Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp638219img;
        Wed, 20 Mar 2019 07:53:49 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwFYf1SK+l+fB+saRMjqk+nnALORxJn6hvCAeebIzJsKaWRTi7TlEizmLA461AqfULF/0ZY
X-Received: by 2002:a63:e050:: with SMTP id n16mr7743077pgj.210.1553093629895;
        Wed, 20 Mar 2019 07:53:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553093629; cv=none;
        d=google.com; s=arc-20160816;
        b=ddGAPgX0hYLs6KopV8gJ4lsQQ0NUO19c14Mn9YCilp8Nt7iq24XM8JNgf4KInhcQmP
         NRufx6rDI+7FfSwe1E6P5VTBjJ3DGz3LIc9m1knNSCETlhs3MhA6bkB0L5Deyz/V3G0h
         ouMTOVzoq/c5E7LZk6Sbf2MoRIFtIU2xVn3IMF97pspXkQH2mf0b772BQT57f2HNH7bT
         YnIvyGFqszeCpDiIz8Bwt0yQ1KdK0mtveasnPxAb6gyHCuDjA3gaMB7woiO2fzfRlvtw
         D+Q1U5W6XqQ+pgwHiAjVO//a+Cr+xSDmzUtRGE0vOJkZGGiiBla1/W+h7jID/Gtje9VV
         gMtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature;
        bh=Cux81Nb/mkGVNNBd664Ke7OVASRtYEGVnVz4ins3jKE=;
        b=LlK8BJWZyqMNctkKXrIB10zKyECUKv5n3p8iP2ioY6tIWDzrJjK9t9Fgm8xW2bF4qC
         RbWbWfEH3uPpN6j3BaJvFIYvJDQctnRmCcBafVidUV4ujeIvH2pApZimAgntM2earl1p
         89L935lPA9DQCrfdu6ZbYDiRbgtLVr5YXlQ/GNem8AMLCOqs567ZmxgPKqAAkzPZmT7M
         b9N/+2E6Ng3oPUWLOM5pAn+KLAafNXkXIJsDFtRxrJgrRrEmlDsf9NCbXFVnOrvkVTC5
         gBBOVY5jNSb3fU5+cdsumLe9ThvVZSaYSnmuHKzIE3lNSki8CbM7RA6mGKX6qKNzZcee
         xwvw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=b14RFkdi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e130si1767059pfc.264.2019.03.20.07.53.34;
        Wed, 20 Mar 2019 07:53:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=b14RFkdi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727490AbfCTOvE (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Wed, 20 Mar 2019 10:51:04 -0400
Received: from mail-pf1-f194.google.com ([209.85.210.194]:46145 "EHLO
        mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726123AbfCTOvE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 Mar 2019 10:51:04 -0400
Received: by mail-pf1-f194.google.com with SMTP id 9so1853636pfj.13
        for <linux-kernel@vger.kernel.org>; Wed, 20 Mar 2019 07:51:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=Cux81Nb/mkGVNNBd664Ke7OVASRtYEGVnVz4ins3jKE=;
        b=b14RFkdiigwlHIF0ccPOgC+3FEXNAdhmPZMIqMc/djtnb4z6S9eYBQBLveAg/6SBiq
         50AnSpqkCtZNAhMsCSOk7ZckvGparXfTWUQxl2m5JQTNnuOZ/1UlchIsiK7QvlwxazzY
         N5gNeA3oJcE3aSJhRWNigEH8KWq6ykos+llYrftPae2vDvuhc13qB0eXEm7UBM3J4O+C
         DH5tx5kSYkIrtbY2iUfqwas4TNdHu7Oj3j5iWuHXWynAkwrHLZalfX1F3rZzfiT3NxVE
         ycgJANRk3kD2zJTuo7M88q8gywzNMAc27pxIbH1eE5Dl/OKOKELQRq9UQB90wF0XAUXl
         NAQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=Cux81Nb/mkGVNNBd664Ke7OVASRtYEGVnVz4ins3jKE=;
        b=mKX/1h7J/AucLECjOHZZoQDWeAI+7VT50Y5bfVi4gP52oqfDP6DSs7lIkhhkb5BDYg
         ltpFGibgqIDrPGb7Pbd0//DKSykU3FHXTNXHDlpJz9Ad0gKz5G5RO83QthteK3zTV0je
         +A6FzxVZxqmjg0ea61weT8tmQVzp8EP2gb9bElghHGaJS7o83n/c116whmO7lKUaEtL/
