From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: linux-hardening@vger.kernel.org, thomas.preudhomme@celest.fr,
adhemerval.zanella@linaro.org, Qing Zhao <qing.zhao@oracle.com>,
Richard Sandiford <richard.sandiford@arm.com>,
gcc-patches@gcc.gnu.org, Keith Packard <keithpac@amazon.com>
Subject: Re: [RFC PATCH 0/1] implement TLS register based stack canary for ARM
Date: Thu, 21 Oct 2021 09:46:13 -0700 [thread overview]
Message-ID: <202110210944.D977EBD@keescook> (raw)
In-Reply-To: <CAMj1kXEPRro8LeLhX46VHhbhoytzhu5tpW3T4Tjq5ya1GPOB4g@mail.gmail.com>
On Thu, Oct 21, 2021 at 06:34:04PM +0200, Ard Biesheuvel wrote:
> On Thu, 21 Oct 2021 at 12:23, Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102352
> >
> > In the Linux kernel, user processes calling into the kernel are
> > essentially threads running in the same address space, of a program that
> > never terminates. This means that using a global variable for the stack
> > protector canary value is problematic on SMP systems, as we can never
> > change it unless we reboot the system. (Processes that sleep for any
> > reason will do so on a call into the kernel, which means that there will
> > always be live kernel stack frames carrying copies of the canary taken
> > when the function was entered)
> >
> > AArch64 implements -mstack-protector-guard=sysreg for this purpose, as
> > this permits the kernel to use different memory addresses for the stack
> > canary for each CPU, and context switch the chosen system register with
> > the rest of the process, allowing each process to use its own unique
> > value for the stack canary.
> >
> > This patch implements something similar, but for the 32-bit ARM kernel,
> > which will start using the user space TLS register TPIDRURO to index
> > per-process metadata while running in the kernel. This means we can just
> > add an offset to TPIDRURO to obtain the address from which to load the
> > canary value.
> >
> > The patch is a bit rough around the edges, but produces the correct
> > results as far as I can tell.
>
> This is a lie
LOL.
>
> > However, I couldn't quite figure out how
> > to modify the patterns so that the offset will be moved into the
> > immediate offset field of the LDR instructions, so currently, the ADD of
> > the offset is always a distinct instruction.
> >
>
> ... and this is no longer true now that I fixed the correctness
> problem. I will be sending out a v2 shortly, so please disregard this
> one for now.
Heh, I hadn't even had a chance to test it, so I'll hold off. :)
Thanks!
-Kees
--
Kees Cook
prev parent reply other threads:[~2021-10-21 16:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-21 10:23 [RFC PATCH 0/1] implement TLS register based stack canary for ARM Ard Biesheuvel
2021-10-21 10:23 ` [RFC PATCH 1/1] [ARM] Add support for TLS register based stack protector canary access Ard Biesheuvel
2021-10-21 16:34 ` [RFC PATCH 0/1] implement TLS register based stack canary for ARM Ard Biesheuvel
2021-10-21 16:46 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202110210944.D977EBD@keescook \
--to=keescook@chromium.org \
--cc=adhemerval.zanella@linaro.org \
--cc=ardb@kernel.org \
--cc=gcc-patches@gcc.gnu.org \
--cc=keithpac@amazon.com \
--cc=linux-hardening@vger.kernel.org \
--cc=qing.zhao@oracle.com \
--cc=richard.sandiford@arm.com \
--cc=thomas.preudhomme@celest.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox