From: Kees Cook
Date: Mon, 16 Apr 2018 11:29:13 -0700
Subject: Re: [PATCH v11 2/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
To: Alexander Popov, Dave Hansen, Ingo Molnar, Laura Abbott, Linus Torvalds
Cc: Kernel Hardening, PaX Team, Brad Spengler, Andy Lutomirski,
    Tycho Andersen, Mark Rutland, Ard Biesheuvel, Borislav Petkov,
    Richard Sandiford, Thomas Gleixner, "H . Peter Anvin", Peter Zijlstra,
    "Dmitry V . Levin", Emese Revfy, Jonathan Corbet, Andrey Ryabinin,
    "Kirill A . Shutemov", Thomas Garnier, Andrew Morton,
    Alexei Starovoitov, Josef Bacik, Masami Hiramatsu, Nicholas Piggin,
    Al Viro, "David S . Miller", Ding Tianhong, David Woodhouse,
    Josh Poimboeuf, Steven Rostedt, Dominik Brodowski, Juergen Gross,
    Greg Kroah-Hartman, Dan Williams, Mathias Krause, Vikas Shivappa,
    Kyle Huey, Dmitry Safonov, Will Deacon, Arnd Bergmann, Florian Weimer,
    Boris Lukashev, X86 ML, LKML

On Fri, Apr 6, 2018 at 7:22 AM, Alexander Popov wrote:
> This commit introduces the architecture-specific code filling the used
> part of the kernel stack with a poison value before returning to the
> userspace. Full STACKLEAK feature also contains the gcc plugin which
> comes in a separate commit.

Thanks for sending this again! And thanks for the updated reasoning
for why this remains a valuable addition:
https://lkml.kernel.org/r/1523024546-6150-1-git-send-email-alex.popov@linux.com

I, too, remain convinced this is a good protection to have, even as we
slowly remove VLAs and try to improve the compiler's initialization of
stack variables.

Dave, Ingo, Linus: how does this look? With the assembly rewritten
into C, the entry changes are very small:

>  arch/x86/entry/entry_32.S        |  7 ++++++
>  arch/x86/entry/entry_64.S        |  3 +++
>  arch/x86/entry/entry_64_compat.S |  5 ++++
>  arch/x86/entry/erase.c           | 54 ++++++++++++++++++++++++++++++++++++++++

I'd really like to get people's Ack/Review. :)

Laura, can this C version work for arm64 as well?

Thanks,

-Kees

-- 
Kees Cook
Pixel Security