Received: by 10.192.165.148 with SMTP id m20csp1213841imm; Wed, 2 May 2018 16:38:36 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqFfJEJjuevM7f1RJSjnYCQVeK4+p2fExWCSOHF6y4nk6KoJE7Sx32GZVKiCvvTGnpSW2ba X-Received: by 2002:a17:902:4301:: with SMTP id i1-v6mr21902831pld.280.1525304316442; Wed, 02 May 2018 16:38:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525304316; cv=none; d=google.com; s=arc-20160816; b=ZlOqIoU04/Gj7+m+dogbp+Cv4EnLQxzhWTyg3DKIDGWeundE3J7p0Cem8W5x5hL8SR 9blZsWisFHNFbPxjbfECITvmm1pLc6BKem5utfIRT8lbufJq2vTZOcQXb98UB+6nomB4 oRsrMc0zxbuEh6wHW6bQve6tl2qPlJ8G61tZBKo2nM9zlqJfw5mStAk6XPXQYaoWWdjq I907kDsdcT1S3rkSCwo4mCLeIvNsehEA2iyG+s90weUz/lVGHB1HtjrR7+H7fvxzXNby w4Igv/hb8HFXNhGf+hOsG5eq6hxtlPEhiQRRRcYUhdFz27IjI0yihNdRA0qezacBkWl9 5tZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=yiJ8PzdfgQxDmVR/O1w3xEB7cwtpbEZwxJIsmKde6lw=; b=o6N7UMLaqjfvLIvIKxiWrnfg9FASX0aok0nembJhWPq9OxT46QZgJS2Kk1EcWEvrUM xcNY4RxMGksU1QDUYMuNcCLH7iHchnSaOuldW51O5vUEy7kYdE/xOtVp/wHdMnunhD7P eYzxc9szlFY01gFc/rNrgvKOAcuDf8fuGr+GBGGTAL3iXGrKZDQnaltGG3VW0tNKg+zf UPFpGjJrexJzbVGg1RfD8kE3pkJ+g9IKMlqvUBKZ4JP7ZAe+zlkJdiyZ8wEut0DDFF9d zKXrMMaYvM8eV9nCOwNwCVLpHvLvB9iKrIRmglrMprL9lg3J7BqmgFmOxABtCzvYiZxH qfRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=bFDZ6A2i; dkim=fail header.i=@chromium.org header.s=google header.b=ZOUvwmnV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h188-v6si10294057pgc.53.2018.05.02.16.38.20; Wed, 02 May 2018 16:38:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=bFDZ6A2i; dkim=fail header.i=@chromium.org header.s=google header.b=ZOUvwmnV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751755AbeEBXiB (ORCPT + 99 others); Wed, 2 May 2018 19:38:01 -0400 Received: from mail-ua0-f193.google.com ([209.85.217.193]:42311 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751587AbeEBXiA (ORCPT ); Wed, 2 May 2018 19:38:00 -0400 Received: by mail-ua0-f193.google.com with SMTP id f3so10666331uan.9 for ; Wed, 02 May 2018 16:38:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=yiJ8PzdfgQxDmVR/O1w3xEB7cwtpbEZwxJIsmKde6lw=; b=bFDZ6A2i0Mg5TAr+y9kcAAVQFyHgArV+KMsHfTCjbpjwqFN69J6+8g4hTCBEnEYg7L SjW93N7PY7iFBfGxeJCUomIJShRVKnT2wdLoxpj0/21Wjq/1KpMKbyg/OAIdJmybQS5U zCcwnBRfeAQe0MHEiI608eNGE+NO9ceglT1m0aH5rMmj1Afl2PbAx4MrtoSjAk1TINWz 2ldKl+y1AMGQeijnxicY3bt6wwY1aCO4/VdQf+SrwAYlM3a+fAB4+aH/SblLJY7bpP7G 3DTv4IviI3ubagMjuJPNt01dv4nrQ80SIWfg50gCA/+tWHaBr9T8KyMt3Rg9mwokI21e YmRg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=yiJ8PzdfgQxDmVR/O1w3xEB7cwtpbEZwxJIsmKde6lw=; b=ZOUvwmnVh/4taWbzgnhKBh1zqT4a+skgoQ8b+TYmjHPslMRwJ8dKRZ2imq0SjSHzky 4xVKkdycvDdHtIcZy/P+qE4HJlZPtcklqHRNvoPYBNRsvsxDPZCnyiZtgdCOOQNSxXK7 GqYgHbvZ8CKrNtXf9dMPfIchWXDt7uIbXcAMY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=yiJ8PzdfgQxDmVR/O1w3xEB7cwtpbEZwxJIsmKde6lw=; b=I6NVEqvaGfat+X78znxHeDjXkYH6UBlZ2OmQXsa4LY0NjmXIq9hK2Xhl9+UtdnTd3o sA0XgLxo2KPsuViMhDHsKCPNiWyQ7eprpDe/wfLZgl/mfTF8ymYxXynTaMdqu80+Lga/ 9xOIkjJ6nSHQq0X8jdlza/dPB1IvAGoEvH0ROca6dL6upb5OnJBa7FuKNOvi14cfIxXt ivFANIyfUbgIs2MjSNiAZVH4CqSf9A0rEQId95RpsE1TO71XVX73nFmPqc0rnt22Fdos gXsNeigO4//rac8HO3iOtDchYrNznVbnZuK4sAHPNDuAaQPez7amDd0jliPdtYtswMhK DSRw== X-Gm-Message-State: ALQs6tAzQaXiREUJrVHEZ4MPHC94vX5UaNEiYBF+1Nin/DqtQaSz3ED7 NQCWtem35YCSmVUCW6xlDEeGkswkRAIDgzJcgUVojw== X-Received: by 10.176.84.78 with SMTP id o14mr20318257uaa.164.1525304279593; Wed, 02 May 2018 16:37:59 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.11.209 with HTTP; Wed, 2 May 2018 16:37:58 -0700 (PDT) In-Reply-To: <4b7e94c1-79c9-0380-25c6-762762ed595f@redhat.com> References: <20180502203326.9491-1-labbott@redhat.com> <20180502203326.9491-3-labbott@redhat.com> <4b7e94c1-79c9-0380-25c6-762762ed595f@redhat.com> From: Kees Cook Date: Wed, 2 May 2018 16:37:58 -0700 X-Google-Sender-Auth: V9OVJKwiw_c1OB5aX4DXWKnuBn0 Message-ID: Subject: Re: [PATCH 2/2] arm64: Clear the stack To: Laura Abbott Cc: Alexander Popov , Mark Rutland , Ard Biesheuvel , Kernel Hardening , linux-arm-kernel , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 2, 2018 at 4:07 PM, Laura Abbott wrote: > On 05/02/2018 02:31 PM, Kees Cook wrote: >> struct stackleak { >> #ifdef CONFIG_GCC_PLUGIN_STACKLEAK >> unsigned long lowest; >> #ifdef CONFIG_STACKLEAK_METRICS >> unsigned long prev_lowest; >> #endif >> #endif >> }; >> > > Is this well defined across all compilers if the plugin is off? > This seems to compile with gcc at least but 0 sized structs > make me a little uneasy. Yup! Or at least, there have been no problems with this and the seccomp struct, which is empty when !CONFIG_SECCOMP. >> This is the only difference between x86 and arm64 in this code. What >> do you think about implementing on_thread_stack() to match x86: >> >> if (on_thread_stack()) >> boundary = current_stack_pointer; >> else >> boundary = current_top_of_stack(); >> >> then we could make this common code too instead of having two copies in >> arch/? >> > > The issue isn't on_thread_stack, it's current_top_of_stack which isn't > defined on arm64. I agree it would be good if the code would be common > but I'm not sure how much we want to start trying to force APIs. Ah, gotcha. Well, I'd rather we had an #ifdef here that two copies of the code. ;) >>> +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK >>> +void __used check_alloca(unsigned long size) >>> +{ >>> + unsigned long sp, stack_left; >>> + >>> + sp = current_stack_pointer; >>> + >>> + stack_left = sp & (THREAD_SIZE - 1); >>> + BUG_ON(stack_left < 256 || size >= stack_left - 256); >>> +} >>> +EXPORT_SYMBOL(check_alloca); >> >> >> This is pretty different from x86. Is this just an artifact of ORC, or >> something else? >> > > This was based on the earlier version of x86. I'll confess to > not seeing how the current x86 version ended up with get_stack_info > but I suspect it's either related to ORC unwinding or it's best > practice. Alexander, what was the history here? -Kees -- Kees Cook Pixel Security