         gc9RAe690aIwgFD7z+EmnjefFzwFWjXhSgvzAuiQM0B77KCnHe0KFGeEr0OajMwSWOo1
         4OPCIhDsOoC7K6XkdFEXBkLhET7Vg7HDM6Wokx4mn9V3GSwN48zDXKozglMLEDzQoHg8
         EvHQ==
X-Gm-Message-State: APjAAAXEjlAxOfG4yPi3E2gYKpa+z0ftORiJtpq4iyRSrT6M1OfJZFzt
        rgm6Puh7NGjA0bKVUiordLdYGw==
X-Received: by 2002:a63:c149:: with SMTP id p9mr7778882pgi.362.1553093463901;
        Wed, 20 Mar 2019 07:51:03 -0700 (PDT)
Received: from ?IPv6:2600:1010:b01f:ea94:84dd:9ed8:80e7:caaa? ([2600:1010:b01f:ea94:84dd:9ed8:80e7:caaa])
        by smtp.gmail.com with ESMTPSA id g188sm4798970pfc.24.2019.03.20.07.51.02
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 20 Mar 2019 07:51:02 -0700 (PDT)
Content-Type: text/plain;
        charset=utf-8
Mime-Version: 1.0 (1.0)
Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon syscall
From:   Andy Lutomirski <luto@amacapital.net>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <30998bcd55a34ed38b681f9bb3e3fb87@AcuMS.aculab.com>
Date:   Wed, 20 Mar 2019 07:51:01 -0700
Cc:     Andy Lutomirski <luto@kernel.org>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        Jann Horn <jannh@google.com>,
        "Perla, Enrico" <enrico.perla@intel.com>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        Thomas Gleixner <tglx@linutronix.de>,
        LKML <linux-kernel@vger.kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Greg KH <gregkh@linuxfoundation.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <25395187-837A-4689-9387-5ACCE78E4DF3@amacapital.net>
References: <20190318094128.1488-1-elena.reshetova@intel.com> <CALCETrUxhzHyUQCAjPQcPNWwAw5UTxUX4ZaeGxpbf9VSCDdcPg@mail.gmail.com> <30998bcd55a34ed38b681f9bb3e3fb87@AcuMS.aculab.com>
To:     David Laight <David.Laight@aculab.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> On Mar 20, 2019, at 4:12 AM, David Laight <David.Laight@aculab.com> wrote:=

>=20
> From: Andy Lutomirski
>> Sent: 18 March 2019 20:16
> ...
>>> As a result this patch introduces 8 bits of randomness
>>> (bits 4 - 11 are randomized, bits 0-3 must be zero due to stack alignmen=
t)
>>> after pt_regs location on the thread stack.
>>> The amount of randomness can be adjusted based on how much of the
>>> stack space we wish/can trade for security.
>>=20
>> Why do you need four zero bits at the bottom?  x86_64 Linux only
>> maintains 8 byte stack alignment.
>=20
> ISTR that the gcc developers arbitrarily changed the alignment
> a few years ago.
> If the stack is only 8 byte aligned and you allocate a variable that
> requires 16 byte alignment you need gcc to generate the extra stack
> frame to align the stack.
> I don't remember seeing the relevant gcc options on the linux
> gcc command lines.
>=20


On older gcc, you *can=E2=80=99t* set the relevant command line options beca=
use gcc was daft.  So we just crossed out fingers and hope led for the best.=
  On newer gcc, we set the options.  Fortunately, 32-byte stack variable ali=
gnment works regardless.

AFAIK x86_64 Linux has never aligned the stack to 16 bytes.=