From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
	Alexander Popov <alex.popov@linux.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Ingo Molnar <mingo@kernel.org>, Laura Abbott <labbott@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Tycho Andersen <tycho@tycho.ws>
Subject: [GIT PULL] gcc-plugin stackleak for v4.20-rc1
Date: Wed, 24 Oct 2018 12:14:13 -0700
Message-ID: <20181024191413.GA24294@beast>

Hi Linus,

Please pull this new GCC plugin, stackleak, for v4.20-rc1. This plugin
was ported from grsecurity by Alexander Popov. It provides efficient
stack content poisoning at syscall exit. This creates a defense against
at least two classes of flaws:

- Uninitialized stack usage. (We continue to work on improving the
  compiler to do this in other ways: e.g. unconditional zero init was
  proposed to GCC and Clang, and more plugin work has started too).

- Stack content exposure. By greatly reducing the lifetime of valid stack
  contents, exposures via either direct read bugs or unknown cache
  side-channels become much more difficult to exploit. This complements
  the existing buddy and heap poisoning options, but provides the coverage
  for stacks.

The x86 hooks are included in this series (which have been reviewed by
Ingo, Dave Hansen, and Thomas Gleixner). The arm64 hooks have already
been merged through the arm64 tree (written by Laura Abbott and reviewed
by Mark Rutland and Will Deacon).

With VLAs being removed this release (the final "-Wvla" patch is waiting
for the crypto, powerpc, and block trees to land in the merge window),
there is no need for alloca() protection, so it has been removed from
the plugin.

There is no use of BUG() or panic() (in fact, since the alloca()
protection has been removed, the arm64 hook using them is removed
as well).

There are two merge conflicts:

  drivers/misc/lkdtm/core.c: Trivial addition of a new test.

  Documentation/x86/x86_64/mm.txt: Looks nasty, but is actually trivial.
  The memory layout tables were rewritten, so the two additions of
  "STACKLEAK_POISON value in this last hole: ffffffffffff4111" just
  belong at the end of the newly reformatted tables.

Thanks!

-Kees

The following changes since commit 57361846b52bc686112da6ca5368d11210796804:

  Linux 4.19-rc2 (2018-09-02 14:37:30 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/stackleak-v4.20-rc1

for you to fetch changes up to 6fcde90466738b84a073e4f4d18c50015ee29fb2:

  arm64: Drop unneeded stackleak_check_alloca() (2018-09-04 10:35:48 -0700)

----------------------------------------------------------------
New gcc plugin: stackleak

- Introduces the stackleak gcc plugin ported from grsecurity by Alexander
  Popov, with x86 and arm64 support.

----------------------------------------------------------------
Alexander Popov (7):
      x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
      gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
      lkdtm: Add a test for STACKLEAK
      fs/proc: Show STACKLEAK metrics in the /proc file system
      doc: self-protection: Add information about STACKLEAK feature
      stackleak: Allow runtime disabling of kernel stack erasing
      arm64: Drop unneeded stackleak_check_alloca()

 Documentation/security/self-protection.rst |  10 +-
 Documentation/sysctl/kernel.txt            |  18 ++
 Documentation/x86/x86_64/mm.txt            |   2 +
 arch/Kconfig                               |   7 +
 arch/arm64/kernel/process.c                |  22 --
 arch/x86/Kconfig                           |   1 +
 arch/x86/entry/calling.h                   |  14 +
 arch/x86/entry/entry_32.S                  |   7 +
 arch/x86/entry/entry_64.S                  |   3 +
 arch/x86/entry/entry_64_compat.S           |   5 +
 drivers/misc/lkdtm/Makefile                |   2 +
 drivers/misc/lkdtm/core.c                  |   1 +
 drivers/misc/lkdtm/lkdtm.h                 |   3 +
 drivers/misc/lkdtm/stackleak.c             |  73 +++++
 fs/proc/base.c                             |  18 ++
 include/linux/sched.h                      |   5 +
 include/linux/stackleak.h                  |  35 +++
 kernel/Makefile                            |   4 +
 kernel/fork.c                              |   3 +
 kernel/stackleak.c                         | 132 +++++++++
 kernel/sysctl.c                            |  15 +-
 scripts/Makefile.gcc-plugins               |  10 +
 scripts/gcc-plugins/Kconfig                |  51 ++++
 scripts/gcc-plugins/stackleak_plugin.c     | 427 +++++++++++++++++++++++++++++
 24 files changed, 840 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/lkdtm/stackleak.c
 create mode 100644 include/linux/stackleak.h
 create mode 100644 kernel/stackleak.c
 create mode 100644 scripts/gcc-plugins/stackleak_plugin.c

-- 
Kees Cook
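As an added illustration (not code from this pull request or from the kernel tree), a user-space C model of the two halves the series describes: the plugin-inserted call that records the deepest stack pointer reached during a syscall, and the syscall-exit erase that overwrites the stack from the previously erased boundary up to the current stack pointer with the STACKLEAK_POISON value quoted above. The toy stack size, the poison search depth, the fully poisoned initial state and the tracker reset are constructed simplifications, not the exact behaviour of kernel/stackleak.c.

```c
#include <stddef.h>
#define STACKLEAK_POISON 0xffffffffffff4111UL /* value quoted in the pull request */
#define STACK_WORDS  64 /* constructed toy stack; index STACK_WORDS is the top */
#define SEARCH_DEPTH 4  /* constructed: this many poison words in a row marks the boundary */

static unsigned long stk[STACK_WORDS]; /* grows down from index STACK_WORDS */
static size_t lowest_stack;            /* model of current->lowest_stack */

/* Assumption: a fresh stack starts fully poisoned. */
static void stack_init(void)
{
    for (size_t i = 0; i < STACK_WORDS; i++)
        stk[i] = STACKLEAK_POISON;
    lowest_stack = STACK_WORDS;
}

/* Simulated call leaving `depth` live words below `sp`; the `if` models the plugin-inserted tracking. */
static size_t use_stack(size_t sp, size_t depth)
{
    size_t new_sp = sp - depth;
    if (new_sp < lowest_stack) lowest_stack = new_sp; /* deepest sp since last erase */
    for (size_t i = new_sp; i < sp; i++)
        stk[i] = 0x5a5a0000UL + i; /* constructed frame contents */
    return new_sp;
}

/* Syscall-exit erase: scan down from lowest_stack until SEARCH_DEPTH consecutive poison
 * words (the region erased last time), then poison from there up to sp. Returns words poisoned. */
static size_t stackleak_erase(size_t sp)
{
    size_t p = lowest_stack, run = 0, n = 0;
    while (p > 0 && run < SEARCH_DEPTH) {
        p--;
        run = (stk[p] == STACKLEAK_POISON) ? run + 1 : 0;
    }
    for (size_t i = p; i < sp; i++, n++)
        stk[i] = STACKLEAK_POISON;
    lowest_stack = sp; /* simplified reset of the tracker */
    return n;
}

/* Live (non-poison) words below sp: what a later stack read bug could expose. */
static size_t live_words_below(size_t sp)
{
    size_t n = 0;
    for (size_t i = 0; i < sp; i++)
        n += (stk[i] != STACKLEAK_POISON);
    return n;
}
```

The scan for a run of poison words is what lets the erase stay correct even when the tracked lowest_stack is not the true deepest point, which is why the plugin does not have to instrument every function.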
