From: Alexander Popov <alex.popov@linux.com>
To: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Tycho Andersen <tycho@docker.com>,
PaX Team <pageexec@freemail.hu>
Subject: [kernel-hardening] Re: [RFC][PATCH 2/2] arm64: Clear the stack
Date: Fri, 18 Aug 2017 11:07:08 +0300 [thread overview]
Message-ID: <b8be6867-40aa-86bb-dc9b-ad591f2026f5@linux.com> (raw)
In-Reply-To: <CAGXu5jKp0J_6+upysRXbc1Khjzr20DrdM6As8ZS=QcccN7jpfg@mail.gmail.com>
Hello Kees and Laura,
On 25.07.2017 06:34, Kees Cook wrote:
> On Mon, Jul 24, 2017 at 1:19 AM, Alexander Popov <alex.popov@linux.com> wrote:
>> On 22.07.2017 03:23, Laura Abbott wrote:
>>> On 07/21/2017 09:56 AM, Alexander Popov wrote:
>>>> So let's keep it not to break CONFIG_SCHED_STACK_END_CHECK.
>>>
>>> That makes sense, good find! I wonder if CONFIG_SCHED_STACK_END_CHECK
>>> should go on the list of hardening options and/or if we can enhance
>>> it somehow?
>>
>> Do you mean this list?
>> http://www.kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
>>
>>> I'm not sure why it requires two words though since the
>>> poison only seems to be 32-bits?
>>
>> On x86_64 end_of_stack() returns the pointer to unsigned long, so we need at
>> least 8 bytes to avoid breaking CONFIG_SCHED_STACK_END_CHECK. Don't know about 8
>> more bytes.
>
> Seems like this should be a random value like the per-frame stack
> canary, but it looks like a relatively cheap check. It's probably not
> in the cache, though, since most stack operations should be pretty far
> from the end of the stack...
It seems that the idea you describe is not implemented in Grsecurity/PaX patch.
On x86_64 the bottom of the stack for the mainline kernel looks like that:
0xffffc900004c8000: 0x57ac6e9d 0x00000000 0x00000000 0x00000000
0xffffc900004c8010: 0xffff4111 0xffffffff 0xffff4111 0xffffffff
...
But for the Grsecurity kernel it looks like that:
0xffffc90000324000: 0x00000000 0x00000000 0x57ac6e9d 0x00000000
0xffffc90000324010: 0xffff4111 0xffffffff 0xffff4111 0xffffffff
...
Because Grsecurity/PaX patch has that change:
static inline unsigned long *end_of_stack(const struct task_struct *task)
{
- return task->stack;
+ return (unsigned long *)task->stack + 1;
}
So that is their reason of having 16 bytes reserved at the bottom of the kernel
stack.
However, right now I don't understand the purpose of patching end_of_stack().
What do you think? Should mainline have it?
Best regards,
Alexander
next prev parent reply other threads:[~2017-08-18 8:07 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-09 14:30 [kernel-hardening] [PATCH RFC v2 1/1] gcc-plugins: Add stackleak feature erasing the kernel stack at the end of syscalls Alexander Popov
2017-06-09 17:28 ` [kernel-hardening] " Kees Cook
2017-06-09 23:00 ` Alexander Popov
2017-06-20 19:20 ` Kees Cook
2017-06-13 21:51 ` Laura Abbott
2017-06-20 11:20 ` Mark Rutland
2017-06-20 14:13 ` Ard Biesheuvel
2017-06-20 19:11 ` Kees Cook
2017-06-21 9:24 ` Mark Rutland
2017-06-21 15:54 ` Laura Abbott
2017-07-10 22:04 ` [kernel-hardening] [RFC][PATCH 0/2] draft of stack clearing for arm64 Laura Abbott
2017-07-10 22:04 ` [kernel-hardening] [RFC][PATCH 1/2] stackleak: Update " Laura Abbott
2017-07-10 22:04 ` [kernel-hardening] [RFC][PATCH 2/2] arm64: Clear the stack Laura Abbott
2017-07-11 19:51 ` [kernel-hardening] " Mark Rutland
2017-07-11 20:04 ` Mark Rutland
2017-07-12 6:01 ` Alexander Popov
2017-07-14 20:51 ` Laura Abbott
2017-07-21 16:56 ` Alexander Popov
2017-07-22 0:23 ` Laura Abbott
2017-07-24 8:19 ` Alexander Popov
2017-07-25 3:34 ` Kees Cook
2017-08-18 8:07 ` Alexander Popov [this message]
2017-07-11 22:56 ` [kernel-hardening] Re: [RFC][PATCH 0/2] draft of stack clearing for arm64 Alexander Popov
2017-06-23 22:48 ` [kernel-hardening] Re: [PATCH RFC v2 1/1] gcc-plugins: Add stackleak feature erasing the kernel stack at the end of syscalls Tycho Andersen
2017-06-29 21:33 ` Kees Cook
2017-06-29 22:13 ` Tycho Andersen
2017-06-20 9:06 ` [kernel-hardening] " Hector Martin "marcan"
2017-06-20 19:07 ` Kees Cook
2017-06-20 20:22 ` Hector Martin "marcan"
2017-06-20 19:14 ` [kernel-hardening] " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b8be6867-40aa-86bb-dc9b-ad591f2026f5@linux.com \
--to=alex.popov@linux.com \
--cc=ard.biesheuvel@linaro.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=mark.rutland@arm.com \
--cc=pageexec@freemail.hu \
--cc=tycho@docker.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.