Received: by 10.223.185.116 with SMTP id b49csp8737630wrg; Fri, 2 Mar 2018 07:07:58 -0800 (PST) X-Google-Smtp-Source: AG47ELtCmVGtG61Ri9VaAE5WNPxq/ysSka15KE3z4iS4+JeuB0zPjnKax5GebKe7rQKtHgfYcuEf X-Received: by 2002:a17:902:7046:: with SMTP id h6-v6mr5286557plt.301.1520003278698; Fri, 02 Mar 2018 07:07:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520003278; cv=none; d=google.com; s=arc-20160816; b=hO/lIyVfxlOjSqFwckZL+KVFriqSRLRkyr+wnf7fykdBT2CxhNvULkyBhpcPLwokmS 9mDsa1UKCBzo3d2tcqq0SvdIAwTWfYZmZzIPrsOulbucQBxHzHVdUCVq77sSrluaKck1 cSzZG/9EQfEJifIT+p1nzerb3bV4/SzRmWvAGADPg+v9BFtkKkpfLK2GyIdqmChYlm6K tdiYmn/9OjewTy0beOv3Wv+fLqCLacgVCmiaqRhGpS4ka5day/DiV463Mm0me3CemtJF JcpTWpbNRmRnzfDrpCOh07GaRCiz7bi4y7WiX9iXAAsrWhneST/MMAYVfxR8a/e8R81e Ttsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:cc:references:to:subject:reply-to :arc-authentication-results; bh=UL/ugZxV1QhAkzEMnKwNL0Vi1KZN/dMJx8o+0I8WOJg=; b=G4DMgRlccyIJQPf23q3PylbmoPkBIB7GQmohN+TEo/g+r9cB/JRH+NsoPUoHgH4rEY ZYvXJFiKIuWyUJcMFi73O0gqJL5GLoV4KLnBhXzQze9uN6t+vfGaZ1nY6IkNT5rnsQWT gTy/3BvWqUYNpitzu2mWbZVuf57tFqvtVrUWh8/AF0Pi0JiJXdM9nQoPaHVdZIPP2mom 3IuqmtzPVD/daJGUjy2hifOJGjb9Fcz4hvOw4JhvAGNVlFljbG3p93Muc/UFiMnkmJ1k CKkQAoaSrKz6cJMzunSABJ53+dG4AwHJk5ByANpL41StLZPbnp9kOrJvWKXDMXUZ13hw b6HA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i189si4132047pgc.505.2018.03.02.07.07.43; Fri, 02 Mar 2018 07:07:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1427000AbeCBLOo (ORCPT + 99 others); Fri, 2 Mar 2018 06:14:44 -0500 Received: from mail-lf0-f66.google.com ([209.85.215.66]:36872 "EHLO mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1423411AbeCBLOk (ORCPT ); Fri, 2 Mar 2018 06:14:40 -0500 Received: by mail-lf0-f66.google.com with SMTP id y19so12828274lfd.4 for ; Fri, 02 Mar 2018 03:14:39 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:to:references:cc:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=UL/ugZxV1QhAkzEMnKwNL0Vi1KZN/dMJx8o+0I8WOJg=; b=opaRL1oxuHwCZg0Bm6n/YfIl//KJn98VAQMVomUMvRjUdaCJiXJPQ51TdFKQgBsilb b5zBJhQTRKVw9bj3YDasfhZW+Uf7hv30xVSu2hM4L86tQqb74JknpR8JEY/UpoX3ydGC 5d7BrDQF/LuAoG4DzZQfw06HKo/7SItw9fDouUjBpkFUrVX4Ql8yqoEYZfsj8v3MijII r3QX3nJx6jXM/nxsmfEM0b9j1LZ1YmqEQJyh01XWk8YOOb4Pn8fTE4BZq2aDNiMoEu7f zas5DIOUZHgCHdFXDYhp0bEXl0d5LJCDtqludcFp//DnzmHyItMSADTUOxU9I0SoJFQV 0Kjg== X-Gm-Message-State: APf1xPCV8pcL4D/FL4oAzwigtiSooCILDY1+zcDe4/DIHQdTQZP1kQwV FvWA29BjmOx3AwvhdzIytUU= X-Received: by 10.46.76.25 with SMTP id z25mr3842543lja.148.1519989279186; Fri, 02 Mar 2018 03:14:39 -0800 (PST) Received: from [192.168.42.179] ([213.87.152.86]) by smtp.gmail.com with ESMTPSA id h11sm1285299lfd.88.2018.03.02.03.14.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Mar 2018 03:14:38 -0800 (PST) Reply-To: alex.popov@linux.com Subject: Re: [PATCH 1/2] stackleak: Update for arm64 To: Will Deacon , Laura Abbott , Kees Cook , Mark Rutland , Ard Biesheuvel , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, richard.sandiford@arm.com References: <20180221011303.20392-1-labbott@redhat.com> <20180221011303.20392-2-labbott@redhat.com> <20180222165834.GC18421@arm.com> <97090ca6-efad-7c03-6084-a97674ae61c7@linux.com> <874lm2d96q.fsf@e105548-lin.cambridge.arm.com> <5d10c6ad-b4b6-eb27-79f0-ca235b73e7eb@linux.com> <87woywxezi.fsf@e105548-lin.cambridge.arm.com> Cc: PaX Team From: Alexander Popov Message-ID: Date: Fri, 2 Mar 2018 14:14:36 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <87woywxezi.fsf@e105548-lin.cambridge.arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Thanks for your reply, Richard! On 01.03.2018 13:33, Richard Sandiford wrote: > Alexander Popov writes: >> On 27.02.2018 13:21, Richard Sandiford wrote: >>> Alexander Popov writes: >>>> Would you be so kind to take a look at the whole STACKLEAK plugin? >>>> http://www.openwall.com/lists/kernel-hardening/2018/02/16/4 >>>> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=kspp/gcc-plugin/stackleak&id=57a0a6763b12e82dd462593d0f42be610e93cdc9 >>>> >>>> It's not very big. I documented it in detail. I would be really >>>> grateful for the >>>> review! >>> >>> Looks good to me FWIW. Just a couple of minor things: >>> >>>> + /* >>>> + * 1. Loop through the GIMPLE statements in each of cfun basic blocks. >>>> + * cfun is a global variable which represents the function that