Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3952469yba; Sun, 12 May 2019 01:28:44 -0700 (PDT) X-Google-Smtp-Source: APXvYqw7yJYuhFZBYcL3GPY6EL9Ry64ISXRADfVZPw2CkFB7q/GISsWSvN19WP1TuH3vM5USR3Fb X-Received: by 2002:a62:e10f:: with SMTP id q15mr26392372pfh.56.1557649724026; Sun, 12 May 2019 01:28:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557649724; cv=none; d=google.com; s=arc-20160816; b=a3+B2CnUr7bb7Sfe/8XMBG7IP8BcWinph6pRFF+5aesmxZ1uu6rZd8pyLKhcB07z/j ChdsDNApGRAuZVsVWMfTfjdshcmo5Mxw5U2tj7wDHli+Ht0ynRTn7FS80cC5dFXTDhlD vdsTyiLdwKL5f9qXfzSnpiXFhSPTPX7BOuaSFP5D7vTXQOXIK+KXzyTLHaQuPvtZRB8n KLePGKXZJ3gTJSQTACrlEH6BrJ7fDV1QsMM0zKuCFMgI9oc7FdEPUbOl8VXYcUebc4nT zYfe/5BQJH+J4DHk+r0igW0/SarWC8hJVopKoikCOg89ruPDzf/HmCeT0Lew8FrBfgLU 23fQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=az2NvBw/j6sKFx3ItUU3E4tKs04UFXT+eEsNSTjgcOk=; b=Rxhgw22tTwJkyxll7L6kE/tslefVMWIBtjV797HZHbkLf/8qucQbSobdPRgcvpiVjY cDwehx0wHneFb3ahWVEov7EE8kDo1ou66dxu0AseAXGCqyCywYZl6L77t9zTTB2nA9XO WOmYjUL0HNAw7heMAsqrXBHSRmLnVFhEKv+CNjreMJO/R9UYhEvVaSwcuG/9S8FsCc8F aYoeMgV0YwKFUXje4mQyvzwCFVrQEgA91w5fU1LTBvIcTabZsS5ynVf9B6Kqod9UcqqT cWWWkIo4KnCPZrR3zeX928iCcZcfKkykZfb+PdDFwph94v0UJpveledOZ80PL+tDzpjS l6Kw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MtG+xbcX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f1si8526733pln.23.2019.05.12.01.27.56; Sun, 12 May 2019 01:28:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MtG+xbcX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726409AbfELICw (ORCPT + 99 others); Sun, 12 May 2019 04:02:52 -0400 Received: from mail-wm1-f65.google.com ([209.85.128.65]:34623 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726274AbfELICv (ORCPT ); Sun, 12 May 2019 04:02:51 -0400 Received: by mail-wm1-f65.google.com with SMTP id m20so9069038wmg.1 for ; Sun, 12 May 2019 01:02:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=az2NvBw/j6sKFx3ItUU3E4tKs04UFXT+eEsNSTjgcOk=; b=MtG+xbcXBmHQ4IcxpcWKC11SCKZq+OSTqMHyXCPi3JpftuK38K7VD3qLs9v7st1HUT KJslOQ3ydVQtYDnWPOnUn74A2rmXAspsgG4ef+88P39xZiYN/ow6lLsJOH5w3gMZY9Nj gY3aNEThPCg8C+wk+VHUlSyLqq33JIrWrP7560qtrREcwChnxmckl5RJ4I8zMr4/GgNU nYwGRjPdwu2BZ4ou5myfZIx1EWlV08tKcnX3BVPQ6Ac/pi6YYU0yP+FPO+PMvXDnFGTm ieyt1XWOzRBdJpi6/4vBzXEcOr8KStrptVcwSmEj+bLl4j05vePYfEJURfCHNn3gqGGZ bvQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=az2NvBw/j6sKFx3ItUU3E4tKs04UFXT+eEsNSTjgcOk=; b=lGHtbnbFw9u+ZGu6+0dX1WntNOcZPCNWLUiHbL8PWhwyDzBYZGcBpCNaDIuTp2CVGc RDsyjRh8JakbWWrq0WmvZiSbJ4oKJ9Wm5SI2v78375AlsveOasxnvQRlofIORqmcVW50 EBqZHDQ6uXO6by7+afw6TVhaXKtBpPGMkg+YtRSNA9IjVNBPnwVxNUUgOHlP2F8QnlLD SfbP7MAD85NAX3j9p7RfxSj9TYrVH3REQMBv04Gwk6OqE9fr5O5sh2JL9v2RqiNvTmvG Kg+1Junket1QZOA6NBNScHYm/8Bex6ror57/+GOIuiJG+QMNA1pQiGOq4ilCc71ZhUt+ A8HA== X-Gm-Message-State: APjAAAW+9sKMHsvDbQ1l6bmNe/LLnl6SWXZStiJsbuuXhP5tsJcQRva1 XadWAIoy/2S07w/ZHInyaUU= X-Received: by 2002:a1c:7f10:: with SMTP id a16mr11686869wmd.30.1557648169896; Sun, 12 May 2019 01:02:49 -0700 (PDT) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id l14sm7040797wrt.57.2019.05.12.01.02.47 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 12 May 2019 01:02:48 -0700 (PDT) Date: Sun, 12 May 2019 10:02:45 +0200 From: Ingo Molnar To: Kees Cook Cc: Andy Lutomirski , "Reshetova, Elena" , David Laight , Theodore Ts'o , Eric Biggers , "ebiggers@google.com" , "herbert@gondor.apana.org.au" , Peter Zijlstra , Daniel Borkmann , "linux-kernel@vger.kernel.org" , "jpoimboe@redhat.com" , "jannh@google.com" , "Perla, Enrico" , "mingo@redhat.com" , "bp@alien8.de" , "tglx@linutronix.de" , "gregkh@linuxfoundation.org" , "Edgecombe, Rick P" , Linus Torvalds , Peter Zijlstra Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Message-ID: <20190512080245.GA7827@gmail.com> References: <2236FBA76BA1254E88B949DDB74E612BA4C6F523@IRSMSX102.ger.corp.intel.com> <2236FBA76BA1254E88B949DDB74E612BA4C760A7@IRSMSX102.ger.corp.intel.com> <20190508113239.GA33324@gmail.com> <2236FBA76BA1254E88B949DDB74E612BA4C762F7@IRSMSX102.ger.corp.intel.com> <20190509055915.GA58462@gmail.com> <2236FBA76BA1254E88B949DDB74E612BA4C7741F@IRSMSX102.ger.corp.intel.com> <20190509084352.GA96236@gmail.com> <201905111703.5998DF5F@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201905111703.5998DF5F@keescook> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Kees Cook wrote: > On Sat, May 11, 2019 at 03:45:19PM -0700, Andy Lutomirski wrote: > > ISTM maybe a better first step would be to make get_random_bytes() be > > much faster? :) > > I'm not opposed to that, but I want to make sure we don't break it for > "real" crypto uses... I'm quite sure Andy implied that. > I still think just using something very simply like rdtsc would be good > enough. > > This isn't meant to be a perfect defense: it's meant to disrupt the > ability to trivially predict (usually another thread's) stack offset. But aren't most local kernel exploit attacks against the current task? Are there any statistics about this? > And any sufficiently well-positioned local attacker can defeat this no > matter what the entropy source, given how small the number of bits > actually ends up being, assuming they can just keep launching whatever > they're trying to attack. (They can just hold still and try the same > offset until the randomness aligns: but that comes back to us also > needing a brute-force exec deterance, which is a separate subject...) > > The entropy source bikeshedding doesn't seem helpful given how few bits > we're dealing with. The low number of bits is still useful in terms of increasing the probability of crashing the system if the attacker cannot guess the stack offset. With 5 bits there's a ~96.9% chance of crashing the system in an attempt, the exploit cannot be used for a range of attacks, including spear attacks and fast-spreading worms, right? A crashed and inaccessible system also increases the odds of leaving around unfinished attack code and leaking a zero-day attack. Thanks, Ingo