Received: by 10.223.176.46 with SMTP id f43csp1421270wra;
        Fri, 19 Jan 2018 11:17:00 -0800 (PST)
X-Google-Smtp-Source: ACJfBot0/UByHQpaFt0OjVzNuJzvKCV+72mJ3mkrLfJJzHu2ZtnXTOjYgCD3KZ/B/u2nHxUYd5KR
X-Received: by 2002:a17:902:9343:: with SMTP id g3-v6mr2127783plp.319.1516389420870;
        Fri, 19 Jan 2018 11:17:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516389420; cv=none;
        d=google.com; s=arc-20160816;
        b=RPt7kqwl94MGnCAn7HsR7JfNYDQOgJaavYOs6TvDBYlNHwtHSsKYmYvjQs+fCRiYfV
         8L8iiIeq77G9aqge+cHwC9ZXvHu5Nzy8socW8g7em/iNtJowGDc5vloVFdNDPYJQWN9r
         zRa+CbewFeBHG6aAG0RJQTWaG1rQhqGsvheHp/ketMrLUOgKzJWGrV9pvJ9T4oKONVyJ
         tuD4DGEuRAqsqhMUrFr0AGsim8Oe9lAPLH/1naQqTREwU0CFKsSGaq26MBj7vSG8WXE4
         Ayg2tyLoPqoOc+z2/LAde6NLJlr+0VkPM9AbFmTWNj/c+Xg+c2h6xJ8/vddxTdQ1P71S
         B8vQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=Qyem+ClXWfVFqPUBmcTnt/sMrYJtX7aD2njvc6Wu/9s=;
        b=RavRa3l3S5G82gQ/Gnfn0lUlsr+X2c8n4DACXDA12wtaBEk/5qVWw+C4L8mK4XWapC
         osCfENz0ngpAV1ZOK5rAKnRAAIVGIdAd58rc01Z8l7CtxjMXbBdskwx8LuPH+bgZdGaJ
         aLN23qdDHSv/kU6UNRDH0wRlqzX/BGR44bBzHsbTmYF5BgK7E7QHRINMKJ1luAMbJSdd
         TewOi9O65WbhJXM0C/KM6scjz8E9vaWC3X4ji8O0HIoIX3fKRLTD/lqfHy4Yh4vViGUg
         CjgGFme5TymXxicfW/k5mY0PaOOQY+8zAo93K4/vei9SE2tx5riTPnKw4SRpLDrABex2
         hREg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q7si8521113pgt.517.2018.01.19.11.16.45;
        Fri, 19 Jan 2018 11:17:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756226AbeASTQN (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 19 Jan 2018 14:16:13 -0500
Received: from mail-ot0-f174.google.com ([74.125.82.174]:44909 "EHLO
        mail-ot0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755899AbeASTQI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Jan 2018 14:16:08 -0500
Received: by mail-ot0-f174.google.com with SMTP id t20so2282924ote.11
        for <linux-kernel@vger.kernel.org>; Fri, 19 Jan 2018 11:16:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=Qyem+ClXWfVFqPUBmcTnt/sMrYJtX7aD2njvc6Wu/9s=;
        b=nGq4aYs9BMy9Y/itqDlbiEU54gyH1/vBk0nWF/Rl7BZNnMbyv727/TdYvQkfs0o4wn
         XkeyYsuBW3jWVD2pFkIKz0FYR+EW4K1VeNzmLo//8mjWM/t0/Kcaal4SnnpvD4psVTcP
         gQE3GIYfDW5EIcuYnC7VUH7IopRsVB8rHSRS/WJnBI26VKClT2Qlk6zA87n4wJuHC9QO
         78TUrdrY0rSQ6gO4SBCH++P2+GE/iFE3yTO4uu5pEZzzGs+q0Ha6lDxxa+RCFn3p06mv
         tT65CU+EVsbKi8vH+nLQkNMICpi2Psk+mcDD0Z54pCCGnAY5pSiIuW/pZKQ8PexTCFoV
         RS0Q==
X-Gm-Message-State: AKwxytetZwSpkA9L6BMX992wtXrpTLEr1eVrstQDRjfMqAKvHAL+nmW9
        lFKfO0SuAyXNSBy0sDZAt4Se3Q==
X-Received: by 10.157.85.167 with SMTP id m36mr6640309oth.251.1516389368143;
        Fri, 19 Jan 2018 11:16:08 -0800 (PST)
Received: from ?IPv6:2601:602:9802:a8dc::89e6? ([2601:602:9802:a8dc::89e6])
        by smtp.gmail.com with ESMTPSA id g9sm1801944otc.51.2018.01.19.11.16.05
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 19 Jan 2018 11:16:06 -0800 (PST)
Subject: Re: [PATCH] fork: Allow stack to be wiped on fork
To:     Michal Hocko <mhocko@kernel.org>, Kees Cook <keescook@chromium.org>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>,
        Jann Horn <jannh@google.com>, Ingo Molnar <mingo@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Sahara <keun-o.park@darkmatter.ae>,
        "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
References: <20180117055015.GA15256@beast>
 <20180117091729.GB2900@dhcp22.suse.cz>
From:   Laura Abbott <labbott@redhat.com>
Message-ID: <ac52fecf-99f7-3b29-ff7f-912b495e9c91@redhat.com>
Date:   Fri, 19 Jan 2018 11:16:04 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <20180117091729.GB2900@dhcp22.suse.cz>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/17/2018 01:17 AM, Michal Hocko wrote:
> On Tue 16-01-18 21:50:15, Kees Cook wrote:
>> One of the classes of kernel stack content leaks is exposing the contents
>> of prior heap or stack contents when a new process stack is allocated.
>> Normally, those stacks are not zeroed, and the old contents remain in
>> place. With some types of stack content exposure flaws, those contents
>> can leak to userspace. Kernels built with CONFIG_CLEAR_STACK_FORK will
>> no longer be vulnerable to this, as the stack will be wiped each time
>> a stack is assigned to a new process. There's not a meaningful change
>> in runtime performance; it almost looks like it provides a benefit.
> 
> Have you tried something as simple as /bin/true in a loop. kbuild will
> certainly amortize few cycles for the clearing and I would expect, most
> reasonable applications would do as well. But it would be better to know
> the worst case scenario IMHO.
> 

I tried /bin/true in a loop in my QEMU setup and didn't see a difference
there.

>> Performing back-to-back kernel builds before:
>> 	Run times: 157.86 157.09 158.90 160.94 160.80
>> 	Mean: 159.12
>> 	Std Dev: 1.54
>>
>> With CONFIG_CLEAR_STACK_FORK=y:
>> 	Run times: 159.31 157.34 156.71 158.15 160.81
>> 	Mean: 158.46
>> 	Std Dev: 1.46
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> The change seems reasonable to me. Although it would be better to extend
> on the types of attacks this prevents from, with some examples ideally.
> How many attacks of that kind we had in the past and how often they
> appear. That might help people to decide whether to deserve few cycles
> on each fork. Also the config option sounds rather limiting. Consider
> distros, should they enable it just to be on the safe side? This is kind
> of generic concern with other hardening options though.
> 

Agreed this could use a few more words, but it looks good to me overall.

Thanks,
Laura