Received: by 10.223.185.116 with SMTP id b49csp2824789wrg; Mon, 5 Mar 2018 09:14:26 -0800 (PST) X-Google-Smtp-Source: AG47ELvMB12KViv+lbO2rrfeQnpoeraXjqzeHcCJozeEEYhwaJceWHG2Sbym9YdetGeaIYHm2rZE X-Received: by 2002:a17:902:710f:: with SMTP id a15-v6mr13490491pll.87.1520270065922; Mon, 05 Mar 2018 09:14:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520270065; cv=none; d=google.com; s=arc-20160816; b=qbmXUVU93YVB6jaPFHGoH2cW9dm18uU+NlKGl1FgP0CfOOGIxeL0j9SuueeN8K//8c dVb1cDaARetE3NNNtHarkq8W/FUbnGtgGSBQsk7xewrGl6MUDppCTLMhIrL82hiwDkc9 LhbZRATU9UdC5uWkcZks1S8UQHBB1rHo4bexo/Xb/DZ21XbtWm+EGj+aLWwT1q15vq0k jXSt7P3HVHWACcWKjm+oBcEIW3wCAPmocI8vNUgwlHi4v2bdIUn0Wq8++z+UGM58eiqW qpnt69seI4WCa7nozatYGySkUKa78FARxqFIxEUSd3b7i/0qiRLNvZenaYNz1KJrt2In 92RQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=vuyGlTqWOxJFd3HZH0GSH0WCg/bckl8IuyKNxKFyMuM=; b=FeCEej3DscsNhKX0JGWvd3zTwzt+Wv/PxRnNxNrFTt4o2DR6A0cIJNvRAWysotyZn1 uparlVtAfoh34xH4gjXFaEMV34jWu8Tb51CE4Zm4PesVNxKYrO0IM2rApQvhRu2xTDHe ug1vUUB/6aN2aVuU0UjltfvSGWPG2tA84obZTExn4u3K62oDrmw6CaLf0jrqSUt7eP6U mYR1FkgoRyVWwNQhL9jBsd0ARh1QK/kgrPqlY7L38jodCvlDsGwqp567UOq63mzMzgkN NaL39VzmjftlOd3c9dsS4OKVjcqa5CiMtD1bznF0ccuaVNT7KY7FyFbPcC2PIxbsJO17 STVQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p9si8607633pge.163.2018.03.05.09.14.11; Mon, 05 Mar 2018 09:14:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752806AbeCERNE (ORCPT + 99 others); Mon, 5 Mar 2018 12:13:04 -0500 Received: from mail-it0-f42.google.com ([209.85.214.42]:52157 "EHLO mail-it0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752404AbeCERNC (ORCPT ); Mon, 5 Mar 2018 12:13:02 -0500 Received: by mail-it0-f42.google.com with SMTP id u66so10264085ith.1 for ; Mon, 05 Mar 2018 09:13:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=vuyGlTqWOxJFd3HZH0GSH0WCg/bckl8IuyKNxKFyMuM=; b=Z+W+JC9VkgcHBglMBQ392JqsgVbUQGoKSpvG9Dx4DYsj5gQYXI9hIhogsNdUjR3TKo 2l6w1CLZHzp1wYc1SwXwrNdY15plwuhz07bsdX3ZmQZ/j7viJvK+oaEJaQ6O9nsX8KtX 75ML6WCzMBJtAJkDy5dp59HmczMoVigFxjDnwpItCAg8gFyHzajbXs6bIhVxA/nic0Na 4Ir6PXH2F14JuTFHwHvKo0Xm0tqzqrogwfXT1PmIBHv2diB12/+q9/GM/GxUegxmpzvj 8erQKq/iPHZW6bb5bC3JxBPDOLk1/nC3o69nCpq7WA1Oj97MayEsR8jl5Mwu3s5sjmC8 qCLg== X-Gm-Message-State: AElRT7Gs6XZZhFsip/222bYWoPWWKzVYqqQbkE2Cz/9oPW6QTe9M6mRU BeEQaCF3qhAYJkDfS/WUQPVlYA== X-Received: by 10.36.149.136 with SMTP id m130mr14054477itd.64.1520269617384; Mon, 05 Mar 2018 09:06:57 -0800 (PST) Received: from ?IPv6:2601:602:9802:a8dc::f21a? ([2601:602:9802:a8dc::f21a]) by smtp.gmail.com with ESMTPSA id z17sm3197531ioe.63.2018.03.05.09.06.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Mar 2018 09:06:56 -0800 (PST) Subject: Re: C tricks for efficient stack zeroing To: "Jason A. Donenfeld" , LKML Cc: pageexec@freemail.hu References: From: Laura Abbott Message-ID: <9c65c2ab-fc82-3d9e-491d-c4d1658d103d@redhat.com> Date: Mon, 5 Mar 2018 09:06:55 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/02/2018 11:50 AM, Jason A. Donenfeld wrote: > Hi list, > > I'm writing this email to solicit tricks for efficiently zeroing out > the stack upon returning from a function. The reason this is often > desirable is if the stack contains intermediate values that could > assist in some form of cryptographic attack if compromised at a later > point in time. It turns out many surprising things could be such an > aid to an attacker, and so generally it's important to clean things up > upon returning. > > Often times complicated cryptographic functions -- say elliptic curve > scalar multiplication -- use a decent amount of stack (say, 1k or 2k), > with a variety of functions, and then copy a result into a return > argument. Imagine a call graph like this: > > do_something(u8 *output, const u8 *input) > thing1(...) > thing2(...) > thinga(...) > thingb(...) > thingi(...) > thingc(...) > thing3(...) > thing4(...) > thinga(...) > thingc(...) > > Each one of these functions have a few stack variables. The current > solution is to call memzero_explicit() on each of those stack > variables when each function return. But let's say that thingb uses as > much or more stack as thinga. In this case, I'm wasting cycles (and > gcc optimizations) by clearing the stack in both thinga and thingb, > and I could probably get away with doing this in thingb only. > Probably. But to hand estimate those seems a bit brittle. > > What would be really nice would be to somehow keep track of the > maximum stack depth, and just before the function returns, clear from > the maximum depth to its stack base, all in one single call. This > would not only make the code faster and less brittle, but it would > also clean up some algorithms quite a bit. > > Ideally this would take the form of a gcc attribute on the function, > but I was unable to find anything of that nature. I started looking > for little C tricks for this, and came up dry too. I realize I could > probably just take the current stack address and zero out until _the > very end_ but that seems to overshoot and would probably be bad for > performance. The best I've been able to do come up with are some > x86-specific macros, but that approach seems a bit underwhelming. > Other approaches include adding a new attribute via the gcc plugin > system, which could make this kind of thing more complete [cc'ing > pipacs in case he's thought about that before]. > > I thought maybe somebody on the list has thought about this problem in > depth before and might have some insights to share. > > Regards, > Jason > Have you seen http://www.openwall.com/lists/kernel-hardening/2018/03/03/7 ? This sounds exactly like what you have proposed. Thanks, Laura