From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Alexander Popov <alex.popov@linux.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S . Miller" <davem@davemloft.net>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
X86 ML <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [OLD PATCH] net: recvmsg: Unconditionally zero struct sockaddr_storage Re: [PATCH RFC v9 4/7] x86/entry: Erase kernel stack in syscall_trace_enter()
Date: Tue, 6 Mar 2018 08:56:07 +0100 [thread overview]
Message-ID: <20180306075607.57t7eab2zkquhssm@gmail.com> (raw)
In-Reply-To: <CAGXu5jJaTR25zZp5sGqc6m3nv3AunYhEZhxtB_JuP2WFbv_pfg@mail.gmail.com>
* Kees Cook <keescook@chromium.org> wrote:
> In defense of the series, it's hardly "mindless". :) The primary
> feature is that it has run-time tracking of stack depth to clear only
> the minimum needed portion of the stack.
The stack-tracer has been able to do that for years, right?
> > And it doesn't necessarily generate any worse code.
>
> I agree, though some performance-sensitive subsystem (e.g. networking)
> get very defensive about an always-on stack initialization[2].
> [2] Both these cases, and so many more, are solved with the byref
> initialization plugin, but have been NAKed by -net:
> https://lkml.org/lkml/2013/4/9/641
> https://lkml.org/lkml/2017/10/31/699
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2188,6 +2188,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
> struct sockaddr __user *uaddr;
> int __user *uaddr_len = COMPAT_NAMELEN(msg);
>
> + memset(&addr, 0, sizeof(addr));
> msg_sys->msg_name = &addr;
>
> if (MSG_CMSG_COMPAT & flags)
In defense of DaveM and Eric, that networking patch is just pure, utter garbage
and I'll NACK it just as much: it adds an unconditional 128-byte memset() to a hot
path!!
NACKed-by: Ingo Molnar <mingo@kernel.org>
The changelog is also infuriatingly misleading:
> Some protocols do not correctly wipe the contents of the on-stack
> struct sockaddr_storage sent down into recvmsg() (e.g. SCTP), and leak
> kernel stack contents to userspace. This wipes it unconditionally before
> per-protocol handlers run.
>
> Note that leaks like this are mitigated by building with
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
It's just a scary, passive-aggressive lie about "some protocols" and ignores the
desired case where all protocol handlers are correctly implemented.
Did you *really* expect this patch to be applied? The on-stack struct clearing GCC
plugins (CONFIG_GCC_PLUGIN_STRUCTLEAK*=y) are a nice feature which fix a bad
oversight in the C standard, but this particular unconditional memset() patch is
just garbage.
Also, this characterization of the patch review process of the networking
subsystem:
> though some performance-sensitive subsystem (e.g. networking)
> get very defensive about an always-on stack initialization[2].
... is thus very unfair as well: they didn't NAK or resist the
CONFIG_GCC_PLUGIN_STRUCTLEAK* compiler feature at all, they NAK-ed a poorly
thought out, unconditional memset() which adds unconditional overhead, which is
their job to NAK!
Please refrain from using such unfair pressure tactics to get harebrained security
patches upstream...
Thanks,
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Alexander Popov <alex.popov@linux.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
X86 ML <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [OLD PATCH] net: recvmsg: Unconditionally zero struct sockaddr_storage Re: [PATCH RFC v9 4/7] x86/entry: Erase kernel stack in syscall_trace_enter()
Date: Tue, 6 Mar 2018 08:56:07 +0100 [thread overview]
Message-ID: <20180306075607.57t7eab2zkquhssm@gmail.com> (raw)
In-Reply-To: <CAGXu5jJaTR25zZp5sGqc6m3nv3AunYhEZhxtB_JuP2WFbv_pfg@mail.gmail.com>
* Kees Cook <keescook@chromium.org> wrote:
> In defense of the series, it's hardly "mindless". :) The primary
> feature is that it has run-time tracking of stack depth to clear only
> the minimum needed portion of the stack.
The stack-tracer has been able to do that for years, right?
> > And it doesn't necessarily generate any worse code.
>
> I agree, though some performance-sensitive subsystem (e.g. networking)
> get very defensive about an always-on stack initialization[2].
> [2] Both these cases, and so many more, are solved with the byref
> initialization plugin, but have been NAKed by -net:
> https://lkml.org/lkml/2013/4/9/641
> https://lkml.org/lkml/2017/10/31/699
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2188,6 +2188,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
> struct sockaddr __user *uaddr;
> int __user *uaddr_len = COMPAT_NAMELEN(msg);
>
> + memset(&addr, 0, sizeof(addr));
> msg_sys->msg_name = &addr;
>
> if (MSG_CMSG_COMPAT & flags)
In defense of DaveM and Eric, that networking patch is just pure, utter garbage
and I'll NACK it just as much: it adds an unconditional 128-byte memset() to a hot
path!!
NACKed-by: Ingo Molnar <mingo@kernel.org>
The changelog is also infuriatingly misleading:
> Some protocols do not correctly wipe the contents of the on-stack
> struct sockaddr_storage sent down into recvmsg() (e.g. SCTP), and leak
> kernel stack contents to userspace. This wipes it unconditionally before
> per-protocol handlers run.
