Received: by 10.213.65.68 with SMTP id h4csp882744imn;
        Tue, 27 Mar 2018 10:31:23 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48R/42Lc8ixYI5gDvRIITBdonozCB3Rs+BK+kSONZftDx8kKwZ9mcSJlA0SlvFbaUE4+K5L
X-Received: by 2002:a17:902:7804:: with SMTP id p4-v6mr217808pll.17.1522171883197;
        Tue, 27 Mar 2018 10:31:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522171883; cv=none;
        d=google.com; s=arc-20160816;
        b=VxRJJLYl76IfIQpTWPTHCwP3edUH6zGr5GDRN/Ldopyp5SvKCRBd6zxA7grelNFTa9
         pflOMzBFTWa5x4p2A5wkBFvi2kl2uyvtNmutAFXV8K7JYSiPJvTC9+GrVgQmPRF2ZvBK
         63BxRbFkJevbG5zOr3x4qICFIlcV6DnWHuLYtVJZsXaqL86XrHpq3pWeVRjFSTlQl3ry
         LO58pSA0UpHF80/t6QHC20yu81gv6tfteNBWx+TFMGms5lYPxyhALSOKcOiAcgHwq7uI
         0idHn9xpkcYFueCKx6zFYyIwl3nq5CoT7bIltf3e6YvXs4OhFiKajpmQx71W7TXlQTwK
         Tuew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=y4s/7pQNeFgDfjpIK/kzmbDADMeUFWdoMEJv7rl6IP0=;
        b=l4zNVcRnVdRIspnH5eUI8/L2W9AofKNJczRBut7ggctvpemvBQL92KL2IxmASBmf/3
         J7pYvhJN58mNxRqjl0pcn7r+kejm8TPStuU88gezxOXGGQLpEO52ykYN1Su0eqBmFs14
         Qrln/nOacenL+FduxYvTHTVEvRy2nrvP7CmM1jHCkHV89a73hil6eEnQM5ryPlI6H0Fc
         GtnbsML2yaDAQfBvhWzwrcXXAlgtRpBYLLgztMLKDI6CjRS819J95Gtm14ZRuhum8KeJ
         YctFhuKFN9BPFzzRDyvVhRTDDBi0g3kG4I9An6UIsmV1BfyyE74ovXyu7V/LvEr6dL7h
         Kf0g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 69-v6si1595024pla.390.2018.03.27.10.31.08;
        Tue, 27 Mar 2018 10:31:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754806AbeC0R2T (ORCPT <rfc822;saikripd@gmail.com> + 99 others);
        Tue, 27 Mar 2018 13:28:19 -0400
Received: from 216-12-86-13.cv.mvl.ntelos.net ([216.12.86.13]:33308 "EHLO
        brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754739AbeC0R2R (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Mar 2018 13:28:17 -0400
Received: from dalias by brightrain.aerifal.cx with local (Exim 3.15 #2)
        id 1f0sNk-0001YD-00; Tue, 27 Mar 2018 17:27:36 +0000
Date:   Tue, 27 Mar 2018 13:27:36 -0400
From:   Rich Felker <dalias@libc.org>
To:     Russell King - ARM Linux <linux@armlinux.org.uk>
Cc:     Tony Lindgren <tony@atomide.com>, Huacai Chen <chenhc@lemote.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Stephen Rothwell <sfr@canb.auug.org.au>,
        Ralf Baechle <ralf@linux-mips.org>,
        James Hogan <james.hogan@mips.com>,
        Yoshinori Sato <ysato@users.sourceforge.jp>,
        linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        linux-omap@vger.kernel.org
Subject: Re: Regression with arm in next with stack protector
Message-ID: <20180327172736.GK1436@brightrain.aerifal.cx>
References: <20180323181452.GJ5799@atomide.com>
 <20180327090409.GA10990@n2100.armlinux.org.uk>
 <20180327153525.GI1436@brightrain.aerifal.cx>
 <20180327172027.GA14598@n2100.armlinux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180327172027.GA14598@n2100.armlinux.org.uk>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 27, 2018 at 06:20:27PM +0100, Russell King - ARM Linux wrote:
> On Tue, Mar 27, 2018 at 11:35:25AM -0400, Rich Felker wrote:
> > On Tue, Mar 27, 2018 at 10:04:10AM +0100, Russell King - ARM Linux wrote:
> > > On Fri, Mar 23, 2018 at 11:14:53AM -0700, Tony Lindgren wrote:
> > > > Hi,
> > > > 
> > > > Looks like commit 5638790dadae ("zboot: fix stack protector in
> > > > compressed boot phase") breaks booting on arm.
> > > > 
> > > > This is all I get from the bootloader on omap3:
> > > > 
> > > > Starting kernel ...
> > > > 
> > > > data abort
> > > > pc : [<810002d0>]          lr : [<100110a8>]
> > > > reloc pc : [<9d6002d0>]    lr : [<2c6110a8>]
> > > > sp : 81467c18  ip : 81466bf0     fp : 81466bf0
> > > > r10: 80fc2c40  r9 : 81000258     r8 : 86fec000
> > > > r7 : ffffffff  r6 : 81466bf8     r5 : 00000000  r4 : 80008000
> > > > r3 : 81466c14  r2 : 81466c18     r1 : 000a0dff  r0 : 00466bf8
> > > > Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
> > > > Resetting CPU ...
> > > > 
> > > > resetting ...
> > > 
> > > The reason for this is the following code that was introduced by the
> > > referenced patch:
> > > 
> > > +               ldr     r0, =__stack_chk_guard
> > > +               ldr     r1, =0x000a0dff
> > > +               str     r1, [r0]
> > > 
> > > This uses the absolute address of __stack_chk_guard in the decompressor,
> > > which is a self-relocatable image.  As with all constructs like the
> > > above, this absolute address doesn't get fixed up, and so it ends up
> > > pointing at invalid memory (in this case 0x466bf8) vs RAM at 0x80000000,
> > > and the decompressor looks to be around 0x81000000.
> > > 
> > > Such constructs can not be used in the decompressor for exactly this
> > > reason - they need to use PC-relative addressing instead just like
> > > everything else does in head.S.
> > 
> > Can someone please answer why this is even needed to begin with? I
> > don't see any compelling reason __stack_chk_guard needs a particular
> > value in the decompressor, which is not dealing with any non-constant
> > input.
> 
> Untrue - it can do some parsing of the DT and updating/appending
> information from ATAGs.  However, all that should be coming from
> a trusted environment, so I don't see much of a "trust" issue here.
> (If the parent environment is not trusted, then the environment we're
> running in is not trusted.)

OK, I was considering DT constant, but it doesn't really matter as you
say since the input comes from a trusted environment and could subvert
the system in much more direct ways than blowing away the
decompressor's stack buffers if it wanted to.

> > Just putting __stack_chk_guard in its bss should be fine and
> > would eliminate all the risks of wrong code to load a value into it.
> > Alternatively put it in initialized data with the desired value.
> 
> I'm no expert with this, so I can't comment.  I build my kernels
> with gcc 4.7.4, which I don't think supports this feature.

By "this feature" do you mean stack protector? I still have a 4.7.3
for x86 around and -fstack-protector-all works fine on it. Not sure if
there are issues using stack protector with kernel, or on ARM, for
older GCCs. In any case defining __stack_chk_guard as initialized data
should work on any gcc version regardless of whether stack protector
is actually used; it doesn't require any compiler features just basic
C.

Rich