From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A926C2D0EC for ; Thu, 26 Mar 2020 17:18:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 12E7C2083E for ; Thu, 26 Mar 2020 17:18:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="bOPaTx6G" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727717AbgCZRS4 (ORCPT ); Thu, 26 Mar 2020 13:18:56 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:38956 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726163AbgCZRSz (ORCPT ); Thu, 26 Mar 2020 13:18:55 -0400 Received: by mail-pl1-f193.google.com with SMTP id m1so2388135pll.6 for ; Thu, 26 Mar 2020 10:18:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=FuNH3TvottBd6Vom+HjZUn38bx12HjWSuxT5PFFp2NM=; b=bOPaTx6GdaN/kw3TDtNtl7YJvpKCdLmNpmXwiUaOV/H2Dyt1eisLQis+PnTqW9A+cy EpkaDdfA5uo4DCk1ebTh4faj0FTdvUrGM01MpAbv2nSbK+gGglpLa6jzzOF6TUBcNS18 J+EdB85pXrJ9G1gjVsQGSBY1SA1XxTOvVWnGc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=FuNH3TvottBd6Vom+HjZUn38bx12HjWSuxT5PFFp2NM=; b=pujXa8qKZgplmazhVdeJ+qAn52+EKFORRCAyhJZqrVa5n4cHeyPszTm4qMWov5ys/h tAlfTNeZt3Oxefx7xEtYmE5P8Qfv2dng+K9Aceol1NETnjZb7QDHwYjzZyA4zn80gigj OirQhwC89U677sKE7I9armbhLyps7PhqdVJLxAibYZLDodsuYs6dkTiOML4hmepGDY+/ RTl5bzXqOt6xaeyDHpyp6mVqbujPaKbsIybTnePTZfgYI+fmPOpYezbGelSnfltyCJTy 8dPd3PxZxwYA2eDejv8X4z5iB+iPdV6kF/LCbVppDKG7kteawP87QVDJ/cffiY0SGOYw L93g== X-Gm-Message-State: ANhLgQ3gzB+m0x11LU/wSHhf8nTX+7hpbvOUvqCWAlOoAH5i4b9RQAMe 3va89LKVh6JZZoQpoHcz5KD0Kw== X-Google-Smtp-Source: ADFU+vuKz5FLrd/n++22UcE/kf4ftn3gYQmH2FDL1/qqMttDY074nJOuzLStkZh5VaZoPZM9xVSjkg== X-Received: by 2002:a17:90a:3783:: with SMTP id v3mr1135572pjb.31.1585243134014; Thu, 26 Mar 2020 10:18:54 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id m68sm6263454pjb.0.2020.03.26.10.18.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Mar 2020 10:18:53 -0700 (PDT) Date: Thu, 26 Mar 2020 10:18:51 -0700 From: Kees Cook To: Jann Horn Cc: "Reshetova, Elena" , Thomas Gleixner , the arch/x86 maintainers , Andy Lutomirski , Peter Zijlstra , Catalin Marinas , Will Deacon , Mark Rutland , Alexander Potapenko , Ard Biesheuvel , Kernel Hardening , "linux-arm-kernel@lists.infradead.org" , Linux-MM , kernel list Subject: Re: [PATCH v2 0/5] Optionally randomize kernel stack offset each syscall Message-ID: <202003260932.510967DD@keescook> References: <20200324203231.64324-1-keescook@chromium.org> <202003241604.7269C810B@keescook> <202003251322.180F2536E@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 26, 2020 at 12:20:19AM +0100, Jann Horn wrote: > On Wed, Mar 25, 2020 at 9:27 PM Kees Cook wrote: > > On Wed, Mar 25, 2020 at 12:15:12PM +0000, Reshetova, Elena wrote: > > > > > Also, are you sure that it isn't possible to make the syscall that > > > > > leaked its stack pointer never return to userspace (via ptrace or > > > > > SIGSTOP or something like that), and therefore never realign its > > > > > stack, while keeping some controlled data present on the syscall's > > > > > stack? > > > > > > How would you reliably detect that a stack pointer has been leaked > > > to userspace while it has been in a syscall? Does not seem to be a trivial > > > task to me. > > > > Well, my expectation is that folks using this defense are also using > > panic_on_warn sysctl, etc, so attackers don't get a chance to actually > > _use_ register values spilled to dmesg. > > Uh... I thought that thing was exclusively for stuff like syzkaller, > because nuking the entire system because of a WARN is far too > excessive? WARNs should be safe to add almost anywhere in the kernel, > so that developers can put their assumptions about system behavior > into code without having to worry about bringing down the entire > system if that assumption turns out to have been false in some > harmless edgecase. So, I'm caught in a tight spot between Linus's deprecation of BUG()[1], and the desire for high-sensitivity security-oriented system builders to have a "completely stop running that kernel thread" option. Linus's entirely reasonable observation that BUG() destabilizes the kernel more often than it doesn't means there isn't actually a safe "stop that kernel thread" option, especially since many mitigations that detect badness span a spectrum of "stops the badness before it happens" (e.g. NX memory) to "I see badness has already happened" (e.g. stack protector). As a result, the only way to provide a way for the security-prioritized users is to downgrade corruptions to DoSes via panic(). I wish there was a magic way to have a perfect kernel state unwinder to get us the BUG() we wanted it to be, but given the kernel's complexity, it doesn't exist (and is unlikely to be worth developing). Right now, we either get "WARN() and keep going as best we can" or we get "WARN() and panic". And with regard to "WARNs should be safe to add", yes, that's generally true, but the goal is to not make them reachable from userspace because of this need to be able to "upgrade" them to panic(). I have tried to document[1] this: Note that the WARN()-family should only be used for "expected to be unreachable" situations. If you want to warn about "reachable but undesirable" situations, please use the pr_warn()-family of functions. System owners may have set the *panic_on_warn* sysctl, to make sure their systems do not continue running in the face of "unreachable" conditions. (For example, see commits like `this one `_.) [1] https://lore.kernel.org/lkml/202003141524.59C619B51A@keescook/ > Also, there are other places that dump register state. In particular > the soft lockup detection, which you can IIRC easily trip even > accidentally if you play around with stuff like FUSE filesystems, or > if a disk becomes unresponsive. Sure, *theoretically* you can also set > the "panic on soft lockup" flag, but that seems like a really terrible > idea to me. I understand your general objection to non-deterministic defenses, as there will always be ways to weaken them, but I don't think that's reason enough to not have them. I prefer to look at mitigations as a spectrum, and to recognize that some are more effective with certain system configurations. They become tools to choose from when building defense in depth. > As far as I can tell, the only clean way to fix this is to tell > distros that give non-root users access to dmesg (Ubuntu in > particular) that they have to stop doing that. E.g. Debian seems to > get by just fine with root-restricted dmesg. Totally agreed about that. Ubuntu may be hard to convince as one of their design principles has been to make the first user able to use the system completely with as little interruption as possible. (e.g. pop-up confirmation dialogs are strongly discouraged, etc.) So, for this series, I think the benefit-to-complexity value is high. It's a simple solution even if it's not perfect (most things can't be given the existing kernel design trade-offs). -Kees -- Kees Cook