Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1594942imm; Thu, 19 Jul 2018 04:43:08 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdVim9KjSgIDxpYHx6Nv3XYc93mLGgt21MQ9kMaqV22Al90UXTG+9rj8SW2qqXBvCDLIXA3 X-Received: by 2002:a63:5e45:: with SMTP id s66-v6mr9670008pgb.151.1532000588051; Thu, 19 Jul 2018 04:43:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532000588; cv=none; d=google.com; s=arc-20160816; b=qt3hrHnQbztyOTLLddfMBQcPGX1wyExASMlIaBNAuXrRpY1sZott0CicnYHUGjWmDF XqoO1hb+U8gh9tMmJDBMjdyE1kpURtalls+AxTqu6UbMakN+qSCv6bn9qbypvW+S6NsN RFHm2TOQ3mwsnZ1m0CcnaGbtiFp8w44oaNTSm6ztYxNl8OrhGQsc1zAIFNF9fgmGq2JO GQJszhmgrZwc5amWj6UrQ06G3HZB9Ma8vpO9UjeLjnLeaY5YSTrVlXjS0BMKGzKIaUnD EJpYL3NWdV83e+l+3t/t/eoDuZvlzQT0CScUeqRkht121zOONvAJn/sa4/fAs4LfSd4T neHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=jgOHu/GzBVvK3wFvjoFwjq62bmwEoGvH0fAte0HwD70=; b=fJFsf0FdJmm4nWkr3j9Xu407fCdf+28mJeyJWh6u21ORi+r9556+ouVXWUT9s+ly3g R5f4LPnOeYRPmau2fVIeD7DfG4scpwNEZA941KnTeoGYedairUWd6oQJBP+3U1fsugJC LZdf0kuLF/jAHblIziElf45zANED7NQ+fdeZWblIYNAAN07g1uz+y+LAwEQPDJRHxeua YPu2mGoNq0GVpxmEgRO5gOpV0PAWfI+S0jGjN44wNoLSfg6+8g+SP5TAYLOxYpOewdXs SpOJ7bg1GW3yqCfnIWfFjFDfqhgHAfGelVzHzWysqUvTd82/sKkc8igCTd1JuyhyvlBq awhg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s10-v6si5330043plq.32.2018.07.19.04.42.15; Thu, 19 Jul 2018 04:43:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730899AbeGSMYP (ORCPT + 99 others); Thu, 19 Jul 2018 08:24:15 -0400 Received: from foss.arm.com ([217.140.101.70]:48206 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727584AbeGSMYP (ORCPT ); Thu, 19 Jul 2018 08:24:15 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2880918A; Thu, 19 Jul 2018 04:41:29 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8229F3F246; Thu, 19 Jul 2018 04:41:27 -0700 (PDT) Date: Thu, 19 Jul 2018 12:41:25 +0100 From: Mark Rutland To: Laura Abbott Cc: Alexander Popov , Kees Cook , Ard Biesheuvel , kernel-hardening@lists.openwall.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Will Deacon , Catalin Marinas Subject: Re: [PATCH 2/2] arm64: Clear the stack Message-ID: <20180719114124.fzjkqtpqnhhtxexy@lakrids.cambridge.arm.com> References: <20180718211013.14512-1-labbott@redhat.com> <20180718211013.14512-3-labbott@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180718211013.14512-3-labbott@redhat.com> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 18, 2018 at 02:10:13PM -0700, Laura Abbott wrote: > > Implementation of stackleak based heavily on the x86 version > > Signed-off-by: Laura Abbott > --- > Since last time: Minor style cleanups. Re-wrote check_alloca to > correctly handle all stack types. While doing that, I also realized > current_top_of_stack was incorrect so I fixed that as well. > --- > arch/arm64/Kconfig | 1 + > arch/arm64/include/asm/processor.h | 17 ++++++++++++++ > arch/arm64/kernel/entry.S | 7 ++++++ > arch/arm64/kernel/process.c | 32 +++++++++++++++++++++++++++ > arch/arm64/kvm/hyp/Makefile | 3 ++- > drivers/firmware/efi/libstub/Makefile | 3 ++- > include/linux/stackleak.h | 1 + > 7 files changed, 62 insertions(+), 2 deletions(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 42c090cf0292..216d36a49ab5 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -96,6 +96,7 @@ config ARM64 > select HAVE_ARCH_MMAP_RND_BITS > select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT > select HAVE_ARCH_SECCOMP_FILTER > + select HAVE_ARCH_STACKLEAK > select HAVE_ARCH_THREAD_STRUCT_WHITELIST > select HAVE_ARCH_TRACEHOOK > select HAVE_ARCH_TRANSPARENT_HUGEPAGE > diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h > index a73ae1e49200..4f3062ee22c6 100644 > --- a/arch/arm64/include/asm/processor.h > +++ b/arch/arm64/include/asm/processor.h > @@ -266,5 +266,22 @@ extern void __init minsigstksz_setup(void); > #define SVE_SET_VL(arg) sve_set_current_vl(arg) > #define SVE_GET_VL() sve_get_current_vl() > > +/* > + * For CONFIG_STACKLEAK > + * > + * These need to be macros because otherwise we get stuck in a nightmare > + * of header definitions for the use of task_stack_page. > + */ > + > +#define current_top_of_stack() \ > +({ \ > + unsigned long _low = 0; \ > + unsigned long _high = 0; \ > + \ > + current_stack_type(current, current_stack_pointer, &_low, &_high); \ > + _high; \ > +}) ... with the info changes, this could be: #define current_top_of_stack() \ ({ \ struct stack_info _info; \ BUG_ON(!on_accessible_stack(current_stack_pinter, &_info)); \ _info->high; \ }) > +#define on_thread_stack() (on_task_stack(current, current_stack_pointer, NULL, NULL)) ... and one fewer NULL here. > + > #endif /* __ASSEMBLY__ */ > #endif /* __ASM_PROCESSOR_H */ > diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S > index 28ad8799406f..67d12016063d 100644 > --- a/arch/arm64/kernel/entry.S > +++ b/arch/arm64/kernel/entry.S > @@ -431,6 +431,11 @@ tsk .req x28 // current thread_info > > .text > > + .macro stackleak_erase > +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK > + bl stackleak_erase > +#endif > + .endm > /* > * Exception vectors. > */ > @@ -910,6 +915,7 @@ ret_fast_syscall: > and x2, x1, #_TIF_WORK_MASK > cbnz x2, work_pending > enable_step_tsk x1, x2 > + stackleak_erase > kernel_exit 0 > ret_fast_syscall_trace: > enable_daif > @@ -936,6 +942,7 @@ ret_to_user: > cbnz x2, work_pending > finish_ret_to_user: > enable_step_tsk x1, x2 > + stackleak_erase > kernel_exit 0 > ENDPROC(ret_to_user) > > diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c > index e10bc363f533..904defa36689 100644 > --- a/arch/arm64/kernel/process.c > +++ b/arch/arm64/kernel/process.c > @@ -493,3 +493,35 @@ void arch_setup_new_exec(void) > { > current->mm->context.flags = is_compat_task() ? MMCF_AARCH32 : 0; > } > + > +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK > +void __used stackleak_check_alloca(unsigned long size) > +{ > + unsigned long stack_left; > + enum stack_type type; > + unsigned long current_sp = current_stack_pointer; > + unsigned long low, high; > + > + type = current_stack_type(current, current_sp, &low, &high); > + BUG_ON(type == STACK_TYPE_UNKNOWN); > + > + stack_left = current_sp - low; ... similarly with the info changes, this could be: unsigned long current_sp = current_stack_pointer; unsigned long stack_left; struct stack_info info; BUG_ON(!on_accessible_stack(current, current_sp, &info)); stack_lead = current_sp - info->low; Otherwise, this looks good to me. Thanks, Mark. > + > + if (size >= stack_left) { > + /* > + * Kernel stack depth overflow is detected, let's report that. > + * If CONFIG_VMAP_STACK is enabled, we can safely use BUG(). > + * If CONFIG_VMAP_STACK is disabled, BUG() handling can corrupt > + * the neighbour memory. CONFIG_SCHED_STACK_END_CHECK calls > + * panic() in a similar situation, so let's do the same if that > + * option is on. Otherwise just use BUG() and hope for the best. > + */ > +#if !defined(CONFIG_VMAP_STACK) && defined(CONFIG_SCHED_STACK_END_CHECK) > + panic("alloca() over the kernel stack boundary\n"); > +#else > + BUG(); > +#endif > + } > +} > +EXPORT_SYMBOL(stackleak_check_alloca); > +#endif > diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile > index 4313f7475333..2fabc2dc1966 100644 > --- a/arch/arm64/kvm/hyp/Makefile > +++ b/arch/arm64/kvm/hyp/Makefile > @@ -3,7 +3,8 @@ > # Makefile for Kernel-based Virtual Machine module, HYP part > # > > -ccflags-y += -fno-stack-protector -DDISABLE_BRANCH_PROFILING > +ccflags-y += -fno-stack-protector -DDISABLE_BRANCH_PROFILING \ > + $(DISABLE_STACKLEAK_PLUGIN) > > KVM=../../../../virt/kvm > > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile > index a34e9290a699..25dd2a14560d 100644 > --- a/drivers/firmware/efi/libstub/Makefile > +++ b/drivers/firmware/efi/libstub/Makefile > @@ -20,7 +20,8 @@ cflags-$(CONFIG_EFI_ARMSTUB) += -I$(srctree)/scripts/dtc/libfdt > KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ > -D__NO_FORTIFY \ > $(call cc-option,-ffreestanding) \ > - $(call cc-option,-fno-stack-protector) > + $(call cc-option,-fno-stack-protector) \ > + $(DISABLE_STACKLEAK_PLUGIN) > > GCOV_PROFILE := n > KASAN_SANITIZE := n > diff --git a/include/linux/stackleak.h b/include/linux/stackleak.h > index b911b973d328..08420ec6b7c3 100644 > --- a/include/linux/stackleak.h > +++ b/include/linux/stackleak.h > @@ -5,6 +5,7 @@ > #include > #include > > +#include > /* > * Check that the poison value points to the unused hole in the > * virtual memory map for your platform. > -- > 2.17.1 >