From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2557C433F5 for ; Sun, 15 May 2022 16:17:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237660AbiEOQR0 (ORCPT ); Sun, 15 May 2022 12:17:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49808 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231624AbiEOQRY (ORCPT ); Sun, 15 May 2022 12:17:24 -0400 Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3F4CDF65 for ; Sun, 15 May 2022 09:17:22 -0700 (PDT) Received: by mail-ed1-f54.google.com with SMTP id c12so1725277eds.10 for ; Sun, 15 May 2022 09:17:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:reply-to :subject:content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=m+papEz+RWVYQ4erdcb0O46hSO9mcyw8EdGsK52iQDQ=; b=W51tJtXEwpTJ1OHl3shN+SwRTSodR/sf9c+Bb1f3Ep0oeMZz5vEwC7ZhWtQOrfa/e1 BbcO4GwAtIiusCde8YnQdC0DcQ+ypL1wmkHiKxRVDvCaw5Cstk0rFV2Xjza0m8O1MAV3 91/imL8gqoKl6E0Fc21GJmhvh7Whe32ha6WNUjOo8Vq3TDUjxU11qKEkOMxviKuJPSKQ X3Tjs8dq3RS+kCKNWRNOS1Ge5F4yN+kNGciiMUr0L3UtZxhxgR/3GA/BcRM7Qlt2NgAX jlXsBjS1XO9TMLJz0t1j/zLppklWrEOWDuuIg6PC9MmG06BBrKpGvfXu1ND3PR1NsCEi Mrfg== X-Gm-Message-State: AOAM531XTr92C5d8ZCoXj1wqerfOCu/SsDcEbB2v3XCDYWTXLYG8j1XD 6t1vsgsRAYnU8r8GYrYr1gk= X-Google-Smtp-Source: ABdhPJzbk5jxfNgZbkHfRwpJoX6Viho3cdHkj4vdkUG/fHA0J7sETGUZWsM0m/qY9QFMH3Se5dSZoA== X-Received: by 2002:a05:6402:84a:b0:423:fe99:8c53 with SMTP id b10-20020a056402084a00b00423fe998c53mr8842690edz.195.1652631441184; Sun, 15 May 2022 09:17:21 -0700 (PDT) Received: from [10.9.0.34] ([46.166.133.199]) by smtp.gmail.com with ESMTPSA id o23-20020a50fd97000000b0042aaaf3f41csm1171934edt.4.2022.05.15.09.17.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 15 May 2022 09:17:20 -0700 (PDT) Message-ID: <8d8061c4-2a3e-cb3a-00c9-677fa8899058@linux.com> Date: Sun, 15 May 2022 19:17:16 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Reply-To: alex.popov@linux.com Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check Content-Language: en-US To: Mark Rutland , Kees Cook Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com> <202205101958.2A33DE20@keescook> <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> From: Alexander Popov In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12.05.2022 12:14, Mark Rutland wrote: > On Wed, May 11, 2022 at 07:44:41AM -0700, Kees Cook wrote: >> >> >> On May 11, 2022 1:02:45 AM PDT, Mark Rutland wrote: >>> On Tue, May 10, 2022 at 08:00:38PM -0700, Kees Cook wrote: >>>> On Tue, May 10, 2022 at 12:46:48PM +0100, Mark Rutland wrote: >>>>> On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote: >>>>>> On 27.04.2022 20:31, Mark Rutland wrote: >>>>>>> In __stackleak_erase() we check that the `erase_low` value derived from >>>>>>> `current->lowest_stack` is above the lowest legitimate stack pointer >>>>>>> value, but this is already enforced by stackleak_track_stack() when >>>>>>> recording the lowest stack value. >>>>>>> >>>>>>> Remove the redundant check. >>>>>>> >>>>>>> There should be no functional change as a result of this patch. >>>>>> >>>>>> Mark, I can't agree here. I think this check is important. >>>>>> The performance profit from dropping it is less than the confidence decrease :) >>>>>> >>>>>> With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't >>>>>> overwrite some wrong kernel memory, but simply clears the whole thread >>>>>> stack, which is safe behavior. >>>>> >>>>> If you feel strongly about it, I can restore the check, but I struggle to >>>>> believe that it's worthwhile. The `lowest_stack` value lives in the >>>>> task_struct, and if you have the power to corrupt that you have the power to do >>>>> much more interesting things. >>>>> >>>>> If we do restore it, I'd like to add a big fat comment explaining the >>>>> rationale (i.e. that it only matter if someone could corrupt >>>>> `current->lowest_stack`, as otherwise that's guarnateed to be within bounds). >>>> >>>> Yeah, let's restore it and add the comment. While I do agree it's likely >>>> that such an corruption would likely mean an attacker had significant >>>> control over kernel memory already, it is not uncommon that an attack >>>> only has a limited index from a given address, etc. Or some manipulation >>>> is possible via weird gadgets, etc. It's unlikely, but not impossible, >>>> and a bounds-check for that value is cheap compared to the rest of the >>>> work happening. :) >>> >>> Fair enough; I can go spin a patch restoring this. I'm somewhat unhappy with >>> silently fixing that up, though -- IMO it'd be better to BUG() or similar in >>> that case. >> >> I share your desires, and this was exactly what Alexander originally proposed, but Linus rejected it violently. :( >> https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/ > > I see. :/ > > Thinking about this some more, if we assume someone can corrupt *some* word of > memory, then we need to consider that instead of corrupting > task_struct::lowest_stack, they could corrupt task_struct::stack (or x86's > cpu_current_top_of_stack prior to this series). > > With that in mind, if we detect that task_struct::lowest_stack is > out-of-bounds, we have no idea whether it has been corrupted or the other bound > values have been corrupted, and so we can't do the erase safely anyway. :) IMO, even if a kernel thread stack is moved somewhere for any weird reason, stackleak must erase it at the end of syscall and do its job. > So AFAICT we must *avoid* erasing when that goes wrong. Maybe we could WARN() > instead of BUG()? Mark, I think security features must not go out of service. The 'lowest_stack' value is for making stackleak faster. I believe if the 'lowest_stack' value is invalid, stackleak must not skip its main job and should erase the whole kernel thread stack. When I developed 'stackleak_erase()' I tried adding 'WARN_ON()', but it didn't work properly there, as I remember. Warning handling code is very complex. So I dropped that fragile part. Best regards, Alexander From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A74C0C433F5 for ; Sun, 15 May 2022 16:19:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:Reply-To:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To: Subject:MIME-Version:Date:Message-ID:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=nOnour3EN53xO0CSZNCLuOIx/ZlyOq5yvsF9VfZHNGI=; b=AeYJexbxfOoNdV WpOqh5j1KHUNNAg0kly50yxSPYdzJ/dMijzM0FDIY1l9kLWzpu+x8EFMngrlhVCTPVXOM+lKfsygw h+yN8Ii9QdIMgx51PFCqkncAZwpoea0fMZtFgxY5nQ8FiGf6uQSW55DChUm1mXvKS/LX5AXyMU/v1 fqGSRKx53Ql5lOPAPPGOtqTKxkT01B9SSOTc7AjN6NuiIXoXGvun7ZG/PqJKJqquX2hCCMfmjqyHs 6h9CgaCb1Hm6e0KPKTPl/fwx6JXf2obALganoMPFs7KNaB6phU916AgVzn3O9t8uWz39TBE1NIPmr SrMIbm9t0t2Fk0RVprZw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nqGvx-004Nox-93; Sun, 15 May 2022 16:17:29 +0000 Received: from mail-ed1-f51.google.com ([209.85.208.51]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nqGvu-004NoQ-1O for linux-arm-kernel@lists.infradead.org; Sun, 15 May 2022 16:17:27 +0000 Received: by mail-ed1-f51.google.com with SMTP id m12so2262edb.6 for ; Sun, 15 May 2022 09:17:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:reply-to :subject:content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=m+papEz+RWVYQ4erdcb0O46hSO9mcyw8EdGsK52iQDQ=; b=T3tULWlFYcK5CQ0Eg3xUtoscu2lu8ixWsBk4IX+cmWo/N/r5BZq2YNZ/O9iLpQywdo bWq3r8nlHH6SeD1sz0+GwKJVQYPWQYJms0zmwEwhCND9Y+skRT7frv1GZAkd/fZp5DYZ 7wolGEUE0pfPUGYA+7ZtqaZTRmjlayA/oAK9p2FHs7EweDXxVTtbJZ6Mo7FC5R/NHblq 03O62DN2MhL5EJ5pFdhBAEY/uP5/Ce5rFwW18ZycUNusbPXnFd02lJ/s/UIZ5eWxU1eR qXzk8OycoEk8tFnLtEeeXeZwaM9Vl09MI9Q/TQem21wJt+EkAbvOYvARBzA9y5g0gH85 /J8g== X-Gm-Message-State: AOAM531hTRlxyahGm+tFNl2B+U0R8oZHM6eNO1v1Zll8T5dgcIzc6VLL IG5bHBBBtputcWMHrNBBAXoJcLbkx7U= X-Google-Smtp-Source: ABdhPJzbk5jxfNgZbkHfRwpJoX6Viho3cdHkj4vdkUG/fHA0J7sETGUZWsM0m/qY9QFMH3Se5dSZoA== X-Received: by 2002:a05:6402:84a:b0:423:fe99:8c53 with SMTP id b10-20020a056402084a00b00423fe998c53mr8842690edz.195.1652631441184; Sun, 15 May 2022 09:17:21 -0700 (PDT) Received: from [10.9.0.34] ([46.166.133.199]) by smtp.gmail.com with ESMTPSA id o23-20020a50fd97000000b0042aaaf3f41csm1171934edt.4.2022.05.15.09.17.