Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4134164imm;
        Mon, 14 May 2018 03:08:39 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoYgx5z3QvX6/Cw7wMO7FdKeQ59Ghs3XimK2nX6JweekjN9Tk3+GVSq0hKtOcC8YYI5knUP
X-Received: by 2002:a63:3147:: with SMTP id x68-v6mr7976395pgx.108.1526292519207;
        Mon, 14 May 2018 03:08:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526292519; cv=none;
        d=google.com; s=arc-20160816;
        b=bT1AnyueMTF6F4i2ZiqsucS/AwSKQAkTaGcpjOx5GlWLhvZhMqtL/n1LGNQaH81t37
         lioCDWKy0l1L7n1iWVvIkIlczTBs0huoG/RgBXhu/9FxZ0yNT+15ty7okSGBTTX5JqMF
         W26TeN9ugzcBCvJRb40RpPhy99Gib3wPip9cjJ7l1kiF7Rtz6/zFLfe7QFrVki/Gpj9C
         uB/WRPhplDORWJdVhfnxQCGqlW5CkROcD7ynieYvGsc/Kb5g+GQv7YawoKxZgRn/UM7k
         t4sMOYCUFJqJjpKziNsYWNHC6RvC9nEDieSupJ8vx8qCrOMdjVTj4rhETrVF3BsQThy9
         HaWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=mek+JyMEtZ+BU5TZZ3nlJn23rLdD2zV/qukrc30kh2g=;
        b=DsE3p+oEvMDexvNIH4Xfjw9Q4nrzO47dSGm2XA3PvJK3wNFmyAaMEpkqHvwEh5zHoE
         84Pc3nC6z7SLtEo3Lu58pCqIHSSkph9WgLuugIyrz9iCJDIT2XVxrvoLFIhocKNl9YzN
         TSASuVCVq6YoxzgkRV2+OWWemTZO6OxC7Txf+pMyXwneRg79idIFwgzVpWDi/4vhnkON
         DTQRXZvni9qqL/jvhEck72SQ73XdHj0zqxJbtfaCqLksBwjWFoVZu98w5xejDlFKf8c4
         gvyB+7OUW1v297BwlL5wIJ5PP1qXh60gF0DmX1My95V0JNwXm+r/Q1sgO2fo2rUlz8dL
         HBrg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 4-v6si7328558pga.13.2018.05.14.03.08.24;
        Mon, 14 May 2018 03:08:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752524AbeENKHP (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Mon, 14 May 2018 06:07:15 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:38910 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752038AbeENKGr (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 May 2018 06:06:47 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 8E10F15AB;
        Mon, 14 May 2018 03:06:47 -0700 (PDT)
Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 175E53F5AD;
        Mon, 14 May 2018 03:06:45 -0700 (PDT)
Date:   Mon, 14 May 2018 11:06:40 +0100
From:   Mark Rutland <mark.rutland@arm.com>
To:     Alexander Popov <alex.popov@linux.com>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Laura Abbott <labbott@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        kernel-hardening@lists.openwall.com,
        linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] arm64: Clear the stack
Message-ID: <20180514100639.v3erlzbuv2e4awfh@lakrids.cambridge.arm.com>
References: <20180502203326.9491-3-labbott@redhat.com>
 <20180503071917.xm2xvgagvzkworay@salmiak>
 <dd6ad26c-1d2c-88f3-8f01-e68d2b31d6ea@linux.com>
 <20180504110907.c2dw33kjmyybso6t@lakrids.cambridge.arm.com>
 <4badae50-be9b-2c6d-854b-57ab48664800@linux.com>
 <71199506-b46b-5f91-e489-e6450b6d1067@linux.com>
 <20180511161317.57k6prl54xjmsit3@lakrids.cambridge.arm.com>
 <f180b312-d1cf-3992-4e89-9632c1674cd6@linux.com>
 <20180514051555.bpbydgr56hyffjch@salmiak>
 <6c311899-7131-d21b-10f6-d2ba7380a392@linux.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6c311899-7131-d21b-10f6-d2ba7380a392@linux.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 14, 2018 at 12:35:25PM +0300, Alexander Popov wrote:
> On 14.05.2018 08:15, Mark Rutland wrote:
> > On Sun, May 13, 2018 at 11:40:07AM +0300, Alexander Popov wrote:
> >> So what would you think if I do the following in check_alloca():
> >>
> >> 	if (size >= stack_left) {
> >> #if !defined(CONFIG_VMAP_STACK) && defined(CONFIG_SCHED_STACK_END_CHECK)
> >> 		panic("alloca over the kernel stack boundary\n");
> >> #else
> >> 		BUG();
> >> #endif
> > 
> > Given this is already out-of-line, how about we always use panic(), regardless
> > of VMAP_STACK and SCHED_STACK_END_CHECK? i.e. just
> > 
> > 	if (unlikely(size >= stack_left))
> > 		panic("alloca over the kernel stack boundary");
> > 
> > If we have VMAP_STACK selected, and overflow during the panic, it's the same as
> > if we overflowed during the BUG(). It's likely that panic() will use less stack
> > space than BUG(), and the compiler can put the call in a slow path that
> > shouldn't affect most calls, so in all cases it's likely preferable.
> 
> I'm sure that maintainers and Linus will strongly dislike my patch if I always
> use panic() here. panic() kills the whole kernel and we shouldn't use it when we
> can safely continue to work.
> 
> Let me describe my logic. So let's have size >= stack_left on a thread stack.
> 
> 1. If CONFIG_VMAP_STACK is enabled, we can safely use BUG(). Even if BUG()
> handling overflows the thread stack into the guard page, handle_stack_overflow()
> is called and the neighbour memory is not corrupted. The kernel can proceed to live.

On arm64 with CONFIG_VMAP_STACK, a stack overflow will result in a
panic(). My understanding was that the same is true on x86.

> 2. If CONFIG_VMAP_STACK is disabled, BUG() handling can corrupt the neighbour
> kernel memory and cause the undefined behaviour of the whole kernel. I see it on
> my lkdtm test. That is a cogent reason for panic().

In this case, panic() can also corrupt the neighbour stack, and could
also fail.

When CONFIG_VMAP_STACK is not selected, a stack overflow simply cannot
be handled reliably -- while panic() may be more likely to succeed, it
is not gauranteed to.

> 2.a. If CONFIG_SCHED_STACK_END_CHECK is enabled, the kernel already does panic()
> when STACK_END_MAGIC is corrupted. So we will _not_ break the safety policy if
> we do panic() in a similar situation in check_alloca().

Sure, I'm certainly happy with panic() here.

> 2.b. If CONFIG_SCHED_STACK_END_CHECK is disabled, the user has some real reasons
> not to do panic() when the kernel stack is corrupted. 

I believe that CONFIG_SCHED_STACK_END_CHECK is seen as a debug feature,
and hence people don't select it. I strongly doubt that people have
reasons to disable it other than not wanting the overhead associated
with debug features.

I think it is reasonable to panic() here even with CONFIG_VMAP_STACK
selected.

> So we should not do it in check_alloca() as well, just use BUG() and
> hope for the best.

Regardless of whether we BUG() or panic(), we're hoping for the best.

Consistently using panic() here will keep things simpler, so any failure
reported will be easier to reason about, and easier to debug.

Thanks,
Mark.