> +void asmlinkage __stack_chk_fail(void)
>> +{
>> + panic("Stack Protector integrity violation identified in %ps\n",
>> + __builtin_return_address(0));
>
> Again.
>
> Is panic() really the right construct to use here, though?
> __builtin_return_address() will merely identify the immediate caller. A
> full stack trace (from BUG()) would likely be more useful in identifying
> the offender.
Okay, I'll put just plain BUG(); here.
>
>> --- a/xen/include/asm-generic/random.h
>> +++ b/xen/include/asm-generic/random.h
>> @@ -2,6 +2,11 @@
>> #ifndef __ASM_GENERIC_RANDOM_H__
>> #define __ASM_GENERIC_RANDOM_H__
>>
>> +/*
>> + * When implementing arch_get_random(), please make sure that
>> + * it can provide random data before stack protector is initialized
>> + * (i.e. before boot_stack_chk_guard_setup() is called).
>> + */
>> static inline unsigned int arch_get_random(void)
>> {
>> return 0;
>
> What exactly will go (entirely) wrong if the comment isn't followed?
This will not cause immediate harm, but it will give false confidence to
anyone who enables stack protector.
I'd prefer more substantial protection, but we can't even check if
random generator is available in runtime. Taking into account that we
potential can get 0 as result of RNG, we can't even put
WARN_ON(!arch_get_random()) check.
> (I'm afraid anyway that the comment living here is easy to miss.)
I didn't found a better place for it. Maybe you can suggest one?
[...]
Thank you for the review. I'll address all your other comments.
--
WBR, Volodymyr
next prev parent reply other threads:[~2024-12-12 0:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-11 2:04 [PATCH v3 0/3] Add stack protector Volodymyr Babchuk
2024-12-11 2:04 ` [PATCH v3 3/3] xen: arm: enable stack protector feature Volodymyr Babchuk
2024-12-11 2:04 ` [PATCH v3 2/3] xen: common: add ability to enable stack protector Volodymyr Babchuk
2024-12-11 8:16 ` Jan Beulich
2024-12-12 0:47 ` Volodymyr Babchuk [this message]
2024-12-12 10:58 ` Jan Beulich
2024-12-12 0:52 ` Andrew Cooper
2024-12-12 10:45 ` Jan Beulich
2025-01-15 12:49 ` Yann Dirson
2024-12-11 2:04 ` [PATCH v3 1/3] common: remove -fno-stack-protector from EMBEDDED_EXTRA_CFLAGS Volodymyr Babchuk
2024-12-11 7:49 ` Jan Beulich
2024-12-12 1:08 ` Andrew Cooper
2024-12-11 7:46 ` [PATCH v3 0/3] Add stack protector Jan Beulich
2024-12-12 0:13 ` Volodymyr Babchuk
2024-12-12 1:17 ` Andrew Cooper
2024-12-12 1:19 ` Andrew Cooper
2024-12-12 14:30 ` Jan Beulich
2024-12-12 16:52 ` Jan Beulich
2024-12-19 0:20 ` Andrew Cooper
2024-12-19 7:39 ` Jan Beulich
2025-01-14 13:22 ` Jan Beulich
2025-01-14 13:28 ` Andrew Cooper
2025-01-14 13:47 ` Jan Beulich
2025-01-14 14:15 ` Andrew Cooper
2024-12-12 10:30 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bjxh3exi.fsf@epam.com \
--to=volodymyr_babchuk@epam.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.