From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 14 Jul 2016 00:48:42 -0500
From: Josh Poimboeuf
To: Kees Cook
Cc: Andy Lutomirski, linux-kernel@vger.kernel.org, Rik van Riel, Casey Schaufler, PaX Team, Brad Spengler, Russell King, Catalin Marinas, Will Deacon, Ard Biesheuvel, Benjamin Herrenschmidt, Michael Ellerman, Tony Luck, Fenghua Yu, David S. Miller, X86 ML, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Borislav Petkov, Mathias Krause, Jan Kara, Vitaly Wool, Andrea Arcangeli, Dmitry Vyukov, Laura Abbott, linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, sparclinux, linux-arch, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2 01/11] mm: Implement stack frame object validation
Message-ID: <20160714054842.6zal5rqawpgew26r@treble>
References: <1468446964-22213-1-git-send-email-keescook@chromium.org> <1468446964-22213-2-git-send-email-keescook@chromium.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
User-Agent: Mutt/1.6.0.1 (2016-04-01)
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 13, 2016 at 03:04:26PM -0700, Kees Cook wrote:
> On Wed, Jul 13, 2016 at 3:01 PM, Andy Lutomirski wrote:
> > On Wed, Jul 13, 2016 at 2:55 PM, Kees Cook wrote:
> >> This creates per-architecture function arch_within_stack_frames() that
> >> should validate if a given object is contained by a kernel stack frame.
> >> Initial implementation is on x86.
> >>
> >> This is based on code from PaX.
> >>
> >
> > This, along with Josh's livepatch work, are two examples of unwinders
> > that matter for correctness instead of just debugging. ISTM this
> > should just use Josh's code directly once it's been written.
>
> Do you have a URL for Josh's code? I'd love to see what's happening there.

The code is actually going to be 100% different next time around, but
FWIW, here's the last attempt:

  https://lkml.kernel.org/r/4d34d452bf8f85c7d6d5f93db1d3eeb4cba335c7.1461875890.git.jpoimboe@redhat.com

In the meantime I've realized the need to rewrite the x86 core stack
walking code to something much more manageable so we don't need all
these unwinders everywhere.  I'll probably post the patches in the next
week or so.  I'll add you to the CC list.

With the new interface I think you'll be able to do something like:

	struct unwind_state state;

	unwind_start(&state, current, NULL, NULL);

	unwind_next_frame(&state);
	oldframe = unwind_get_stack_pointer(&state);

	unwind_next_frame(&state);
	frame = unwind_get_stack_pointer(&state);

	do {
		if (obj + len <= frame)
			return blah;
		oldframe = frame;
		frame = unwind_get_stack_pointer(&state);
	} while (unwind_next_frame(&state));

And then at the end there'll be some (still TBD) way to query whether it
reached the last syscall pt_regs frame, or if it instead encountered a
bogus frame pointer along the way and had to bail early.
-- 
Josh
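The check the thread is discussing, as an added example that is not code from this message, from Kees's patch, from the kernel or from PaX: a user-space C simulation of the frame-pointer walk behind arch_within_stack_frames(). The real x86 implementation obtains its starting frames with __builtin_frame_address() and walks the task's actual stack; here the stack is a constructed array (sim_stack) holding three hand-built frames chained through their saved frame pointers, the frame layout assumed is the x86-64 one (saved bp, then saved ip, args and locals above), and within_stack_frames(), build_frames() and check_words() are hypothetical names. The walk accepts an object only if it sits in the args/locals window of exactly one frame, rejects ranges that run over a saved bp/ip pair, past the last frame or off the stack, and bails out on a frame-pointer chain that does not move towards higher addresses instead of looping forever.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts, following the convention the usercopy check uses. */
enum frame_check { BAD_STACK = -1, NOT_STACK = 0, GOOD_FRAME = 1 };

/*
 * Walk a frame-pointer chain upwards from 'oldframe' (the frame of the
 * function that called the checker) and decide whether [obj, obj + len)
 * lies entirely inside the args/locals window of exactly one frame:
 *
 *   low ---------------------------------------------------------> high
 *   [saved bp][saved ip][args][local vars][saved bp][saved ip] ...
 *   ^ oldframe          ^-- allowed window --^ frame
 *
 * Hypothetical name; this is a simulation and never reads the real stack.
 */
static enum frame_check within_stack_frames(const void *stack, const void *stackend,
                                            const void *oldframe,
                                            const void *obj, size_t len)
{
    uintptr_t lo = (uintptr_t)stack, hi = (uintptr_t)stackend;
    uintptr_t o = (uintptr_t)obj, old = (uintptr_t)oldframe, frame;

    if (o + len < o)                    /* wrapping range */
        return BAD_STACK;
    if (o + len <= lo || o >= hi)       /* not on this stack at all */
        return NOT_STACK;
    if (o < lo || o + len > hi)         /* straddles a stack boundary */
        return BAD_STACK;
    if (old < lo || old + sizeof(void *) > hi)
        return BAD_STACK;               /* starting frame pointer is off-stack */

    frame = *(const uintptr_t *)old;    /* saved frame pointer of the caller */
    while (lo <= frame && frame < hi) {
        if (frame <= old)               /* bogus chain: must move to higher addresses */
            return BAD_STACK;
        if (o + len <= frame)           /* obj ends inside this frame's window... */
            return o >= old + 2 * sizeof(void *) ? GOOD_FRAME : BAD_STACK;
        old = frame;                    /* ...otherwise look at the next frame up */
        frame = *(const uintptr_t *)frame;
    }
    return BAD_STACK;                   /* chain ended before enclosing obj */
}

#define STACK_WORDS 64
static uintptr_t sim_stack[STACK_WORDS];   /* constructed stand-in for a kernel stack */
static char      not_stack[32];            /* constructed off-stack buffer */

/*
 * Lay out three chained frames in sim_stack (word indices):
 *   60: outer frame  (e.g. syscall entry); its saved bp is NULL, ending the chain
 *   40: middle frame (the function issuing the copy); words 42..59 are outer's locals
 *   20: inner frame  (the checker); words 22..39 are middle's locals
 * With corrupt != 0 the middle frame's saved bp points back down the stack.
 */
static uintptr_t *build_frames(int corrupt)
{
    uintptr_t *fp_outer = &sim_stack[60], *fp_mid = &sim_stack[40], *fp_inner = &sim_stack[20];

    memset(sim_stack, 0, sizeof sim_stack);
    fp_outer[0] = 0;                                         fp_outer[1] = 0xdead0001u; /* fake return address */
    fp_mid[0]   = corrupt ? (uintptr_t)fp_inner : (uintptr_t)fp_outer; fp_mid[1] = 0xdead0002u;
    fp_inner[0] = (uintptr_t)fp_mid;                         fp_inner[1] = 0xdead0003u;
    return fp_inner;
}

/* Check 'words' words starting at word index 'idx' of the simulated stack. */
static enum frame_check check_words(size_t idx, size_t words, int corrupt)
{
    uintptr_t *fp = build_frames(corrupt);
    return within_stack_frames(sim_stack, sim_stack + STACK_WORDS, fp,
                               &sim_stack[idx], words * sizeof(uintptr_t));
}

int main(void)
{
    static const char *name[] = { "BAD_STACK", "NOT_STACK", "GOOD_FRAME" };
    struct { const char *what; enum frame_check r; } cases[] = {
        { "local of the copying function",       check_words(25, 8, 0) },
        { "local of its caller (two frames up)", check_words(45, 8, 0) },
        { "runs over a saved bp/ip pair",        check_words(30, 16, 0) },
        { "the saved bp itself",                 check_words(40, 1, 0) },
        { "below the checker's own frame",       check_words(10, 1, 0) },
        { "past the last frame",                 check_words(62, 1, 0) },
        { "off the end of the stack",            check_words(62, 4, 0) },
        { "bogus frame-pointer chain",           check_words(45, 8, 1) },
        { "not a stack object at all",
          within_stack_frames(sim_stack, sim_stack + STACK_WORDS, build_frames(0),
                              not_stack, sizeof not_stack) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s -> %s\n", cases[i].what, name[cases[i].r + 1]);
    return 0;
}
```

The monotonicity test (frame <= old) is what turns a corrupted or forged saved frame pointer into an early BAD_STACK rather than an endless walk; an unwinder-based version of the check would get the same information from the unwinder's own "did this end at the entry pt_regs or did it bail" state that the message describes as still to be designed. Note also that the window starts two words above the lower frame pointer, so a copy that touches a saved bp or return address is rejected even when it otherwise lies between two valid frames.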