From: Alexander Popov <alex.popov@linux.com>
To: Shivappa Vikas <vikas.shivappa@linux.intel.com>,
kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Ingo Molnar <mingo@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S . Miller" <davem@davemloft.net>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
Florian Weimer <fweimer@redhat.com>,
Boris Lukashev <blukashev@sempervictus.com>,
x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC v10 2/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
Date: Fri, 30 Mar 2018 00:34:21 +0300 [thread overview]
Message-ID: <bd2c220b-f449-afbb-0b00-a868c8b33afe@linux.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1803291137150.27913@vshiva-Udesk>
On 29.03.2018 21:38, Shivappa Vikas wrote:
> On Wed, 28 Mar 2018, Alexander Popov wrote:
>
>> + const unsigned long check_depth = STACKLEAK_POISON_CHECK_DEPTH /
>> + sizeof(unsigned long);
>> +
>> + /*
>> + * Let's search for the poison value in the stack.
>> + * Start from the lowest_stack and go to the bottom.
>> + */
>> + while (p > boundary && poison <= check_depth) {
>> + if (*(unsigned long *)p == STACKLEAK_POISON)
>> + poison++;
>> + else
>> + poison = 0;
>> +
>> + p -= sizeof(unsigned long);
>> + }
>> +
>> + /*
>> + * One long int at the bottom of the thread stack is reserved and
>> + * should not be poisoned (see CONFIG_SCHED_STACK_END_CHECK).
>> + */
>> + if (p == boundary)
>> + p += sizeof(unsigned long);
>> +
>> + /*
>> + * So let's write the poison value to the kernel stack.
>> + * Start from the address in p and move up till the new boundary.
>> + */
>> + if (on_thread_stack())
>> + boundary = current_stack_pointer;
>> + else
>> + boundary = current_top_of_stack();
>> +
>> + BUG_ON(boundary - p >= THREAD_SIZE);
>> +
>> + while (p < boundary) {
>> + *(unsigned long *)p = STACKLEAK_POISON;
>> + p += sizeof(unsigned long);
>> + }
>
> Sorry catching up late on this.
Hello Vikas,
You are just in time! Thank you for looking at the code.
> can we use a stosq or something here ? wondering
> if that helps get more performance. since you seem to copy the whole stack with
> the poison value. If that was already discussed sorry for the spam :)
Yes, the previous version of the patch series had this function written in
assembly. It used scasq for the poison searching and then stosq for writing:
http://www.openwall.com/lists/kernel-hardening/2018/03/03/9
That amount of assembly was blamed by the maintainers. So I've done my best to
rework it in C bypassing the pitfalls:
http://www.openwall.com/lists/kernel-hardening/2018/03/21/4
In fact, this implementation is not much slower than the assembly one, since we
erase only the used part of the thread stack. This is achieved by the
lowest_stack variable, which is updated during the syscall (please see the next
patch of the series).
Best regards,
Alexander
next prev parent reply other threads:[~2018-03-29 21:34 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-28 19:57 [PATCH RFC v10 0/6] Introduce the STACKLEAK feature and a test for it Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 1/6] gcc-plugins: Clean up the cgraph_create_edge* macros Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 2/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2018-03-28 22:55 ` Dave Hansen
2018-03-29 6:58 ` Alexander Popov
2018-03-29 13:51 ` Dave Hansen
[not found] ` <CAFUG7Cd7cSqSHCrqxKUFwBBQLuix0Mi5-=V6pq_U7KtFh20Kqg@mail.gmail.com>
2018-03-29 20:56 ` Alexander Popov
2018-03-29 21:00 ` Dave Hansen
[not found] ` <alpine.DEB.2.10.1803291137150.27913@vshiva-Udesk>
2018-03-29 21:34 ` Alexander Popov [this message]
2018-03-28 19:57 ` [PATCH RFC v10 3/6] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 4/6] lkdtm: Add a test for STACKLEAK Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 5/6] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 6/6] doc: self-protection: Add information about STACKLEAK feature Alexander Popov
2018-03-28 20:13 ` [PATCH RFC v10 0/6] Introduce the STACKLEAK feature and a test for it Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bd2c220b-f449-afbb-0b00-a868c8b33afe@linux.com \
--to=alex.popov@linux.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=blukashev@sempervictus.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=dsafonov@virtuozzo.com \
--cc=dwmw@amazon.co.uk \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jbacik@fb.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=labbott@redhat.com \
--cc=ldv@altlinux.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=me@kylehuey.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=minipli@googlemail.com \
--cc=npiggin@gmail.com \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=richard.sandiford@arm.com \
--cc=rostedt@goodmis.org \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=tycho@tycho.ws \
--cc=vikas.shivappa@linux.intel.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox