linux-kernel.vger.kernel.org archive mirror
From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
	Alexander Popov <alex.popov@linux.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Ingo Molnar <mingo@kernel.org>,
	Masahiro Yamada <yamada.masahiro@socionext.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Tycho Andersen <tycho@tycho.ws>,
	Mark Rutland <mark.rutland@arm.com>,
	Laura Abbott <labbott@redhat.com>,
	Will Deacon <will.deacon@arm.com>
Subject: [GIT PULL] gcc-plugin updates for v4.19-rc1
Date: Mon, 13 Aug 2018 14:43:28 -0700
Message-ID: <20180813214328.GA15137@beast>

Hi Linus,

Please pull these gcc-plugin changes for v4.19-rc1. This has some Kconfig
and Makefile cleanups from Masahiro and myself, but the bulk of this
is the STACKLEAK plugin ported by Alexander Popov. As discussed in its
commit logs, it provides efficient stack content poisoning at syscall
exit. This creates a defense against several classes of flaws:

- uninitialized stack usage (while we continue to work on improving the
  compiler to do this in other ways: e.g. unconditional zero init was
  proposed to gcc and clang, and more plugin work has started too)

- stack content exposure (by greatly reducing the lifetime of valid stack
  contents, exposures via either direct read bugs or unknown cache
  side-channels become much more difficult to exploit. This complements
  the existing buddy and heap poisoning options, but provides the coverage
  for stacks)

- stack exhaustion/guard-page skipping (while we continue to work to
  remove all VLAs in the kernel: of the ~115 cases found in v4.16, after
  the v4.19 merge window we should be down to about 13 remaining, most of
  them in crypto code, all of which have patches under review)

The x86 hooks are included in this series (which have been reviewed by
Ingo, Dave Hansen, and Thomas Gleixner), and have hopefully addressed
your concerns with regard to the size of assembly changes which are now
minimal. The arm64 hooks are expected to be coming through the arm64
tree during the v4.19 merge window as well (written by Laura Abbott and
reviewed by Mark Rutland and Will Deacon).

Thanks!

-Kees

The following changes since commit 7daf201d7fe8334e2d2364d4e8ed3394ec9af819:

  Linux 4.18-rc2 (2018-06-24 20:54:29 +0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v4.19-rc1

for you to fetch changes up to b1310d137bc578f0032b6b990628a366d5f0910e:

  stackleak: Allow runtime disabling of kernel stack erasing (2018-07-26 09:04:15 -0700)

----------------------------------------------------------------
- Kconfig and Makefile clean ups (Masahiro Yamada, Kees Cook)
- Add STACKLEAK plugin, metrics, docs, knob and x86 hooks (Alexander Popov)

----------------------------------------------------------------
Alexander Popov (7):
      gcc-plugins: Clean up the cgraph_create_edge* macros
      x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
      gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
      lkdtm: Add a test for STACKLEAK
      fs/proc: Show STACKLEAK metrics in the /proc file system
      doc: self-protection: Add information about STACKLEAK feature
      stackleak: Allow runtime disabling of kernel stack erasing

Kees Cook (1):
      gcc-plugins: Regularize Makefile.gcc-plugins

Masahiro Yamada (2):
      gcc-plugins: remove unused GCC_PLUGIN_SUBDIR
      gcc-plugins: split out Kconfig entries to scripts/gcc-plugins/Kconfig

 Documentation/security/self-protection.rst |  23 +-
 Documentation/sysctl/kernel.txt            |  18 ++
 Documentation/x86/x86_64/mm.txt            |   2 +
 arch/Kconfig                               | 147 +--------
 arch/x86/Kconfig                           |   1 +
 arch/x86/entry/calling.h                   |  14 +
 arch/x86/entry/entry_32.S                  |   7 +
 arch/x86/entry/entry_64.S                  |   3 +
 arch/x86/entry/entry_64_compat.S           |   5 +
 arch/x86/kernel/dumpstack.c                |  31 ++
 drivers/misc/lkdtm/Makefile                |   3 +
 drivers/misc/lkdtm/core.c                  |   3 +
 drivers/misc/lkdtm/lkdtm.h                 |   5 +
 drivers/misc/lkdtm/stackleak.c             | 146 +++++++++
 fs/proc/base.c                             |  18 ++
 include/linux/sched.h                      |   5 +
 include/linux/stackleak.h                  |  35 +++
 kernel/Makefile                            |   4 +
 kernel/fork.c                              |   3 +
 kernel/stackleak.c                         | 132 ++++++++
 kernel/sysctl.c                            |  15 +-
 scripts/Makefile.gcc-plugins               |  47 ++-
 scripts/gcc-plugins/Kconfig                | 196 ++++++++++++
 scripts/gcc-plugins/Makefile               |   5 -
 scripts/gcc-plugins/gcc-common.h           |  26 +-
 scripts/gcc-plugins/stackleak_plugin.c     | 480 +++++++++++++++++++++++++++++
 26 files changed, 1195 insertions(+), 179 deletions(-)
 create mode 100644 drivers/misc/lkdtm/stackleak.c
 create mode 100644 include/linux/stackleak.h
 create mode 100644 kernel/stackleak.c
 create mode 100644 scripts/gcc-plugins/Kconfig
 create mode 100644 scripts/gcc-plugins/stackleak_plugin.c

-- 
Kees Cook
Pixel Security
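
The uninitialized-stack and stack-content-exposure cases listed in the message above, as a small user-space model added here (not code from the pull request or the kernel). The stack array, the `enter()` tracking helper, the two toy syscalls and the poison value are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 64
#define POISON 0xDEADBEEFu      /* constructed for this model */

/* One task's kernel stack, modelled as an array that grows down. */
struct task {
    uint32_t stack[STACK_WORDS];
    size_t lowest;              /* deepest index used since the last erase */
};

/* Stand-in for stack tracking: open a frame and remember the deepest sp. */
static uint32_t *enter(struct task *t, size_t words)
{
    size_t sp = STACK_WORDS - words;
    if (sp < t->lowest)
        t->lowest = sp;
    return &t->stack[sp];
}

/* Two "syscalls": one leaves a secret in a local, one returns a local it never set. */
static void sys_use_secret(struct task *t, uint32_t secret) { enter(t, 8)[3] = secret; }
static uint32_t sys_read_uninit(struct task *t) { return enter(t, 8)[3]; }

/* Syscall-exit hook: poison only the part that was used, then reset tracking. */
static void erase_stack(struct task *t)
{
    for (size_t i = t->lowest; i < STACK_WORDS; i++)
        t->stack[i] = POISON;
    t->lowest = STACK_WORDS;
}

/* Run both syscalls back to back; returns what the buggy one hands out. */
uint32_t run(int erase, uint32_t secret)
{
    struct task t = { .lowest = STACK_WORDS };
    sys_use_secret(&t, secret);
    if (erase)
        erase_stack(&t);
    return sys_read_uninit(&t);
}

int main(void)
{
    printf("erase off: %#x  erase on: %#x\n", (unsigned)run(0, 0x5EC2E7u), (unsigned)run(1, 0x5EC2E7u));
    return 0;
}
```

Without the exit hook the second call returns the first call's secret; with it, the stale slot holds only the poison pattern, and the erase loop touches just the eight words that were used.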
