From: Alexander Popov <alex.popov@linux.com>
To: kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Ingo Molnar <mingo@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S . Miller" <davem@davemloft.net>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
Florian Weimer <fweimer@redhat.com>,
Boris Lukashev <blukashev@sempervictus.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
alex.popov@linux.com
Subject: [PATCH v11 6/6] doc: self-protection: Add information about STACKLEAK feature
Date: Fri, 6 Apr 2018 17:22:26 +0300 [thread overview]
Message-ID: <1523024546-6150-7-git-send-email-alex.popov@linux.com> (raw)
In-Reply-To: <1523024546-6150-1-git-send-email-alex.popov@linux.com>
Add information about STACKLEAK feature to "Stack depth overflow" and
"Memory poisoning" sections of self-protection.rst.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
---
Documentation/security/self-protection.rst | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
index 0f53826..b685f18 100644
--- a/Documentation/security/self-protection.rst
+++ b/Documentation/security/self-protection.rst
@@ -165,10 +165,15 @@ Stack depth overflow
A less well understood attack is using a bug that triggers the
kernel to consume stack memory with deep function calls or large stack
allocations. With this attack it is possible to write beyond the end of
-the kernel's preallocated stack space and into sensitive structures. Two
-important changes need to be made for better protections: moving the
-sensitive thread_info structure elsewhere, and adding a faulting memory
-hole at the bottom of the stack to catch these overflows.
+the kernel's preallocated stack space and into sensitive structures.
+The combination of the following measures gives better protection:
+
+* moving the sensitive thread_info structure off the stack
+ (``CONFIG_THREAD_INFO_IN_TASK``);
+* adding a faulting memory hole at the bottom of the stack to catch
+ these overflows (``CONFIG_VMAP_STACK``);
+* runtime checking that alloca() calls don't overstep the stack boundary
+ (``CONFIG_GCC_PLUGIN_STACKLEAK``).
Heap memory integrity
---------------------
@@ -302,11 +307,11 @@ sure structure holes are cleared.
Memory poisoning
----------------
-When releasing memory, it is best to poison the contents (clear stack on
-syscall return, wipe heap memory on a free), to avoid reuse attacks that
-rely on the old contents of memory. This frustrates many uninitialized
-variable attacks, stack content exposures, heap content exposures, and
-use-after-free attacks.
+When releasing memory, it is best to poison the contents, to avoid reuse
+attacks that rely on the old contents of memory. E.g., clear stack on a
+syscall return (``CONFIG_GCC_PLUGIN_STACKLEAK``), wipe heap memory on a
+free. This frustrates many uninitialized variable attacks, stack content
+exposures, heap content exposures, and use-after-free attacks.
Destination tracking
--------------------
--
2.7.4
next prev parent reply other threads:[~2018-04-06 14:22 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-06 14:22 [PATCH v11 0/6] Introduce the STACKLEAK feature and a test for it Alexander Popov
2018-04-06 14:22 ` [PATCH v11 1/6] gcc-plugins: Clean up the cgraph_create_edge* macros Alexander Popov
2018-04-06 14:22 ` [PATCH v11 2/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2018-04-16 18:29 ` Kees Cook
2018-04-18 18:33 ` Laura Abbott
2018-04-18 18:50 ` Dave Hansen
2018-04-24 1:03 ` Kees Cook
2018-04-24 4:23 ` Dave Hansen
2018-04-30 23:48 ` Kees Cook
2018-05-02 8:42 ` Thomas Gleixner
2018-05-02 12:38 ` Kees Cook
2018-05-02 12:39 ` Thomas Gleixner
2018-05-02 12:51 ` Kees Cook
2018-05-02 21:02 ` Kees Cook
2018-05-06 10:04 ` Thomas Gleixner
2018-04-06 14:22 ` [PATCH v11 3/6] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2018-04-06 14:22 ` [PATCH v11 4/6] lkdtm: Add a test for STACKLEAK Alexander Popov
2018-04-06 14:22 ` [PATCH v11 5/6] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2018-04-06 14:22 ` Alexander Popov [this message]
2018-05-02 20:33 ` [PATCH 0/2] Stackleak for arm64 Laura Abbott
2018-05-02 20:33 ` Laura Abbott
2018-05-02 20:33 ` [PATCH 1/2] stackleak: Update " Laura Abbott
2018-05-02 20:33 ` Laura Abbott
2018-05-02 20:33 ` [PATCH 2/2] arm64: Clear the stack Laura Abbott
2018-05-02 20:33 ` Laura Abbott
2018-05-02 21:31 ` Kees Cook
2018-05-02 21:31 ` Kees Cook
2018-05-02 23:07 ` Laura Abbott
2018-05-02 23:07 ` Laura Abbott
2018-05-02 23:37 ` Kees Cook
2018-05-02 23:37 ` Kees Cook
2018-05-03 16:05 ` Alexander Popov
2018-05-03 16:05 ` Alexander Popov
2018-05-03 16:45 ` Kees Cook
2018-05-03 16:45 ` Kees Cook
2018-05-03 7:19 ` Mark Rutland
2018-05-03 7:19 ` Mark Rutland
2018-05-03 11:37 ` Ard Biesheuvel
2018-05-03 11:37 ` Ard Biesheuvel
2018-05-03 17:33 ` Alexander Popov
2018-05-03 17:33 ` Alexander Popov
2018-05-03 19:09 ` Laura Abbott
2018-05-03 19:09 ` Laura Abbott
2018-05-04 8:30 ` Alexander Popov
2018-05-04 8:30 ` Alexander Popov
2018-05-04 11:09 ` Mark Rutland
2018-05-04 11:09 ` Mark Rutland
2018-05-06 8:22 ` Alexander Popov
2018-05-06 8:22 ` Alexander Popov
2018-05-11 15:50 ` Alexander Popov
2018-05-11 15:50 ` Alexander Popov
2018-05-11 16:13 ` Mark Rutland
2018-05-11 16:13 ` Mark Rutland
2018-05-13 8:40 ` Alexander Popov
2018-05-13 8:40 ` Alexander Popov
2018-05-14 5:15 ` Mark Rutland
2018-05-14 5:15 ` Mark Rutland
2018-05-14 9:35 ` Alexander Popov
2018-05-14 9:35 ` Alexander Popov
2018-05-14 10:06 ` Mark Rutland
2018-05-14 10:06 ` Mark Rutland
2018-05-14 13:53 ` Alexander Popov
2018-05-14 13:53 ` Alexander Popov
2018-05-14 14:07 ` Mark Rutland
2018-05-14 14:07 ` Mark Rutland
2018-05-03 19:00 ` Laura Abbott
2018-05-03 19:00 ` Laura Abbott
2018-05-04 11:16 ` Mark Rutland
2018-05-04 11:16 ` Mark Rutland
2018-05-14 18:55 ` [PATCH v11 0/6] Introduce the STACKLEAK feature and a test for it Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1523024546-6150-7-git-send-email-alex.popov@linux.com \
--to=alex.popov@linux.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=blukashev@sempervictus.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=dsafonov@virtuozzo.com \
--cc=dwmw@amazon.co.uk \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jbacik@fb.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=labbott@redhat.com \
--cc=ldv@altlinux.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=me@kylehuey.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=minipli@googlemail.com \
--cc=npiggin@gmail.com \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=richard.sandiford@arm.com \
--cc=rostedt@goodmis.org \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=torvalds@linux-foundation.org \
--cc=tycho@tycho.ws \
--cc=vikas.shivappa@linux.intel.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.