linux-kernel.vger.kernel.org archive mirror
From: Kees Cook <keescook@chromium.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Christoph Hellwig <hch@infradead.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jann Horn <jannh@google.com>, Eric Biggers <ebiggers3@gmail.com>,
	Elena Reshetova <elena.reshetova@intel.com>,
	Hans Liljestrand <ishkamiel@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
	Manfred Spraul <manfred@colorfullife.com>,
	"axboe@kernel.dk" <axboe@kernel.dk>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	"x86@kernel.org" <x86@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
	"David S. Miller" <davem@davemloft.net>,
	Rik van Riel <riel@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v6 2/2] x86/refcount: Implement fast refcount overflow protection
Date: Wed, 19 Jul 2017 15:50:14 -0700
Message-ID: <CAGXu5j+zeCU083g6fDEcXM-CYEHYfbkd1cbWoUTJP_0WtyYRpA@mail.gmail.com>
In-Reply-To: <20170719195249.akr6m2x65mhtsyvf@treble>

On Wed, Jul 19, 2017 at 12:52 PM, Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> On Wed, Jul 19, 2017 at 12:45:19PM -0700, Kees Cook wrote:
>> > diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h
>> > index 13b91e850a02..e7587db3487c 100644
>> > --- a/arch/x86/include/asm/refcount.h
>> > +++ b/arch/x86/include/asm/refcount.h
>> > @@ -15,6 +15,7 @@
>> >         ".pushsection .text.unlikely\n"                 \
>> >         "111:\tlea %[counter], %%" _ASM_CX "\n"         \
>> >         "112:\t" ASM_UD0 "\n"                           \
>> > +       ASM_UNREACHABLE                                 \
>> >         ".popsection\n"                                 \
>> >         "113:\n"                                        \
>> >         _ASM_EXTABLE_REFCOUNT(112b, 113b)
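
Review bot: ASM_UNREACHABLE after the "112:" ASM_UD0 line is used here unconditionally, but the only definition visible in this patch sits under #ifdef CONFIG_STACK_VALIDATION in compiler-gcc.h. This header needs the macro to expand to an empty string when stack validation is off and when a different compiler header is in use, otherwise the asm template will not build. Defining the fallback once in compiler.h (for example under #ifndef ASM_UNREACHABLE) would cover both cases.
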
>> > diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
>> > index cd4bbe8242bd..85e0b8f42ca0 100644
>> > --- a/include/linux/compiler-gcc.h
>> > +++ b/include/linux/compiler-gcc.h
>> > @@ -202,15 +202,25 @@
>> >  #endif
>> >
>> >  #ifdef CONFIG_STACK_VALIDATION
>> > +
>> >  #define annotate_unreachable() ({                                      \
>> >         asm("%c0:\t\n"                                                  \
>> > -           ".pushsection .discard.unreachable\t\n"                     \
>> > -           ".long %c0b - .\t\n"                                        \
>> > -           ".popsection\t\n" : : "i" (__LINE__));                      \
>> > +           ".pushsection .discard.unreachable\n\t"                     \
>> > +           ".long %c0b - .\n\t"                                        \
>> > +           ".popsection\n\t" : : "i" (__LINE__));                      \
>>
>> Is this just an indentation change?
>
> This was sneaking in a fix to put the tab after the newline instead of
> before it.  I figured it's not worth its own commit.

Ah! Now I see it. Gotcha.

>> >  })
>> > +
>> > +#define ASM_UNREACHABLE                                                        \
>> > +       "999: .pushsection .discard.unreachable\n\t"                    \
>> > +       ".long 999b - .\n\t"                                            \
>> > +       ".popsection\n\t"
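
Review bot: The new ASM_UNREACHABLE define has no comment saying that it is the string-literal form meant to be pasted into an existing asm template, as opposed to annotate_unreachable() for C code, and that it uses the fixed local label 999 where annotate_unreachable() takes its label from __LINE__. A short comment above the #define would make that clear to later users. The "\t\n" to "\n\t" change in annotate_unreachable() is unrelated to the new macro, so it deserves a line in the changelog.
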
>>
>> Just so I understand, we'll get a single byte added for each exception
>> case, but it'll get discarded during final link?
>
> I think it's four bytes actually, but yeah, the section gets stripped at
> vmlinux link time.

Right, yes.

BTW, I think this needs compiler.h coverage instead of the #else in
compiler-gcc.h (since it's different from how annotate_unreachable is
used only in compiler-gcc.h). I'll adjust.

Also, in looking at CONFIG_STACK_VALIDATION, do you want it to just
warn and skip, or do you want to error out the build if validation
isn't available but it's in the .config?

-Kees

-- 
Kees Cook
Pixel Security
