From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 63965C433EF for ; Thu, 12 May 2022 09:16:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=8boCVdmq91+Z3N2jMWQ+NHJ6LaVBLZJrCKrZLy1F6m0=; b=Zz7e+3jJmZk4oN roqIH4zTiXBxtVbYTON/kW1KEhyYRZfeQ2UO8g+l9CbrxZRda9tC4AcN+F3+CyS495LwbgOkI6gFO 5yyOFVuC/KC32KXwftV+H/24Lo0+1QgzNf+xLb3FTT9y3vh75OPTe7tIt3OeMTa4KupJ1zwveeMJ/ 9Xhpinc0loppvramD7Zpz+UKawcg46RMEqKPW9CBl+azgoAQfaqJq8bCPAeHmLpi9A+3JMxUctXBp 7O++eYXpjPUX3vp1MXvh+sw6SbXTKMam4hpyQi9PuAvz9Lkiw6NKBghRaeeCrVMrSQlRA3oQKOT+d 12Dk3Jd2EMGl0PNgwCKQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1np4uc-00B7sf-2B; Thu, 12 May 2022 09:15:10 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1np4uY-00B7r0-OU for linux-arm-kernel@lists.infradead.org; Thu, 12 May 2022 09:15:08 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BE739106F; Thu, 12 May 2022 02:15:01 -0700 (PDT) Received: from FVFF77S0Q05N (unknown [10.57.5.172]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4A36F3F73D; Thu, 12 May 2022 02:15:00 -0700 (PDT) Date: Thu, 12 May 2022 10:14:53 +0100 From: Mark Rutland To: Kees Cook Cc: Alexander Popov , linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check Message-ID: References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com> <202205101958.2A33DE20@keescook> <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220512_021506_934334_9CACD997 X-CRM114-Status: GOOD ( 31.33 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, May 11, 2022 at 07:44:41AM -0700, Kees Cook wrote: > > > On May 11, 2022 1:02:45 AM PDT, Mark Rutland wrote: > >On Tue, May 10, 2022 at 08:00:38PM -0700, Kees Cook wrote: > >> On Tue, May 10, 2022 at 12:46:48PM +0100, Mark Rutland wrote: > >> > On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote: > >> > > On 27.04.2022 20:31, Mark Rutland wrote: > >> > > > In __stackleak_erase() we check that the `erase_low` value derived from > >> > > > `current->lowest_stack` is above the lowest legitimate stack pointer > >> > > > value, but this is already enforced by stackleak_track_stack() when > >> > > > recording the lowest stack value. > >> > > > > >> > > > Remove the redundant check. > >> > > > > >> > > > There should be no functional change as a result of this patch. > >> > > > >> > > Mark, I can't agree here. I think this check is important. > >> > > The performance profit from dropping it is less than the confidence decrease :) > >> > > > >> > > With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't > >> > > overwrite some wrong kernel memory, but simply clears the whole thread > >> > > stack, which is safe behavior. > >> > > >> > If you feel strongly about it, I can restore the check, but I struggle to > >> > believe that it's worthwhile. The `lowest_stack` value lives in the > >> > task_struct, and if you have the power to corrupt that you have the power to do > >> > much more interesting things. > >> > > >> > If we do restore it, I'd like to add a big fat comment explaining the > >> > rationale (i.e. that it only matter if someone could corrupt > >> > `current->lowest_stack`, as otherwise that's guarnateed to be within bounds). > >> > >> Yeah, let's restore it and add the comment. While I do agree it's likely > >> that such an corruption would likely mean an attacker had significant > >> control over kernel memory already, it is not uncommon that an attack > >> only has a limited index from a given address, etc. Or some manipulation > >> is possible via weird gadgets, etc. It's unlikely, but not impossible, > >> and a bounds-check for that value is cheap compared to the rest of the > >> work happening. :) > > > >Fair enough; I can go spin a patch restoring this. I'm somewhat unhappy with > >silently fixing that up, though -- IMO it'd be better to BUG() or similar in > >that case. > > I share your desires, and this was exactly what Alexander originally proposed, but Linus rejected it violently. :( > https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/ I see. :/ Thinking about this some more, if we assume someone can corrupt *some* word of memory, then we need to consider that instead of corrupting task_struct::lowest_stack, they could corrupt task_struct::stack (or x86's cpu_current_top_of_stack prior to this series). With that in mind, if we detect that task_struct::lowest_stack is out-of-bounds, we have no idea whether it has been corrupted or the other bound values have been corrupted, and so we can't do the erase safely anyway. So AFAICT we must *avoid* erasing when that goes wrong. Maybe we could WARN() instead of BUG()? Thanks, Mark. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel