From: Alexander Popov <alex.popov@linux.com>
To: kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Ingo Molnar <mingo@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S . Miller" <davem@davemloft.net>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
alex.popov@linux.com
Subject: [PATCH RFC v9 7/7] doc: self-protection: Add information about STACKLEAK feature
Date: Sat, 3 Mar 2018 23:00:32 +0300 [thread overview]
Message-ID: <1520107232-14111-8-git-send-email-alex.popov@linux.com> (raw)
In-Reply-To: <1520107232-14111-1-git-send-email-alex.popov@linux.com>
Add information about STACKLEAK feature to "Stack depth overflow" and
"Memory poisoning" sections of self-protection.rst.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
---
Documentation/security/self-protection.rst | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
index 0f53826..b685f18 100644
--- a/Documentation/security/self-protection.rst
+++ b/Documentation/security/self-protection.rst
@@ -165,10 +165,15 @@ Stack depth overflow
A less well understood attack is using a bug that triggers the
kernel to consume stack memory with deep function calls or large stack
allocations. With this attack it is possible to write beyond the end of
-the kernel's preallocated stack space and into sensitive structures. Two
-important changes need to be made for better protections: moving the
-sensitive thread_info structure elsewhere, and adding a faulting memory
-hole at the bottom of the stack to catch these overflows.
+the kernel's preallocated stack space and into sensitive structures.
+The combination of the following measures gives better protection:
+
+* moving the sensitive thread_info structure off the stack
+ (``CONFIG_THREAD_INFO_IN_TASK``);
+* adding a faulting memory hole at the bottom of the stack to catch
+ these overflows (``CONFIG_VMAP_STACK``);
+* runtime checking that alloca() calls don't overstep the stack boundary
+ (``CONFIG_GCC_PLUGIN_STACKLEAK``).
Heap memory integrity
---------------------
@@ -302,11 +307,11 @@ sure structure holes are cleared.
Memory poisoning
----------------
-When releasing memory, it is best to poison the contents (clear stack on
-syscall return, wipe heap memory on a free), to avoid reuse attacks that
-rely on the old contents of memory. This frustrates many uninitialized
-variable attacks, stack content exposures, heap content exposures, and
-use-after-free attacks.
+When releasing memory, it is best to poison the contents, to avoid reuse
+attacks that rely on the old contents of memory. E.g., clear stack on a
+syscall return (``CONFIG_GCC_PLUGIN_STACKLEAK``), wipe heap memory on a
+free. This frustrates many uninitialized variable attacks, stack content
+exposures, heap content exposures, and use-after-free attacks.
Destination tracking
--------------------
--
2.7.4
next prev parent reply other threads:[~2018-03-03 20:00 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-03 20:00 [PATCH RFC v9 0/7] Introduce the STACKLEAK feature and a test for it Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 1/7] gcc-plugins: Clean up the cgraph_create_edge* macros Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 2/7] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2018-03-05 16:41 ` Dave Hansen
2018-03-05 19:43 ` Laura Abbott
2018-03-05 19:50 ` Dave Hansen
2018-03-05 20:25 ` Peter Zijlstra
2018-03-05 21:21 ` Alexander Popov
2018-03-05 21:36 ` Kees Cook
2018-03-21 11:04 ` Alexander Popov
2018-03-21 15:33 ` Dave Hansen
2018-03-22 20:56 ` Alexander Popov
2018-03-26 17:32 ` Kees Cook
2018-03-26 17:43 ` Andy Lutomirski
2018-03-03 20:00 ` [PATCH RFC v9 3/7] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 4/7] x86/entry: Erase kernel stack in syscall_trace_enter() Alexander Popov
2018-03-05 19:40 ` Dave Hansen
2018-03-05 20:06 ` Kees Cook
2018-03-05 20:15 ` Linus Torvalds
2018-03-05 21:02 ` Alexander Popov
2018-03-05 21:02 ` Kees Cook
2018-03-05 21:40 ` Linus Torvalds
2018-03-05 22:07 ` Linus Torvalds
2018-03-06 0:56 ` Kees Cook
2018-03-06 4:30 ` Linus Torvalds
2018-03-06 17:58 ` Andy Lutomirski
2018-03-06 7:56 ` [OLD PATCH] net: recvmsg: Unconditionally zero struct sockaddr_storage " Ingo Molnar
2018-03-06 7:56 ` Ingo Molnar
2018-03-06 8:08 ` Ingo Molnar
2018-03-06 15:16 ` Daniel Micay
2018-03-06 15:28 ` Daniel Micay
2018-03-06 18:56 ` Linus Torvalds
2018-03-06 19:07 ` Peter Zijlstra
2018-03-06 19:07 ` Ard Biesheuvel
2018-03-06 19:16 ` Linus Torvalds
2018-03-06 20:42 ` Arnd Bergmann
2018-03-06 21:01 ` Linus Torvalds
2018-03-06 21:21 ` Arnd Bergmann
2018-03-06 21:29 ` Linus Torvalds
2018-03-06 22:09 ` Arnd Bergmann
2018-03-06 22:24 ` Linus Torvalds
2018-03-06 21:36 ` Steven Rostedt
2018-03-06 21:41 ` Linus Torvalds
2018-03-06 21:47 ` Linus Torvalds
2018-03-06 22:29 ` Steven Rostedt
2018-03-06 22:41 ` Linus Torvalds
2018-03-06 22:52 ` Steven Rostedt
2018-03-06 23:09 ` Linus Torvalds
2018-03-12 8:22 ` Ingo Molnar
2018-03-12 9:00 ` Ard Biesheuvel
2018-03-12 9:21 ` Ingo Molnar
2018-03-06 21:47 ` Arnd Bergmann
2018-03-06 22:19 ` Linus Torvalds
2018-03-05 20:26 ` Peter Zijlstra
2018-03-03 20:00 ` [PATCH RFC v9 5/7] lkdtm: Add a test for STACKLEAK Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 6/7] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2018-03-03 20:00 ` Alexander Popov [this message]
2018-03-05 19:34 ` [PATCH RFC v9 0/7] Introduce the STACKLEAK feature and a test for it Kees Cook
2018-03-05 19:42 ` Dave Hansen
2018-03-05 20:02 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520107232-14111-8-git-send-email-alex.popov@linux.com \
--to=alex.popov@linux.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=dsafonov@virtuozzo.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jbacik@fb.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=labbott@redhat.com \
--cc=ldv@altlinux.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=me@kylehuey.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=minipli@googlemail.com \
--cc=npiggin@gmail.com \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=richard.sandiford@arm.com \
--cc=rostedt@goodmis.org \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=tycho@tycho.ws \
--cc=vikas.shivappa@linux.intel.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.