archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <>
To: Linus Torvalds <>
Cc: Linux Kernel Mailing List <>,
	Alexander Popov <>,
	Dave Hansen <>,
	Ingo Molnar <>,
	Masahiro Yamada <>,
	Thomas Gleixner <>,
	Tycho Andersen <>,
	Mark Rutland <>,
	Laura Abbott <>,
	Will Deacon <>
Subject: Re: [GIT PULL] gcc-plugin updates for v4.19-rc1
Date: Wed, 15 Aug 2018 11:35:16 -0700	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Wed, Aug 15, 2018 at 9:41 AM, Linus Torvalds
<> wrote:
> On Mon, Aug 13, 2018 at 2:43 PM Kees Cook <> wrote:
>> Please pull these gcc-plugin changes for v4.19-rc1.
> No.
> It adds yet another BUG_ON() without having been merged.
> I'm not pulling this. Dammit, have you learnt *nothing*?

I swear I'm doing my best. Are you speaking of
stackleak_check_alloca() or stackleak_erase()? These were both
discussed on the list, and we weren't able to come up with
alternatives: in both cases we're off the stack, and recovery is
seemingly impossible. What would you prefer in these cases? If I need
to take a hard line of "never BUG", how do I handle legitimate system
corruption? (i.e. I have interpreted this as different from narrowing
copy_*_user() usage: if we let execution continue, we'll just crash
somewhere else with likely less information on how to handle it.)

> I'm, disappointed in the whole feature, but I'm also tired of having
> to go and even look for these things.

I am trying to make these patches easier to review. I even made sure
to get Ingo's Ack and Alexander implemented additional features Ingo
suggested, before sending them your way, as Ingo has a very
conservative eye on.

> Then actually *finding* them makes me just pissed off.

I'm sorry we've disappointed you. I've been pushing back on patches
that use BUG (with, I think, good success), but there are cases where
our imagination fails us.

I'd really like to find a way for this plugin to be acceptable, given
the coverage is provides. Even if we solve stack initialization and
finish VLA removal, we still would benefit from something doing
post-syscall stack poisoning just to keep future cache attacks against
the stack minimized.

In the meantime, I will send the gcc-plugin cleanups separately...


Kees Cook
Pixel Security

  reply	other threads:[~2018-08-15 18:35 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-13 21:43 [GIT PULL] gcc-plugin updates for v4.19-rc1 Kees Cook
2018-08-15 16:41 ` Linus Torvalds
2018-08-15 18:35   ` Kees Cook [this message]
2018-08-15 19:04     ` Linus Torvalds
2018-08-15 19:43       ` Alexander Popov
2018-08-15 19:45       ` Kees Cook
2018-08-15 20:18         ` Linus Torvalds
2018-08-15 20:56           ` Kees Cook
2018-08-15 21:18             ` Alexander Popov
2018-08-15 21:33               ` Linus Torvalds
2018-08-16 22:18             ` Alexander Popov
2018-08-16  9:51           ` David Laight

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='' \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).