From: Kees Cook
Date: Wed, 15 Aug 2018 11:35:16 -0700
Subject: Re: [GIT PULL] gcc-plugin updates for v4.19-rc1
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Alexander Popov, Dave Hansen, Ingo Molnar, Masahiro Yamada, Thomas Gleixner, Tycho Andersen, Mark Rutland, Laura Abbott, Will Deacon
References: <20180813214328.GA15137@beast>

On Wed, Aug 15, 2018 at 9:41 AM, Linus Torvalds wrote:
> On Mon, Aug 13, 2018 at 2:43 PM Kees Cook wrote:
>>
>> Please pull these gcc-plugin changes for v4.19-rc1.
>
> No.
>
> It adds yet another BUG_ON() without having been merged.
>
> I'm not pulling this. Dammit, have you learnt *nothing*?

I swear I'm doing my best. Are you speaking of
stackleak_check_alloca() or stackleak_erase()? These were both
discussed on the list, and we weren't able to come up with
alternatives: in both cases we're off the stack, and recovery is
seemingly impossible.

What would you prefer in these cases? If I need to take a hard line of
"never BUG", how do I handle legitimate system corruption? (i.e. I
have interpreted this as different from narrowing copy_*_user() usage:
if we let execution continue, we'll just crash somewhere else with
likely less information on how to handle it.)

> I'm disappointed in the whole feature, but I'm also tired of having
> to go and even look for these things.

I am trying to make these patches easier to review. I even made sure
to get Ingo's Ack and Alexander implemented additional features Ingo
suggested, before sending them your way, as Ingo has a very
conservative eye on.

> Then actually *finding* them makes me just pissed off.

I'm sorry we've disappointed you. I've been pushing back on patches
that use BUG (with, I think, good success), but there are cases where
our imagination fails us.

I'd really like to find a way for this plugin to be acceptable, given
the coverage it provides. Even if we solve stack initialization and
finish VLA removal, we still would benefit from something doing
post-syscall stack poisoning just to keep future cache attacks against
the stack minimized.

In the meantime, I will send the gcc-plugin cleanups separately...

-Kees

-- 
Kees Cook
Pixel Security
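
An added illustration, not part of the email and not the kernel's STACKLEAK code: a simplified userspace model of the post-syscall stack poisoning the message refers to, including the "off the stack" state in which the erase routine's tracked range is no longer inside the stack. The names `task_model`, `frame_push`, `erase_model` and `leak_demo`, the poison marker and the secret value are all constructed for this example; the model returns an error in the off-stack state only so that the condition can be observed.

```c
#include <stddef.h>
#include <stdio.h>

#define STACK_WORDS 64
#define POISON 0xA5A5A5A5UL   /* constructed marker value for this model */

/* One task's stack, growing down: index STACK_WORDS is the empty stack. */
struct task_model {
    unsigned long stack[STACK_WORDS];
    size_t sp;       /* current stack pointer, as a word index */
    size_t lowest;   /* deepest sp reached since the last erase */
};

static void task_init(struct task_model *t) {
    for (size_t i = 0; i < STACK_WORDS; i++) t->stack[i] = POISON;
    t->sp = t->lowest = STACK_WORDS;
}

/* Enter an n-word frame without initializing it, as C locals are not.
 * Returns the frame's base index, or -1 if it would run off the stack. */
static long frame_push(struct task_model *t, size_t n) {
    if (n > t->sp) return -1;
    t->sp -= n;
    if (t->sp < t->lowest) t->lowest = t->sp;
    return (long)t->sp;
}
static void frame_pop(struct task_model *t, size_t n) { t->sp += n; }

/* Post-syscall erase: poison everything between the deepest point reached
 * and the current sp. Returns -1 when that range is not inside the stack. */
static int erase_model(struct task_model *t) {
    if (t->lowest > t->sp || t->sp > STACK_WORDS) return -1;
    for (size_t i = t->lowest; i < t->sp; i++) t->stack[i] = POISON;
    t->lowest = t->sp;
    return 0;
}

/* "Syscall" A leaves a secret in its frame; "syscall" B then reads an
 * uninitialized slot at the same depth. Returns what B observed. */
static unsigned long leak_demo(int erase_between) {
    struct task_model t;
    task_init(&t);
    long f = frame_push(&t, 8);
    t.stack[f + 3] = 0x5EC2E7UL;           /* constructed secret */
    frame_pop(&t, 8);
    if (erase_between && erase_model(&t) != 0) return 0;
    f = frame_push(&t, 8);
    return t.stack[f + 3];                 /* B never wrote this slot */
}

int main(void) { printf("%#lx %#lx\n", leak_demo(0), leak_demo(1)); return 0; }
```

Without the erase, the second call observes the first call's stale value; with it, only the poison marker remains.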