From: "Dmitry V. Levin" <ldv@altlinux.org>
To: Alexander Popov <alex.popov@linux.com>
Cc: kernel-hardening@lists.openwall.com,
KeesCook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [kernel-hardening] [PATCH RFC v6 2/6] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
Date: Tue, 12 Dec 2017 03:09:12 +0300 [thread overview]
Message-ID: <20171212000912.GA10256@altlinux.org> (raw)
In-Reply-To: <1512516827-29797-3-git-send-email-alex.popov@linux.com>
On Wed, Dec 06, 2017 at 02:33:43AM +0300, Alexander Popov wrote:
> The STACKLEAK feature erases the kernel stack before returning from
> syscalls. That reduces the information which kernel stack leak bugs can
> reveal and blocks some uninitialized stack variable attacks. Moreover,
> STACKLEAK provides runtime checks for kernel stack overflow detection.
>
> This commit introduces the STACKLEAK gcc plugin. It is needed for:
> - tracking the lowest border of the kernel stack, which is important
> for the code erasing the used part of the kernel stack at the end
> of syscalls (comes in a separate commit);
> - checking that alloca calls don't cause stack overflow.
>
> So this plugin instruments the kernel code inserting:
> - the check_alloca() call before alloca and the track_stack() call
> after it;
> - the track_stack() call for the functions with a stack frame size
> greater than or equal to CONFIG_STACKLEAK_TRACK_MIN_SIZE.
>
> The STACKLEAK feature is ported from grsecurity/PaX. More information at:
> https://grsecurity.net/
> https://pax.grsecurity.net/
>
> This code is modified from Brad Spengler/PaX Team's code in the last
> public patch of grsecurity/PaX based on our understanding of the code.
> Changes or omissions from the original code are ours and don't reflect
> the original grsecurity/PaX code.
>
> Signed-off-by: Alexander Popov <alex.popov@linux.com>
> ---
> arch/Kconfig | 15 ++
> arch/x86/kernel/dumpstack.c | 15 ++
> fs/exec.c | 25 ++
> scripts/Makefile.gcc-plugins | 3 +
> scripts/gcc-plugins/stackleak_plugin.c | 470 +++++++++++++++++++++++++++++++++
> 5 files changed, 528 insertions(+)
> create mode 100644 scripts/gcc-plugins/stackleak_plugin.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 721fdae..ba8e67b 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -528,6 +528,8 @@ config GCC_PLUGIN_STACKLEAK
> bool "Erase the kernel stack before returning from syscalls"
> depends on GCC_PLUGINS
> depends on HAVE_ARCH_STACKLEAK
> + imply VMAP_STACK
> + imply SCHED_STACK_END_CHECK
> help
> This option makes the kernel erase the kernel stack before it
> returns from a system call. That reduces the information which
> @@ -544,6 +546,19 @@ config GCC_PLUGIN_STACKLEAK
> * https://grsecurity.net/
> * https://pax.grsecurity.net/
>
> +config STACKLEAK_TRACK_MIN_SIZE
> + int "Minimum stack frame size of functions tracked by STACKLEAK"
> + default 100
> + range 0 4096
> + depends on GCC_PLUGIN_STACKLEAK
> + help
> + The STACKLEAK gcc plugin instruments the kernel code for tracking
> + the lowest border of the kernel stack (and for some other purposes).
> + It inserts the track_stack() call for the functions with a stack
> + frame size greater than or equal to this parameter. Be careful with
> + this setting, don't break the poison search in erase_kstack.
> + If unsure, leave the default value 100.
> +
I don't think the warning is scaring enough. As erase_kstack (both 64-bit
and 32-bit versions) checks for 128 consequent bytes of STACKLEAK_POISON,
it would be a bad idea to raise STACKLEAK_TRACK_MIN_SIZE to a value higher
than 120. Perhaps there has to be a consistency check that
STACKLEAK_TRACK_MIN_SIZE does not break assumptions made in erase_kstack.
> config HAVE_CC_STACKPROTECTOR
> bool
> help
> diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
> index f13b4c0..5a9b6cc 100644
> --- a/arch/x86/kernel/dumpstack.c
> +++ b/arch/x86/kernel/dumpstack.c
> @@ -315,3 +315,18 @@ static int __init code_bytes_setup(char *s)
> return 1;
> }
> __setup("code_bytes=", code_bytes_setup);
> +
> +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
> +void __used check_alloca(unsigned long size)
> +{
> + unsigned long sp = (unsigned long)&sp;
> + struct stack_info stack_info = {0};
> + unsigned long visit_mask = 0;
> + unsigned long stack_left;
> +
> + BUG_ON(get_stack_info(&sp, current, &stack_info, &visit_mask));
> + stack_left = sp - (unsigned long)stack_info.begin;
> + BUG_ON(stack_left < 256 || size >= stack_left - 256);
> +}
> +EXPORT_SYMBOL(check_alloca);
> +#endif
I think some rationale has to be given why 256 was chosen as the minimal
size of stack space left after alloca.
--
ldv
next prev parent reply other threads:[~2017-12-12 0:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-05 23:33 [kernel-hardening] [PATCH RFC v6 0/6] Introduce the STACKLEAK feature and a test for it Alexander Popov
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 1/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2017-12-08 11:44 ` [kernel-hardening] " Peter Zijlstra
2017-12-08 21:54 ` Alexander Popov
2017-12-11 9:26 ` Peter Zijlstra
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 2/6] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2017-12-06 18:57 ` [kernel-hardening] " Laura Abbott
2017-12-07 23:05 ` Alexander Popov
2017-12-12 0:09 ` Dmitry V. Levin [this message]
2017-12-15 15:28 ` [kernel-hardening] " Alexander Popov
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 3/6] x86/entry: Erase kernel stack in syscall_trace_enter() Alexander Popov
2017-12-06 21:12 ` Dmitry V. Levin
2017-12-11 22:38 ` Alexander Popov
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 4/6] lkdtm: Add a test for STACKLEAK Alexander Popov
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 5/6] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2017-12-06 19:22 ` [kernel-hardening] " Laura Abbott
2017-12-06 20:40 ` Kees Cook
2017-12-06 23:06 ` Laura Abbott
2017-12-07 22:58 ` Alexander Popov
2017-12-07 7:09 ` Alexander Popov
2017-12-07 20:47 ` Tobin C. Harding
2017-12-05 23:33 ` [kernel-hardening] [PATCH RFC v6 6/6] doc: self-protection: Add information about STACKLEAK feature Alexander Popov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171212000912.GA10256@altlinux.org \
--to=ldv@altlinux.org \
--cc=a.p.zijlstra@chello.nl \
--cc=alex.popov@linux.com \
--cc=ard.biesheuvel@linaro.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox