[kernel-hardening] Re: [PATCH RFC v3 1/1] gcc-plugins: Add stackleak feature erasing the kernel stack at the end of syscalls

kernel-hardening.lists.openwall.com archive mirror
 help / color / mirror / Atom feed

From: Alexander Popov <alex.popov@linux.com>
To: Tycho Andersen <tycho@docker.com>, Kees Cook <keescook@chromium.org>
Cc: "kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	PaX Team <pageexec@freemail.hu>,
	Brad Spengler <spender@grsecurity.net>,
	Laura Abbott <labbott@redhat.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	"x86@kernel.org" <x86@kernel.org>,
	Andy Lutomirski <luto@amacapital.net>
Subject: [kernel-hardening] Re: [PATCH RFC v3 1/1] gcc-plugins: Add stackleak feature erasing the kernel stack at the end of syscalls
Date: Fri, 29 Sep 2017 00:17:25 +0300	[thread overview]
Message-ID: <f1e8d1f3-a7fc-553c-f892-02a09e859248@linux.com> (raw)
In-Reply-To: <a2f61f3d-9c94-f44f-32e3-9563ecccee89@linux.com>

On 21.09.2017 16:26, Alexander Popov wrote:
> On 20.09.2017 17:13, Tycho Andersen wrote:
>> On Wed, Sep 20, 2017 at 02:27:05PM +0300, Alexander Popov wrote:
>>>> +/*
>>>> + * Note that the way this test fails is kind of ugly; it hits the BUG() in
>>>> + * track_stack, but then the BUG() handler blows the stack and hits the stack
>>>> + * guard page.
>>>> + */
>>>
>>> Yes, actually, the reason is deeper.
>>>
>>> When there are less than (THREAD_SIZE / 16) bytes left in the kernel stack, the
>>> BUG() in track_stack() is hit. But do_error_trap(), which handles the invalid
>>> opcode, has a big stack frame. So it is instrumented by the STACKLEAK gcc plugin
>>> and itself calls track_stack() at the beginning. Hence we have a recursive
>>> BUG(), which eventually hits the guard page.
>>>
>>> I banned the instrumentation of do_error_trap() in the plugin, but it didn't
>>> really help, since there are several other instrumented functions called during
>>> BUG() handling.
>>>
>>> So it seems to me that this BUG() in track_stack() is really useless and can be
>>> dropped. Moreover:
>>>  - it is not a part of the PaX patch;
>>>  - it never worked in Grsecurity kernel because of the error spotted by Tycho.
>>>
>>> What do you think about it?
>>
>> We'll only have a stack guard page in the case of vmap stack, so maybe
> 
> Thanks, that's an important aspect.
> 
>> we can do:
>>
>> diff --git a/fs/exec.c b/fs/exec.c
>> index 8333c4dce59b..8351369cd1e4 100644
>> --- a/fs/exec.c
>> +++ b/fs/exec.c
>> @@ -1960,7 +1960,8 @@ void __used track_stack(void)
>>  		current->thread.lowest_stack = sp;
>>  	}
>>  
>> -	if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE / 16)))
>> +	if (!IS_ENABLED(CONFIG_VMAP_STACK) &&
>> +	    unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE / 16)))
>>  		BUG();
>>  }
>>  EXPORT_SYMBOL(track_stack);
> 
> In that case the recursive BUG() in track_stack() will happen anyway. You know,
> I would better make CONFIG_GCC_PLUGIN_STACKLEAK depend on CONFIG_VMAP_STACK.

That turned out to be a bad idea. Unfortunately, VMAP_STACK is not available on
x86_32, but STACKLEAK works on that platform. So I'll put the check behind
#ifdef. Maybe having it is better than having a silent stack overflow.

Best regards,
Alexander

next prev parent reply	other threads:[~2017-09-28 21:17 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-12 18:17 [kernel-hardening] [PATCH RFC v3 1/1] gcc-plugins: Add stackleak feature erasing the kernel stack at the end of syscalls Alexander Popov
2017-07-14 21:44 ` [kernel-hardening] " Laura Abbott
2017-07-24 12:15   ` Alexander Popov
2017-08-15  3:38 ` Tycho Andersen
2017-08-16 20:47   ` Alexander Popov
2017-08-16 21:16     ` Tycho Andersen
2017-08-16 22:16       ` Kees Cook
2017-08-17 17:58         ` Tycho Andersen
2017-09-20 11:27           ` Alexander Popov
2017-09-20 14:13             ` Tycho Andersen
2017-09-21 13:26               ` Alexander Popov
2017-09-28 21:17                 ` Alexander Popov [this message]
2017-09-20 21:18             ` Tycho Andersen
2017-09-21 19:39               ` Alexander Popov
2017-09-25 16:17                 ` Alexander Popov
2017-09-25 17:23                   ` Tycho Andersen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f1e8d1f3-a7fc-553c-f892-02a09e859248@linux.com \
    --to=alex.popov@linux.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=luto@amacapital.net \
    --cc=mark.rutland@arm.com \
    --cc=pageexec@freemail.hu \
    --cc=spender@grsecurity.net \
    --cc=tycho@docker.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).