From: Thomas Gleixner <tglx@linutronix.de> To: Kees Cook <keescook@chromium.org> Cc: Kees Cook <keescook@chromium.org>, Elena Reshetova <elena.reshetova@intel.com>, x86@kernel.org, Andy Lutomirski <luto@kernel.org>, Peter Zijlstra <peterz@infradead.org>, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Alexander Potapenko <glider@google.com>, Alexander Popov <alex.popov@linux.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Jann Horn <jannh@google.com>, Vlastimil Babka <vbabka@suse.cz>, David Hildenbrand <david@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Jonathan Corbet <corbet@lwn.net>, Randy Dunlap <rdunlap@infradead.org>, kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall Date: Sun, 28 Mar 2021 16:42:03 +0200 [thread overview] Message-ID: <87eefzcpc4.ffs@nanos.tec.linutronix.de> (raw) In-Reply-To: <20210319212835.3928492-4-keescook@chromium.org> Kees, On Fri, Mar 19 2021 at 14:28, Kees Cook wrote: > +/* > + * Do not use this anywhere else in the kernel. This is used here because > + * it provides an arch-agnostic way to grow the stack with correct > + * alignment. Also, since this use is being explicitly masked to a max of > + * 10 bits, stack-clash style attacks are unlikely. For more details see > + * "VLAs" in Documentation/process/deprecated.rst VLAs are bad, VLAs to the rescue! :) > + * The asm statement is designed to convince the compiler to keep the > + * allocation around even after "ptr" goes out of scope. > + */ > +void *__builtin_alloca(size_t size); > + > +#define add_random_kstack_offset() do { \ > + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ > + &randomize_kstack_offset)) { \ > + u32 offset = this_cpu_read(kstack_offset); \ Not that it matters on x86, but as this has to be called in the interrupt disabled region of the syscall entry, shouldn't this be a raw_cpu_read(). The asm-generic version has a preempt_disable/enable pair around the raw read for native wordsize reads, otherwise a irqsave/restore pair. __this_cpu_read() is fine as well, but that has an sanity check before the raw read when CONFIG_DEBUG_PREEMPT is on, which is harmless but also pointless in this case. Probably the same for the counterpart this_cpu_write(). Thanks, tglx
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Gleixner <tglx@linutronix.de> To: Kees Cook <keescook@chromium.org> Cc: Kees Cook <keescook@chromium.org>, Elena Reshetova <elena.reshetova@intel.com>, x86@kernel.org, Andy Lutomirski <luto@kernel.org>, Peter Zijlstra <peterz@infradead.org>, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Alexander Potapenko <glider@google.com>, Alexander Popov <alex.popov@linux.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Jann Horn <jannh@google.com>, Vlastimil Babka <vbabka@suse.cz>, David Hildenbrand <david@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Jonathan Corbet <corbet@lwn.net>, Randy Dunlap <rdunlap@infradead.org>, kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall Date: Sun, 28 Mar 2021 16:42:03 +0200 [thread overview] Message-ID: <87eefzcpc4.ffs@nanos.tec.linutronix.de> (raw) In-Reply-To: <20210319212835.3928492-4-keescook@chromium.org> Kees, On Fri, Mar 19 2021 at 14:28, Kees Cook wrote: > +/* > + * Do not use this anywhere else in the kernel. This is used here because > + * it provides an arch-agnostic way to grow the stack with correct > + * alignment. Also, since this use is being explicitly masked to a max of > + * 10 bits, stack-clash style attacks are unlikely. For more details see > + * "VLAs" in Documentation/process/deprecated.rst VLAs are bad, VLAs to the rescue! :) > + * The asm statement is designed to convince the compiler to keep the > + * allocation around even after "ptr" goes out of scope. > + */ > +void *__builtin_alloca(size_t size); > + > +#define add_random_kstack_offset() do { \ > + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ > + &randomize_kstack_offset)) { \ > + u32 offset = this_cpu_read(kstack_offset); \ Not that it matters on x86, but as this has to be called in the interrupt disabled region of the syscall entry, shouldn't this be a raw_cpu_read(). The asm-generic version has a preempt_disable/enable pair around the raw read for native wordsize reads, otherwise a irqsave/restore pair. __this_cpu_read() is fine as well, but that has an sanity check before the raw read when CONFIG_DEBUG_PREEMPT is on, which is harmless but also pointless in this case. Probably the same for the counterpart this_cpu_write(). Thanks, tglx _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-03-28 14:45 UTC|newest] Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-03-19 21:28 [PATCH v7 0/6] Optionally randomize kernel stack offset each syscall Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-03-19 21:28 ` [PATCH v7 1/6] jump_label: Provide CONFIG-driven build state defaults Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-03-19 21:28 ` [PATCH v7 2/6] init_on_alloc: Optimize static branches Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-03-19 21:28 ` [PATCH v7 3/6] stack: Optionally randomize kernel stack offset each syscall Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-03-28 14:42 ` Thomas Gleixner [this message] 2021-03-28 14:42 ` Thomas Gleixner 2021-03-29 18:41 ` Kees Cook 2021-03-29 18:41 ` Kees Cook 2021-03-19 21:28 ` [PATCH v7 4/6] x86/entry: Enable random_kstack_offset support Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-03-20 11:58 ` Ingo Molnar 2021-03-20 11:58 ` Ingo Molnar 2021-03-21 17:03 ` Kees Cook 2021-03-21 17:03 ` Kees Cook 2021-03-28 14:18 ` Thomas Gleixner 2021-03-28 14:18 ` Thomas Gleixner 2021-03-29 18:43 ` Kees Cook 2021-03-29 18:43 ` Kees Cook 2021-03-19 21:28 ` [PATCH v7 5/6] arm64: entry: " Kees Cook 2021-03-19 21:28 ` Kees Cook 2021-04-01 8:34 ` Will Deacon 2021-04-01 8:34 ` Will Deacon 2021-03-19 21:28 ` [PATCH v7 6/6] lkdtm: Add REPORT_STACK for checking stack offsets Kees Cook 2021-03-19 21:28 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=87eefzcpc4.ffs@nanos.tec.linutronix.de \ --to=tglx@linutronix.de \ --cc=akpm@linux-foundation.org \ --cc=alex.popov@linux.com \ --cc=ard.biesheuvel@linaro.org \ --cc=catalin.marinas@arm.com \ --cc=corbet@lwn.net \ --cc=david@redhat.com \ --cc=elena.reshetova@intel.com \ --cc=glider@google.com \ --cc=jannh@google.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-hardening@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=mark.rutland@arm.com \ --cc=peterz@infradead.org \ --cc=rdunlap@infradead.org \ --cc=rppt@linux.ibm.com \ --cc=vbabka@suse.cz \ --cc=will@kernel.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.