From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Elena Reshetova <elena.reshetova@intel.com>,
"the arch/x86 maintainers" <x86@kernel.org>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Potapenko <glider@google.com>,
Alexander Popov <alex.popov@linux.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v4 3/5] stack: Optionally randomize kernel stack offset each syscall
Date: Mon, 22 Jun 2020 22:07:37 +0200 [thread overview]
Message-ID: <CAG48ez0pRtMZs3Hc3R2+XGHRwt9nZAGZu6vDpPBMbE+Askr_+Q@mail.gmail.com> (raw)
In-Reply-To: <20200622193146.2985288-4-keescook@chromium.org>
On Mon, Jun 22, 2020 at 9:31 PM Kees Cook <keescook@chromium.org> wrote:
> This provides the ability for architectures to enable kernel stack base
> address offset randomization. This feature is controlled by the boot
> param "randomize_kstack_offset=on/off", with its default value set by
> CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.
[...]
> +#define add_random_kstack_offset() do { \
> + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
> + &randomize_kstack_offset)) { \
> + u32 offset = this_cpu_read(kstack_offset); \
> + u8 *ptr = __builtin_alloca(offset & 0x3FF); \
> + asm volatile("" : "=m"(*ptr)); \
> + } \
> +} while (0)
clang generates better code here if the mask is stack-aligned -
otherwise it needs to round the stack pointer / the offset:
$ cat alloca_align.c
#include <alloca.h>
void callee(void);
void alloca_blah(unsigned long rand) {
asm volatile(""::"r"(alloca(rand & MASK)));
callee();
}
$ clang -O3 -c -o alloca_align.o alloca_align.c -DMASK=0x3ff
$ objdump -d alloca_align.o
[...]
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 81 e7 ff 03 00 00 and $0x3ff,%edi
a: 83 c7 0f add $0xf,%edi
d: 83 e7 f0 and $0xfffffff0,%edi
10: 48 89 e0 mov %rsp,%rax
13: 48 29 f8 sub %rdi,%rax
16: 48 89 c4 mov %rax,%rsp
19: e8 00 00 00 00 callq 1e <alloca_blah+0x1e>
1e: 48 89 ec mov %rbp,%rsp
21: 5d pop %rbp
22: c3 retq
$ clang -O3 -c -o alloca_align.o alloca_align.c -DMASK=0x3f0
$ objdump -d alloca_align.o
[...]
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 89 e0 mov %rsp,%rax
7: 81 e7 f0 03 00 00 and $0x3f0,%edi
d: 48 29 f8 sub %rdi,%rax
10: 48 89 c4 mov %rax,%rsp
13: e8 00 00 00 00 callq 18 <alloca_blah+0x18>
18: 48 89 ec mov %rbp,%rsp
1b: 5d pop %rbp
1c: c3 retq
$
(From a glance at the assembly, gcc seems to always assume that the
length may be misaligned.)
Maybe this should be something along the lines of
__builtin_alloca(offset & (0x3ff & ARCH_STACK_ALIGN_MASK)) (with
appropriate definitions of the stack alignment mask depending on the
architecture's choice of stack alignment for kernel code).
next prev parent reply other threads:[~2020-06-22 20:08 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-22 19:31 [PATCH v4 0/5] Optionally randomize kernel stack offset each syscall Kees Cook
2020-06-22 19:31 ` [PATCH v4 1/5] jump_label: Provide CONFIG-driven build state defaults Kees Cook
2020-06-22 19:31 ` [PATCH v4 2/5] init_on_alloc: Unpessimize default-on builds Kees Cook
2020-06-22 19:31 ` [PATCH v4 3/5] stack: Optionally randomize kernel stack offset each syscall Kees Cook
2020-06-22 19:40 ` Randy Dunlap
2020-06-22 21:26 ` Kees Cook
2020-06-22 20:07 ` Jann Horn [this message]
2020-06-22 20:07 ` Jann Horn
2020-06-22 21:30 ` Kees Cook
2020-06-22 21:42 ` Jann Horn
2020-06-22 21:42 ` Jann Horn
2020-06-22 22:04 ` Kees Cook
2020-06-22 22:56 ` Arvind Sankar
2020-06-22 23:07 ` Kees Cook
2020-06-23 0:05 ` Arvind Sankar
2020-06-23 0:56 ` Kees Cook
2020-06-23 13:42 ` David Laight
2020-06-23 13:42 ` David Laight
2020-06-23 12:38 ` Alexander Popov
2020-06-22 19:31 ` [PATCH v4 4/5] x86/entry: Enable random_kstack_offset support Kees Cook
2020-06-22 19:31 ` [PATCH v4 5/5] arm64: entry: " Kees Cook
2020-06-23 9:40 ` Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez0pRtMZs3Hc3R2+XGHRwt9nZAGZu6vDpPBMbE+Askr_+Q@mail.gmail.com \
--to=jannh@google.com \
--cc=alex.popov@linux.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=elena.reshetova@intel.com \
--cc=glider@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.