__stack_chk_guard is setup once while init stage and never changed
after that.
Although the modification of this variable at runtime will usually
cause the kernel to crash (so dose the attacker), it should be marked
as _ro_after_init, and it should not affect performance if it is
placed in the ro_after_init section.
This should also be the case on the ARM platform, or am I missing
something?
Signed-off-by: Dan Li <[email protected]>
---
arch/arm64/kernel/process.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index c8989b9..c858b85 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -60,7 +60,7 @@
#if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
#include <linux/stackprotector.h>
-unsigned long __stack_chk_guard __read_mostly;
+unsigned long __stack_chk_guard __ro_after_init;
EXPORT_SYMBOL(__stack_chk_guard);
#endif
--
2.7.4
On Tue, Sep 14, 2021 at 05:44:02PM +0800, Dan Li wrote:
> __stack_chk_guard is setup once while init stage and never changed
> after that.
>
> Although the modification of this variable at runtime will usually
> cause the kernel to crash (so dose the attacker), it should be marked
> as _ro_after_init, and it should not affect performance if it is
> placed in the ro_after_init section.
>
> This should also be the case on the ARM platform, or am I missing
> something?
I don't see why it can't be - we only write to it in
boot_init_stack_canary(), same as ARM64.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
On Tue, Sep 14, 2021 at 05:44:02PM +0800, Dan Li wrote:
> __stack_chk_guard is setup once while init stage and never changed
> after that.
>
> Although the modification of this variable at runtime will usually
> cause the kernel to crash (so dose the attacker), it should be marked
> as _ro_after_init, and it should not affect performance if it is
> placed in the ro_after_init section.
>
> This should also be the case on the ARM platform, or am I missing
> something?
>
> Signed-off-by: Dan Li <[email protected]>
FWIW, this makes sense to me:
Acked-by: Mark Rutland <[email protected]>
Looking at the history, this was added to arm64 in commit:
c0c264ae5112d1cd ("arm64: Add CONFIG_CC_STACKPROTECTOR")
... whereas __ro_after_init was introduced around 2 years later in
commit:
c74ba8b3480da6dd ("arch: Introduce post-init read-only memory")
... so we weren't deliberately avoiding __ro_after_init, and there are
probably a significant number of other variables we could apply it to.
Mark.
> ---
> arch/arm64/kernel/process.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> index c8989b9..c858b85 100644
> --- a/arch/arm64/kernel/process.c
> +++ b/arch/arm64/kernel/process.c
> @@ -60,7 +60,7 @@
>
> #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
> #include <linux/stackprotector.h>
> -unsigned long __stack_chk_guard __read_mostly;
> +unsigned long __stack_chk_guard __ro_after_init;
> EXPORT_SYMBOL(__stack_chk_guard);
> #endif
>
> --
> 2.7.4
>
Hi King, Rutland:
Thanks for the reply and let me understand the reason here.
Then may I first submit a patch to modify the attributes of
__stack_chk_guard of the arm/aarch64 platform?
On 9/14/21 6:17 PM, Mark Rutland wrote:
> On Tue, Sep 14, 2021 at 05:44:02PM +0800, Dan Li wrote:
>> __stack_chk_guard is setup once while init stage and never changed
>> after that.
>>
>> Although the modification of this variable at runtime will usually
>> cause the kernel to crash (so dose the attacker), it should be marked
>> as _ro_after_init, and it should not affect performance if it is
>> placed in the ro_after_init section.
>>
>> This should also be the case on the ARM platform, or am I missing
>> something?
>>
>> Signed-off-by: Dan Li <[email protected]>
>
> FWIW, this makes sense to me:
>
> Acked-by: Mark Rutland <[email protected]>
>
> Looking at the history, this was added to arm64 in commit:
>
> c0c264ae5112d1cd ("arm64: Add CONFIG_CC_STACKPROTECTOR")
>
> ... whereas __ro_after_init was introduced around 2 years later in
> commit:
>
> c74ba8b3480da6dd ("arch: Introduce post-init read-only memory")
>
> ... so we weren't deliberately avoiding __ro_after_init, and there are
> probably a significant number of other variables we could apply it to.
>
> Mark.
