From: Thomas Gleixner <tglx@linutronix.de>
To: Kees Cook <keescook@chromium.org>
Cc: Kees Cook <keescook@chromium.org>,
Elena Reshetova <elena.reshetova@intel.com>,
x86@kernel.org, Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Potapenko <glider@google.com>,
Alexander Popov <alex.popov@linux.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jann Horn <jannh@google.com>, Vlastimil Babka <vbabka@suse.cz>,
David Hildenbrand <david@redhat.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Randy Dunlap <rdunlap@infradead.org>,
kernel-hardening@lists.openwall.com,
linux-hardening@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall
Date: Sun, 28 Mar 2021 16:42:03 +0200 [thread overview]
Message-ID: <87eefzcpc4.ffs@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20210319212835.3928492-4-keescook@chromium.org>
Kees,
On Fri, Mar 19 2021 at 14:28, Kees Cook wrote:
> +/*
> + * Do not use this anywhere else in the kernel. This is used here because
> + * it provides an arch-agnostic way to grow the stack with correct
> + * alignment. Also, since this use is being explicitly masked to a max of
> + * 10 bits, stack-clash style attacks are unlikely. For more details see
> + * "VLAs" in Documentation/process/deprecated.rst
VLAs are bad, VLAs to the rescue! :)
> + * The asm statement is designed to convince the compiler to keep the
> + * allocation around even after "ptr" goes out of scope.
> + */
> +void *__builtin_alloca(size_t size);
> +
> +#define add_random_kstack_offset() do { \
> + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
> + &randomize_kstack_offset)) { \
> + u32 offset = this_cpu_read(kstack_offset); \
Not that it matters on x86, but as this has to be called in the
interrupt disabled region of the syscall entry, shouldn't this be a
raw_cpu_read(). The asm-generic version has a preempt_disable/enable
pair around the raw read for native wordsize reads, otherwise a
irqsave/restore pair.
__this_cpu_read() is fine as well, but that has an sanity check before
the raw read when CONFIG_DEBUG_PREEMPT is on, which is harmless but
also pointless in this case.
Probably the same for the counterpart this_cpu_write().
Thanks,
tglx
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Gleixner <tglx@linutronix.de>
To: Kees Cook <keescook@chromium.org>
Cc: Kees Cook <keescook@chromium.org>,
Elena Reshetova <elena.reshetova@intel.com>,
x86@kernel.org, Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Potapenko <glider@google.com>,
Alexander Popov <alex.popov@linux.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jann Horn <jannh@google.com>, Vlastimil Babka <vbabka@suse.cz>,
David Hildenbrand <david@redhat.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Randy Dunlap <rdunlap@infradead.org>,
kernel-hardening@lists.openwall.com,
linux-hardening@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall
Date: Sun, 28 Mar 2021 16:42:03 +0200 [thread overview]
Message-ID: <87eefzcpc4.ffs@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20210319212835.3928492-4-keescook@chromium.org>
Kees,
On Fri, Mar 19 2021 at 14:28, Kees Cook wrote:
> +/*
> + * Do not use this anywhere else in the kernel. This is used here because
> + * it provides an arch-agnostic way to grow the stack with correct
> + * alignment. Also, since this use is being explicitly masked to a max of
> + * 10 bits, stack-clash style attacks are unlikely. For more details see
> + * "VLAs" in Documentation/process/deprecated.rst
VLAs are bad, VLAs to the rescue! :)
> + * The asm statement is designed to convince the compiler to keep the
> + * allocation around even after "ptr" goes out of scope.
> + */
> +void *__builtin_alloca(size_t size);
> +
> +#define add_random_kstack_offset() do { \
> + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
> + &randomize_kstack_offset)) { \
> + u32 offset = this_cpu_read(kstack_offset); \
Not that it matters on x86, but as this has to be called in the
interrupt disabled region of the syscall entry, shouldn't this be a
raw_cpu_read(). The asm-generic version has a preempt_disable/enable
pair around the raw read for native wordsize reads, otherwise a
irqsave/restore pair.
__this_cpu_read() is fine as well, but that has an sanity check before
the raw read when CONFIG_DEBUG_PREEMPT is on, which is harmless but
also pointless in this case.
Probably the same for the counterpart this_cpu_write().
Thanks,
tglx
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-03-28 14:45 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-19 21:28 [PATCH v7 0/6] Optionally randomize kernel stack offset each syscall Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-03-19 21:28 ` [PATCH v7 1/6] jump_label: Provide CONFIG-driven build state defaults Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-03-19 21:28 ` [PATCH v7 2/6] init_on_alloc: Optimize static branches Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-03-19 21:28 ` [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-03-28 14:42 ` Thomas Gleixner [this message]
2021-03-28 14:42 ` Thomas Gleixner
2021-03-29 18:41 ` Kees Cook
2021-03-29 18:41 ` Kees Cook
2021-03-19 21:28 ` [PATCH v7 4/6] x86/entry: Enable random_kstack_offset support Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-03-20 11:58 ` Ingo Molnar
2021-03-20 11:58 ` Ingo Molnar
2021-03-21 17:03 ` Kees Cook
2021-03-21 17:03 ` Kees Cook
2021-03-28 14:18 ` Thomas Gleixner
2021-03-28 14:18 ` Thomas Gleixner
2021-03-29 18:43 ` Kees Cook
2021-03-29 18:43 ` Kees Cook
2021-03-19 21:28 ` [PATCH v7 5/6] arm64: entry: " Kees Cook
2021-03-19 21:28 ` Kees Cook
2021-04-01 8:34 ` Will Deacon
2021-04-01 8:34 ` Will Deacon
2021-03-19 21:28 ` [PATCH v7 6/6] lkdtm: Add REPORT_STACK for checking stack offsets Kees Cook
2021-03-19 21:28 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eefzcpc4.ffs@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=akpm@linux-foundation.org \
--cc=alex.popov@linux.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=david@redhat.com \
--cc=elena.reshetova@intel.com \
--cc=glider@google.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=rppt@linux.ibm.com \
--cc=vbabka@suse.cz \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.