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 15 May 2022 09:17:20 -0700 (PDT) Message-ID: <8d8061c4-2a3e-cb3a-00c9-677fa8899058@linux.com> Date: Sun, 15 May 2022 19:17:16 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check Content-Language: en-US To: Mark Rutland , Kees Cook Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com> <202205101958.2A33DE20@keescook> <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> From: Alexander Popov In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220515_091726_134104_8DAC54B6 X-CRM114-Status: GOOD ( 26.94 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: alex.popov@linux.com Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 12.05.2022 12:14, Mark Rutland wrote: > On Wed, May 11, 2022 at 07:44:41AM -0700, Kees Cook wrote: >> >> >> On May 11, 2022 1:02:45 AM PDT, Mark Rutland wrote: >>> On Tue, May 10, 2022 at 08:00:38PM -0700, Kees Cook wrote: >>>> On Tue, May 10, 2022 at 12:46:48PM +0100, Mark Rutland wrote: >>>>> On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote: >>>>>> On 27.04.2022 20:31, Mark Rutland wrote: >>>>>>> In __stackleak_erase() we check that the `erase_low` value derived from >>>>>>> `current->lowest_stack` is above the lowest legitimate stack pointer >>>>>>> value, but this is already enforced by stackleak_track_stack() when >>>>>>> recording the lowest stack value. >>>>>>> >>>>>>> Remove the redundant check. >>>>>>> >>>>>>> There should be no functional change as a result of this patch. >>>>>> >>>>>> Mark, I can't agree here. I think this check is important. >>>>>> The performance profit from dropping it is less than the confidence decrease :) >>>>>> >>>>>> With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't >>>>>> overwrite some wrong kernel memory, but simply clears the whole thread >>>>>> stack, which is safe behavior. >>>>> >>>>> If you feel strongly about it, I can restore the check, but I struggle to >>>>> believe that it's worthwhile. The `lowest_stack` value lives in the >>>>> task_struct, and if you have the power to corrupt that you have the power to do >>>>> much more interesting things. >>>>> >>>>> If we do restore it, I'd like to add a big fat comment explaining the >>>>> rationale (i.e. that it only matter if someone could corrupt >>>>> `current->lowest_stack`, as otherwise that's guarnateed to be within bounds). >>>> >>>> Yeah, let's restore it and add the comment. While I do agree it's likely >>>> that such an corruption would likely mean an attacker had significant >>>> control over kernel memory already, it is not uncommon that an attack >>>> only has a limited index from a given address, etc. Or some manipulation >>>> is possible via weird gadgets, etc. It's unlikely, but not impossible, >>>> and a bounds-check for that value is cheap compared to the rest of the >>>> work happening. :) >>> >>> Fair enough; I can go spin a patch restoring this. I'm somewhat unhappy with >>> silently fixing that up, though -- IMO it'd be better to BUG() or similar in >>> that case. >> >> I share your desires, and this was exactly what Alexander originally proposed, but Linus rejected it violently. :( >> https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/ > > I see. :/ > > Thinking about this some more, if we assume someone can corrupt *some* word of > memory, then we need to consider that instead of corrupting > task_struct::lowest_stack, they could corrupt task_struct::stack (or x86's > cpu_current_top_of_stack prior to this series). > > With that in mind, if we detect that task_struct::lowest_stack is > out-of-bounds, we have no idea whether it has been corrupted or the other bound > values have been corrupted, and so we can't do the erase safely anyway. :) IMO, even if a kernel thread stack is moved somewhere for any weird reason, stackleak must erase it at the end of syscall and do its job. > So AFAICT we must *avoid* erasing when that goes wrong. Maybe we could WARN() > instead of BUG()? Mark, I think security features must not go out of service. The 'lowest_stack' value is for making stackleak faster. I believe if the 'lowest_stack' value is invalid, stackleak must not skip its main job and should erase the whole kernel thread stack. When I developed 'stackleak_erase()' I tried adding 'WARN_ON()', but it didn't work properly there, as I remember. Warning handling code is very complex. So I dropped that fragile part. Best regards, Alexander _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel