Re: [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector

Re: [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector

[Nathan Chancellor]

On Thu, Oct 21, 2021 at 04:25:16PM +0200, Ard Biesheuvel wrote:
> Currently, we implement the per-task stack protector for ARM using a GCC
> plugin, due to lack of native compiler support. However, work is
> underway to get this implemented in the compiler, which means we will be
> able to deprecate the GCC plugin at some point.
> 
> In the meantime, we will need to support both, where the native compiler
> implementation is obviously preferred. So let's wire this up in Kconfig
> and the Makefile.
> 
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

I see this patch in the KSPP tree as commit 151bbc8be85e ("ARM:
stackprotector: prefer compiler for TLS based per-task protector"),
which breaks booting aspeed_g5_defconfig in QEMU with clang-14. It seems
like this patch depends on Ard's patch "ARM: decompressor: disable stack
protector" [1]; applying that on top of next-20220125 allows me to boot
again.

This patch is still queued up in Russell's devel-stable branch as
commit f05eb1d24eb5 ("ARM: stackprotector: prefer compiler for TLS based
per-task protector") so perhaps this patch should be dropped from the
KSPP tree? I assume once Ard's recent fixes series [2] is applied to
devel-stable, it will be added back to for-next?

[1]: https://lore.kernel.org/r/20220124174744.1054712-9-ardb@kernel.org/
[2]: https://lore.kernel.org/r/20220125091453.1475246-1-ardb@kernel.org/

Cheers,
Nathan

Re: [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector

[Ard Biesheuvel]

On Tue, 25 Jan 2022 at 19:50, Nathan Chancellor <nathan@kernel.org> wrote:
>
> On Thu, Oct 21, 2021 at 04:25:16PM +0200, Ard Biesheuvel wrote:
> > Currently, we implement the per-task stack protector for ARM using a GCC
> > plugin, due to lack of native compiler support. However, work is
> > underway to get this implemented in the compiler, which means we will be
> > able to deprecate the GCC plugin at some point.
> >
> > In the meantime, we will need to support both, where the native compiler
> > implementation is obviously preferred. So let's wire this up in Kconfig
> > and the Makefile.
> >
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>
> I see this patch in the KSPP tree as commit 151bbc8be85e ("ARM:
> stackprotector: prefer compiler for TLS based per-task protector"),
> which breaks booting aspeed_g5_defconfig in QEMU with clang-14. It seems
> like this patch depends on Ard's patch "ARM: decompressor: disable stack
> protector" [1]; applying that on top of next-20220125 allows me to boot
> again.
>
> This patch is still queued up in Russell's devel-stable branch as
> commit f05eb1d24eb5 ("ARM: stackprotector: prefer compiler for TLS based
> per-task protector") so perhaps this patch should be dropped from the
> KSPP tree? I assume once Ard's recent fixes series [2] is applied to
> devel-stable, it will be added back to for-next?
>
> [1]: https://lore.kernel.org/r/20220124174744.1054712-9-ardb@kernel.org/
> [2]: https://lore.kernel.org/r/20220125091453.1475246-1-ardb@kernel.org/
>

Yeah. better drop it from KSPP.

The problem is that the compiler version of the per-task
stackprotector feature does not get disabled when building the
decompressor, which means it ends up dereferencing bogus TLS register
values.

Re: [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector

[Kees Cook]

On Tue, Jan 25, 2022 at 07:55:37PM +0100, Ard Biesheuvel wrote:
> On Tue, 25 Jan 2022 at 19:50, Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > On Thu, Oct 21, 2021 at 04:25:16PM +0200, Ard Biesheuvel wrote:
> > > Currently, we implement the per-task stack protector for ARM using a GCC
> > > plugin, due to lack of native compiler support. However, work is
> > > underway to get this implemented in the compiler, which means we will be
> > > able to deprecate the GCC plugin at some point.
> > >
> > > In the meantime, we will need to support both, where the native compiler
> > > implementation is obviously preferred. So let's wire this up in Kconfig
> > > and the Makefile.
> > >
> > > Cc: Kees Cook <keescook@chromium.org>
> > > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> >
> > I see this patch in the KSPP tree as commit 151bbc8be85e ("ARM:
> > stackprotector: prefer compiler for TLS based per-task protector"),
> > which breaks booting aspeed_g5_defconfig in QEMU with clang-14. It seems
> > like this patch depends on Ard's patch "ARM: decompressor: disable stack
> > protector" [1]; applying that on top of next-20220125 allows me to boot
> > again.
> >
> > This patch is still queued up in Russell's devel-stable branch as
> > commit f05eb1d24eb5 ("ARM: stackprotector: prefer compiler for TLS based
> > per-task protector") so perhaps this patch should be dropped from the
> > KSPP tree? I assume once Ard's recent fixes series [2] is applied to
> > devel-stable, it will be added back to for-next?
> >
> > [1]: https://lore.kernel.org/r/20220124174744.1054712-9-ardb@kernel.org/
> > [2]: https://lore.kernel.org/r/20220125091453.1475246-1-ardb@kernel.org/
> >
> 
> Yeah. better drop it from KSPP.
> 
> The problem is that the compiler version of the per-task
> stackprotector feature does not get disabled when building the
> decompressor, which means it ends up dereferencing bogus TLS register
> values.

Ooh! Whoops, sorry. Dropping.

-- 
Kees Cook