Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6880765ybi; Wed, 31 Jul 2019 23:37:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqyXucwau1I1z/qtbpGlUiNqkwRbcVa1N6LHLCT76loecR5I7GeiuPCftyFCPa+dtzCbEzc5 X-Received: by 2002:a63:e5a:: with SMTP id 26mr113183621pgo.3.1564641420898; Wed, 31 Jul 2019 23:37:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564641420; cv=none; d=google.com; s=arc-20160816; b=K1LoSrk2PqFYalnT0C9Uncb/eu8RIVxeofRdBnO3kL+zNrVhM9IXmUJMw9Cd4LfFID 21xp5xt8G/MxSD6X0s6Zf8a896rsu8ElgRcSlcMMmH1bpSn3uwOQqAlS8R7NaZZ/Vsdn 9Cex8cgLUxBSP8lnvJiLvQvWE7XddOSdgwatb5UWNfDF6RwZSkE+dwO2IXhO9kfDH5aa GmRgru+BTjwzQNX+GKeERaSHQZHSRciMEJthgtLMmDIkqjwhuknaB266bSdtsYFkel8f vVXjndC72upBNZyh98uK3Q/OrxKMzzuRJOJ0No2mRPyEqyUM0p+QWB66uSPifhMISuW/ vGJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=7BP24UqVR4QaL2csuzYelBUyOY1OpkXGuXVZFdKXrOU=; b=l8gEtol2gC7uV76R0l+AFO8kUeIVvYuOvOss4dhO0cTCwj4lEfD73R6rbQQWf4oiGQ 0ZGIk2z2Ber3smfuQQfCd8b2dMOKq5KWGBjFVkbaGoyc5EYahSg8Nsd6fww3VDof+u5N LtSK/pzbIMwk2AzcjBgrMXgwnmcujZFocgqe5A3A5fJ5jm+GanFHp8R3AOeJeSfX63t/ /vcd4KHJCxy0URuyG0h12N33A42GxngsyX57jAntkhU+UVNlrD1DZGukeNqCL+3jH5DF uwGdA9WyF2YTKTb3d12pq/a2PI8vIB3xagD+fs5hUpqgXkyW2X4EHtIk4GGyYK269wm3 iIOQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f18si33936996pfq.169.2019.07.31.23.36.45; Wed, 31 Jul 2019 23:37:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729657AbfHAGfw convert rfc822-to-8bit (ORCPT + 99 others); Thu, 1 Aug 2019 02:35:52 -0400 Received: from mga05.intel.com ([192.55.52.43]:52715 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728884AbfHAGfw (ORCPT ); Thu, 1 Aug 2019 02:35:52 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jul 2019 23:35:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,333,1559545200"; d="scan'208";a="371909439" Received: from irsmsx153.ger.corp.intel.com ([163.33.192.75]) by fmsmga005.fm.intel.com with ESMTP; 31 Jul 2019 23:35:48 -0700 Received: from irsmsx102.ger.corp.intel.com ([169.254.2.59]) by IRSMSX153.ger.corp.intel.com ([169.254.9.166]) with mapi id 14.03.0439.000; Thu, 1 Aug 2019 07:35:47 +0100 From: "Reshetova, Elena" To: 'Kees Cook' , 'Ingo Molnar' , 'Andy Lutomirski' CC: 'Theodore Ts'o' , 'David Laight' , 'Eric Biggers' , "'ebiggers@google.com'" , "'herbert@gondor.apana.org.au'" , 'Peter Zijlstra' , 'Daniel Borkmann' , "'linux-kernel@vger.kernel.org'" , "'jpoimboe@redhat.com'" , "'jannh@google.com'" , "Perla, Enrico" , "'mingo@redhat.com'" , "'bp@alien8.de'" , "'tglx@linutronix.de'" , "'gregkh@linuxfoundation.org'" , "Edgecombe, Rick P" , 'Linus Torvalds' , 'Peter Zijlstra' Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Thread-Topic: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Thread-Index: AQHU81HQwzT9MH4dM0y/JZXnSwiYT6Y8wW2AgAAdM1CAAXexAIAANZ3ggAAW1gCAAApRgIAAMeKAgAAd+PCAAQuGgIAAYQuAgAAKhwCACsPi4IADJTwAgAAcagCAAExngIAEBbGAgACIbACAAbyQ8IAA626AgAGZfXCAAARpgIAAWpuAgAAF74CAABf/AIAAAvkAgAGZnrD///dzgIAHjbaA///31ICAAC4VAIABBxmAgAAfuaCAAA5FAIAED8OAgAAYaYCAAINWgIAAbRaAgBjvMfCAACWEgIABZK1ggACCc4CAX3oCYIAEYVlA Date: Thu, 1 Aug 2019 06:35:47 +0000 Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4D530F0@IRSMSX102.ger.corp.intel.com> References: <20190509055915.GA58462@gmail.com> <2236FBA76BA1254E88B949DDB74E612BA4C7741F@IRSMSX102.ger.corp.intel.com> <20190509084352.GA96236@gmail.com> <201905111703.5998DF5F@keescook> <20190512080245.GA7827@gmail.com> <201905120705.4F27DF3244@keescook> <2236FBA76BA1254E88B949DDB74E612BA4CA8DBF@IRSMSX102.ger.corp.intel.com> <20190528133347.GD19149@mit.edu> <2236FBA76BA1254E88B949DDB74E612BA4CABA56@IRSMSX102.ger.corp.intel.com> <201905291136.FD61FF42@keescook> <2236FBA76BA1254E88B949DDB74E612BA4D4BFCA@IRSMSX102.ger.corp.intel.com> In-Reply-To: <2236FBA76BA1254E88B949DDB74E612BA4D4BFCA@IRSMSX102.ger.corp.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [163.33.239.181] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> The in-stack randomization is really a very small change both code wise and >> logic wise. >> It does not affect real workloads and does not require enablement of other >> features (such as GCC plugins). >> So, I think we should really reconsider its inclusion. >I'd agree: the code is tiny and while the benefit can't point to a >specific issue, it does point to the general weakness of the stack >offset being predictable which has been a core observation for many >stack-based attacks. >If we're going to save state between syscalls (like the 4096 random >bytes pool), how about instead we just use a single per-CPU long mixed >with rdtsc saved at syscall exit. That should be a reasonable balance >between all the considerations and make it trivial for the feature to >be a boot flag without the extra page of storage, etc. Sounds like a viable compromise for me. Ingo, Andy? Best Regards, Elena.