>
> Note that leaks like this are mitigated by building with
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
It's just a scary, passive-aggressive lie about "some protocols" and ignores the
desired case where all protocol handlers are correctly implemented.
Did you *really* expect this patch to be applied? The on-stack struct clearing GCC
plugins (CONFIG_GCC_PLUGIN_STRUCTLEAK*=y) are a nice feature which fix a bad
oversight in the C standard, but this particular unconditional memset() patch is
just garbage.
Also, this characterization of the patch review process of the networking
subsystem:
> though some performance-sensitive subsystem (e.g. networking)
> get very defensive about an always-on stack initialization[2].
... is thus very unfair as well: they didn't NAK or resist the
CONFIG_GCC_PLUGIN_STRUCTLEAK* compiler feature at all, they NAK-ed a poorly
thought out, unconditional memset() which adds unconditional overhead, which is
their job to NAK!
Please refrain from using such unfair pressure tactics to get harebrained security
patches upstream...
Thanks,
Ingo
next prev parent reply other threads:[~2018-03-06 7:56 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-03 20:00 [PATCH RFC v9 0/7] Introduce the STACKLEAK feature and a test for it Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 1/7] gcc-plugins: Clean up the cgraph_create_edge* macros Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 2/7] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2018-03-05 16:41 ` Dave Hansen
2018-03-05 19:43 ` Laura Abbott
2018-03-05 19:50 ` Dave Hansen
2018-03-05 20:25 ` Peter Zijlstra
2018-03-05 21:21 ` Alexander Popov
2018-03-05 21:36 ` Kees Cook
2018-03-21 11:04 ` Alexander Popov
2018-03-21 15:33 ` Dave Hansen
2018-03-22 20:56 ` Alexander Popov
2018-03-26 17:32 ` Kees Cook
2018-03-26 17:43 ` Andy Lutomirski
2018-03-03 20:00 ` [PATCH RFC v9 3/7] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 4/7] x86/entry: Erase kernel stack in syscall_trace_enter() Alexander Popov
2018-03-05 19:40 ` Dave Hansen
2018-03-05 20:06 ` Kees Cook
2018-03-05 20:15 ` Linus Torvalds
2018-03-05 21:02 ` Alexander Popov
2018-03-05 21:02 ` Kees Cook
2018-03-05 21:40 ` Linus Torvalds
2018-03-05 22:07 ` Linus Torvalds
2018-03-06 0:56 ` Kees Cook
2018-03-06 4:30 ` Linus Torvalds
2018-03-06 17:58 ` Andy Lutomirski
2018-03-06 7:56 ` Ingo Molnar [this message]
2018-03-06 7:56 ` [OLD PATCH] net: recvmsg: Unconditionally zero struct sockaddr_storage " Ingo Molnar
2018-03-06 8:08 ` Ingo Molnar
2018-03-06 15:16 ` Daniel Micay
2018-03-06 15:28 ` Daniel Micay
2018-03-06 18:56 ` Linus Torvalds
2018-03-06 19:07 ` Peter Zijlstra
2018-03-06 19:07 ` Ard Biesheuvel
2018-03-06 19:16 ` Linus Torvalds
2018-03-06 20:42 ` Arnd Bergmann
2018-03-06 21:01 ` Linus Torvalds
2018-03-06 21:21 ` Arnd Bergmann
2018-03-06 21:29 ` Linus Torvalds
2018-03-06 22:09 ` Arnd Bergmann
2018-03-06 22:24 ` Linus Torvalds
2018-03-06 21:36 ` Steven Rostedt
2018-03-06 21:41 ` Linus Torvalds
2018-03-06 21:47 ` Linus Torvalds
2018-03-06 22:29 ` Steven Rostedt
2018-03-06 22:41 ` Linus Torvalds
2018-03-06 22:52 ` Steven Rostedt
2018-03-06 23:09 ` Linus Torvalds
2018-03-12 8:22 ` Ingo Molnar
2018-03-12 9:00 ` Ard Biesheuvel
2018-03-12 9:21 ` Ingo Molnar
2018-03-06 21:47 ` Arnd Bergmann
2018-03-06 22:19 ` Linus Torvalds
2018-03-05 20:26 ` Peter Zijlstra
2018-03-03 20:00 ` [PATCH RFC v9 5/7] lkdtm: Add a test for STACKLEAK Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 6/7] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2018-03-03 20:00 ` [PATCH RFC v9 7/7] doc: self-protection: Add information about STACKLEAK feature Alexander Popov
2018-03-05 19:34 ` [PATCH RFC v9 0/7] Introduce the STACKLEAK feature and a test for it Kees Cook
2018-03-05 19:42 ` Dave Hansen
2018-03-05 20:02 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180306075607.57t7eab2zkquhssm@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=alex.popov@linux.com \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=dsafonov@virtuozzo.com \
--cc=dwmw@amazon.co.uk \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jbacik@fb.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=labbott@redhat.com \
--cc=ldv@altlinux.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=me@kylehuey.com \
--cc=mhiramat@kernel.org \
--cc=minipli@googlemail.com \
--cc=npiggin@gmail.com \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=richard.sandiford@arm.com \
--cc=rostedt@goodmis.org \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=torvalds@linux-foundation.org \
--cc=tycho@tycho.ws \
--cc=vikas.shivappa@linux.intel.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.