Date: Tue, 10 May 2022 20:00:38 -0700
From: Kees Cook
To: Mark Rutland
Cc: Alexander Popov, linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org
Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check
Message-ID: <202205101958.2A33DE20@keescook>
References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com>

On Tue, May 10, 2022 at 12:46:48PM +0100, Mark Rutland wrote:
> On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote:
> > On 27.04.2022 20:31, Mark Rutland wrote:
> > > In __stackleak_erase() we check that the `erase_low` value derived from
> > > `current->lowest_stack` is above the lowest legitimate stack pointer
> > > value, but this is already enforced by stackleak_track_stack() when
> > > recording the lowest stack value.
> > >
> > > Remove the redundant check.
> > >
> > > There should be no functional change as a result of this patch.
> >
> > Mark, I can't agree here. I think this check is important.
> > The performance profit from dropping it is less than the confidence decrease :)
> >
> > With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't
> > overwrite some wrong kernel memory, but simply clears the whole thread
> > stack, which is safe behavior.
>
> If you feel strongly about it, I can restore the check, but I struggle to
> believe that it's worthwhile. The `lowest_stack` value lives in the
> task_struct, and if you have the power to corrupt that you have the power to do
> much more interesting things.
>
> If we do restore it, I'd like to add a big fat comment explaining the
> rationale (i.e. that it only matters if someone could corrupt
> `current->lowest_stack`, as otherwise that's guaranteed to be within bounds).

Yeah, let's restore it and add the comment. While I do agree it's likely that
such a corruption would likely mean an attacker had significant control over
kernel memory already, it is not uncommon that an attack only has a limited
index from a given address, etc. Or some manipulation is possible via weird
gadgets, etc. It's unlikely, but not impossible, and a bounds-check for that
value is cheap compared to the rest of the work happening.
:)

-Kees

-- 
Kees Cook
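The behaviour Alexander describes above (a corrupted `lowest_stack` makes stackleak clear the whole thread stack instead of writing outside it) can be modelled in a few lines. The following is an added example written for this page, not code from the kernel or from any participant in the thread: the thread stack is a plain byte buffer, and `sane_erase_low`, `erase_range`, `run_erase` and the `MODEL_*` constants are this example's own names. It shows why one unsigned comparison against the thread size is enough to catch a recorded value that lies below the stack boundary as well as one that lies above the stack top, and that in both cases the fallback erases exactly the thread's own stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the stackleak erase-pointer sanity check discussed in
 * the thread. It is not the kernel's code; names and sizes are this example's
 * own. The thread stack is a byte buffer whose lowest address is 'boundary'
 * and whose top is boundary + MODEL_THREAD_SIZE; the stack grows downward.
 */

#define MODEL_THREAD_SIZE 4096UL
#define MODEL_POISON      0xcc

static unsigned char model_stack[MODEL_THREAD_SIZE];

static uintptr_t model_boundary(void) { return (uintptr_t)model_stack; }
static uintptr_t model_top(void)      { return model_boundary() + MODEL_THREAD_SIZE; }

/*
 * Clamp a recorded lowest-stack value to an address we can safely erase from.
 * The value is only trustworthy if it came from the tracking code; if anything
 * else has written to it, fall back to 'boundary' so that the whole stack is
 * cleared rather than poison being written outside the stack. Because the
 * subtraction is unsigned, a value below 'boundary' wraps to a huge number,
 * so the single comparison rejects values on either side of the stack.
 */
static uintptr_t sane_erase_low(uintptr_t lowest, uintptr_t boundary,
                                size_t thread_size)
{
    if (lowest - boundary >= thread_size)
        return boundary;
    return lowest;
}

/*
 * Poison [erase_low, erase_high) and return the number of bytes written.
 * 'erase_high' stands in for the stack pointer at the time of the erase.
 */
static size_t erase_range(uintptr_t erase_low, uintptr_t erase_high)
{
    if (erase_high <= erase_low)
        return 0;
    memset((void *)erase_low, MODEL_POISON, erase_high - erase_low);
    return erase_high - erase_low;
}

/*
 * One erase with the given recorded lowest_stack value. The stack pointer is
 * modelled as sitting 256 bytes below the top of the stack. Returns the number
 * of bytes poisoned; every byte lies inside model_stack whatever the input.
 */
static size_t run_erase(uintptr_t recorded_lowest)
{
    uintptr_t sp  = model_top() - 256;
    uintptr_t low = sane_erase_low(recorded_lowest, model_boundary(),
                                   MODEL_THREAD_SIZE);
    return erase_range(low, sp);
}

int main(void)
{
    /* Constructed inputs: one sane value, two corrupted ones. */
    printf("in-range lowest_stack    : %zu bytes poisoned\n",
           run_erase(model_boundary() + 1024));
    printf("lowest_stack below stack : %zu bytes poisoned\n",
           run_erase(model_boundary() - 64));
    printf("lowest_stack above stack : %zu bytes poisoned\n",
           run_erase(model_top() + 1000));
    return 0;
}
```

The in-range case poisons only the region between the recorded low-water mark and the stack pointer; both corrupted cases fall back to erasing from the boundary, which costs a few extra kilobytes of writes but never touches memory outside the buffer.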