is >>>> + * currently processed. >>>> + */ >>>> + FOR_EACH_BB_FN(bb, cfun) { >>>> + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { >>>> + gimple stmt; >>>> + >>>> + stmt = gsi_stmt(gsi); >>>> + >>>> + /* Leaf function is a function which makes no calls */ >>>> + if (is_gimple_call(stmt)) >>>> + is_leaf = false; >>> >>> It's probably not going to matter in practice, but it might be worth >>> emphasising in the comments that this leafness is only approximate. >> >> That's important, thank you! May I ask why you think it's not going to matter in >> practice? > > I just thought the kind of calls it misses are going to have very > shallow frames, but from what you said later I guess that isn't the > point. It also might be a bit too hand-wavy for something like this :-) > >>> It will sometimes be a false positive, because we could still >>> end up creating calls to libgcc functions from non-call statements >>> (or for target-specific reasons). It can also be a false negative, >>> since call statements can be to built-in or internal functions that >>> end up being open-coded. >> >> Oh, that raises the question: how does this leafness inaccuracy affect in my >> particular case? >> >> is_leaf is currently used for finding the special cases to skip the >> track_stack() call insertion: >> >> /* >> * Special cases to skip the instrumentation. >> * >> * Taking the address of static inline functions materializes them, >> * but we mustn't instrument some of them as the resulting stack >> * alignment required by the function call ABI will break other >> * assumptions regarding the expected (but not otherwise enforced) >> * register clobbering ABI. >> * >> * Case in point: native_save_fl on amd64 when optimized for size >> * clobbers rdx if it were instrumented here. >> * >> * TODO: any more special cases? >> */ >> if (is_leaf && >> !TREE_PUBLIC(current_function_decl) && >> DECL_DECLARED_INLINE_P(current_function_decl)) { >> return 0; >> } >> >> >> And now it seems to me that the stackleak plugin should not instrument all >> static inline functions, regardless of is_leaf. Do you agree? > > OK. I'd missed that this was just a heuristic to detect certain kinds > of linux function, so it's probably fine as it is. > > Not sure whether it's safe to punt for general static inline functions. > E.g. couldn't you have a static inline function that just provides a > more convenient interface to another function? But I guess it's a > linux-specific heuristic, so I can't really say. Huh, I got the insight! I think that the current approach (originally by PaX Team) should work fine despite the false positives which you described: If some static inline function already does explicit calls (so is_leaf is false), adding the track_stack() call will not introduce anything special that can break the aforementioned register clobbering ABI in that function. Does it sound reasonable? However, I don't know what to with false negatives. > TBH the paravirt save_fl stuff seems like dancing on the edge, > but that's another story. :-) That's interesting. Could you elaborate on that? >>>> + /* >>>> + * The stackleak_final pass should be executed before the "final" pass, >>>> + * which turns the RTL (Register Transfer Language) into assembly. >>>> + */ >>>> + PASS_INFO(stackleak_final, "final", 1, PASS_POS_INSERT_BEFORE); >>> >>> This might be too late, since it happens e.g. after addresses have >>> been calculated for branch ranges, and after machine-specific passes >>> (e.g. bundling on ia64). >>> >>> The stack size is final after reload, so inserting the pass after that >>> might be better. >> >> Thanks for that notice. May I ask for the additional clarification? >> >> I specified -fdump-passes and see a lot of passes between reload and final: ... >> >> Where exactly would you recommend me to insert the stackleak_final pass, which >> removes the unneeded track_stack() calls? > > Directly after rtl-reload seems best. That's the first point at which > the frame size is final, and reload is one of the few rtl passes that > always runs. Doing it there could also help with things like shrink > wrapping (part of rtl-pro_and_epilogue). Thanks a lot for your detailed answer. I'll follow your advice in the next version of the patch series. Best regards, Alexander