From: Kees Cook <keescook@chromium.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>,
    Elena Reshetova <elena.reshetova@intel.com>, x86@kernel.org,
    Andy Lutomirski <luto@kernel.org>,
    Peter Zijlstra <peterz@infradead.org>,
    Catalin Marinas <catalin.marinas@arm.com>,
    Will Deacon <will@kernel.org>,
    Mark Rutland <mark.rutland@arm.com>,
    Alexander Potapenko <glider@google.com>,
    Alexander Popov <alex.popov@linux.com>,
    Ard Biesheuvel <ard.biesheuvel@linaro.org>,
    Jann Horn <jannh@google.com>,
    kernel-hardening@lists.openwall.com,
    linux-hardening@vger.kernel.org,
    linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
    linux-kernel@vger.kernel.org,
    Vlastimil Babka <vbabka@suse.cz>,
    David Hildenbrand <david@redhat.com>,
    Mike Rapoport <rppt@linux.ibm.com>,
    Andrew Morton <akpm@linux-foundation.org>,
    Jonathan Corbet <corbet@lwn.net>,
    Randy Dunlap <rdunlap@infradead.org>
Subject: [PATCH v5 0/7] Optionally randomize kernel stack offset each syscall
Date: Tue, 9 Mar 2021 13:42:54 -0800
Message-ID: <20210309214301.678739-1-keescook@chromium.org>

v5:
- rebase to v5.12-rc2
- clean up static branch issues introduced since v4 series
- adjust comments (Mark Rutland)
- update kernel-parameters.txt (Randy Dunlap)
v4: https://lore.kernel.org/lkml/20200622193146.2985288-1-keescook@chromium.org/
v3: https://lore.kernel.org/lkml/20200406231606.37619-1-keescook@chromium.org/
v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/
rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/

Hi,

This is a continuation and refactoring of Elena's earlier effort to add
kernel stack base offset randomization. In the time since the earlier
discussions, two attacks[1][2] were made public that depended on stack
determinism, so we're no longer in the position of "this is a good idea
but we have no examples of attacks". :)

Earlier discussions also devolved into debates on entropy sources, which
is mostly a red herring, given the already low entropy available due to
stack size. Regardless, entropy can be changed/improved separately from
this series as needed.

Earlier discussions also got stuck debating how much syscall overhead
was too much, but this is also a red herring since the feature itself
needs to be selectable at boot with no cost for those that don't want it:
this is solved here with static branches.

So, here is the latest improved version, made as arch-agnostic as
possible, with usage added for x86 and arm64. It also includes some small
static branch clean ups, and addresses some surprise performance issues
due to the stack canary[3].

At the very least, the first three patches should land ASAP, the first
is a minor bug fix for v5.11. The next two are optimizations for static
branch usage that Peter already Acked. If I can get an Ack from an arm64
maintainer, I think this could all land via -tip to make merging easiest.

Thanks!

-Kees

[1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
[3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/

Kees Cook (7):
  mm: Restore init_on_* static branch defaults
  jump_label: Provide CONFIG-driven build state defaults
  init_on_alloc: Unpessimize default-on builds
  stack: Optionally randomize kernel stack offset each syscall
  x86/entry: Enable random_kstack_offset support
  arm64: entry: Enable random_kstack_offset support
  lkdtm: Add REPORT_STACK for checking stack offsets

 .../admin-guide/kernel-parameters.txt | 11 +++++
 Makefile                              |  4 ++
 arch/Kconfig                          | 23 ++++++++++
 arch/arm64/Kconfig                    |  1 +
 arch/arm64/kernel/Makefile            |  5 +++
 arch/arm64/kernel/syscall.c           | 10 +++++
 arch/x86/Kconfig                      |  1 +
 arch/x86/entry/common.c               |  3 ++
 arch/x86/include/asm/entry-common.h   |  8 ++++
 drivers/misc/lkdtm/bugs.c             | 17 ++++++++
 drivers/misc/lkdtm/core.c             |  1 +
 drivers/misc/lkdtm/lkdtm.h            |  1 +
 include/linux/jump_label.h            | 19 +++++++++
 include/linux/mm.h                    | 10 +++--
 include/linux/randomize_kstack.h      | 42 +++++++++++++++++++
 init/main.c                           | 23 ++++++++++
 mm/page_alloc.c                       |  4 +-
 17 files changed, 177 insertions(+), 6 deletions(-)
 create mode 100644 include/linux/randomize_kstack.h

-- 
2.25.1