>
>> ---
>> arch/arm64/kernel/process.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
>> index c8989b9..c858b85 100644
>> --- a/arch/arm64/kernel/process.c
>> +++ b/arch/arm64/kernel/process.c
>> @@ -60,7 +60,7 @@
>>
>> #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
>> #include <linux/stackprotector.h>
>> -unsigned long __stack_chk_guard __read_mostly;
>> +unsigned long __stack_chk_guard __ro_after_init;
>> EXPORT_SYMBOL(__stack_chk_guard);
>> #endif
>>
>> --
>> 2.7.4
>>
On Wed, Sep 15, 2021 at 09:57:14AM +0800, ashimida wrote:
> Hi King, Rutland:
>
> Thanks for the reply and let me understand the reason here.
>
> Then may I first submit a patch to modify the attributes of
> __stack_chk_guard of the arm/aarch64 platform?
This patch looks fine as-is (hence the Acked-by). Doing the same for
arch/arm makes sense, but that should be a separate patch.
I was suggesting that in future we should probably do the same in more
places, not that you need to do so now.
Thanks,
Mark.
>
> On 9/14/21 6:17 PM, Mark Rutland wrote:
> > On Tue, Sep 14, 2021 at 05:44:02PM +0800, Dan Li wrote:
> > > __stack_chk_guard is setup once while init stage and never changed
> > > after that.
> > >
> > > Although the modification of this variable at runtime will usually
> > > cause the kernel to crash (so dose the attacker), it should be marked
> > > as _ro_after_init, and it should not affect performance if it is
> > > placed in the ro_after_init section.
> > >
> > > This should also be the case on the ARM platform, or am I missing
> > > something?
> > >
> > > Signed-off-by: Dan Li <[email protected]>
> >
> > FWIW, this makes sense to me:
> >
> > Acked-by: Mark Rutland <[email protected]>
> >
> > Looking at the history, this was added to arm64 in commit:
> >
> > c0c264ae5112d1cd ("arm64: Add CONFIG_CC_STACKPROTECTOR")
> >
> > ... whereas __ro_after_init was introduced around 2 years later in
> > commit:
> >
> > c74ba8b3480da6dd ("arch: Introduce post-init read-only memory")
> >
> > ... so we weren't deliberately avoiding __ro_after_init, and there are
> > probably a significant number of other variables we could apply it to.
> >
> > Mark.
> >
> > > ---
> > > arch/arm64/kernel/process.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> > > index c8989b9..c858b85 100644
> > > --- a/arch/arm64/kernel/process.c
> > > +++ b/arch/arm64/kernel/process.c
> > > @@ -60,7 +60,7 @@
> > > #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
> > > #include <linux/stackprotector.h>
> > > -unsigned long __stack_chk_guard __read_mostly;
> > > +unsigned long __stack_chk_guard __ro_after_init;
> > > EXPORT_SYMBOL(__stack_chk_guard);
> > > #endif
> > > --
> > > 2.7.4
> > >
Fine, I got it, thanks for reply.
On 9/15/21 5:19 PM, Mark Rutland wrote:
> On Wed, Sep 15, 2021 at 09:57:14AM +0800, ashimida wrote:
>> Hi King, Rutland:
>>
>> Thanks for the reply and let me understand the reason here.
>>
>> Then may I first submit a patch to modify the attributes of
>> __stack_chk_guard of the arm/aarch64 platform?
>
> This patch looks fine as-is (hence the Acked-by). Doing the same for
> arch/arm makes sense, but that should be a separate patch.
>
> I was suggesting that in future we should probably do the same in more
> places, not that you need to do so now.
>
> Thanks,
> Mark.
>
On Tue, 14 Sep 2021 17:44:02 +0800, Dan Li wrote:
> __stack_chk_guard is setup once while init stage and never changed
> after that.
>
> Although the modification of this variable at runtime will usually
> cause the kernel to crash (so dose the attacker), it should be marked
> as _ro_after_init, and it should not affect performance if it is
> placed in the ro_after_init section.
>
> [...]
Applied to arm64 (for-next/fixes), thanks!
[1/1] arm64:Mark __stack_chk_guard as __ro_after_init
https://git.kernel.org/arm64/c/9fcb2e93f41c
--
Catalin