Date: Thu, 23 Apr 2020 12:40:35 -0700
From: Kees Cook
To: Borislav Petkov
Cc: Nick Desaulniers, Michael Matz, Jakub Jelinek, Sergei Trofimovich, LKML, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", Andy Lutomirski, Peter Zijlstra, x86@kernel.org, clang-built-linux, Martin Liška
Subject: Re: [PATCH] x86: Fix early boot crash on gcc-10, next try
Message-ID: <202004231237.AB249F90@keescook>
References: <20200422102309.GA26846@zn.tnic> <20200422192113.GG26846@zn.tnic> <20200422212605.GI26846@zn.tnic> <20200423125300.GC26021@zn.tnic> <20200423161126.GD26021@zn.tnic>
In-Reply-To: <20200423161126.GD26021@zn.tnic>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 23, 2020 at 06:12:24PM +0200, Borislav Petkov wrote:
> Ok,
>
> I have tried to summarize our odyssey so far and here's what I came up
> with. Just built latest gcc from the git repo and it seems to work.
>
> Next I need to come up with a slick way of testing the compiler...
>
> Thx.
>
> ---
> From: Borislav Petkov
>
> ... or the odyssey of trying to disable the stack protector for the
> function which generates the stack canary value.
>
> The whole story started with Sergei reporting a boot crash with a kernel
> built with gcc-10:
>
>   Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
>   CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-00235-gfffb08b37df9 #139
>   Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
>   Call Trace:
>     dump_stack
>     panic
>     ? start_secondary
>     __stack_chk_fail
>     start_secondary
>     secondary_startup_64
>   ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
>
> This happens because gcc-10 tail-call optimizes the last function call
> in start_secondary() - cpu_startup_entry() - and thus emits a stack
> canary check which fails because the canary value changes after the
> boot_init_stack_canary() call.
>
> To fix that, the initial attempt was to mark the one function which
> generates the stack canary with:
>
>   __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused)
>
> however, using the optimize attribute doesn't work cumulatively
> as the attribute does not add to but rather replaces previously
> supplied optimization options - roughly all -fxxx options.
>
> The key one among them being -fno-omit-frame-pointer and thus leading to
> a not present frame pointer - a frame pointer which the kernel needs.
>
> The next attempt to prevent compilers from tail-call optimizing
> the last function call cpu_startup_entry(), shy of carving out
> start_secondary() into a separate compilation unit and building it with
> -fno-stack-protector, is this one.
>
> The current solution is short and sweet, and reportedly, is supported by
> both compilers so let's see how far we'll get this time.
>
> Reported-by: Sergei Trofimovich
> Signed-off-by: Borislav Petkov

Reviewed-by: Kees Cook

I'm glad to have the gcc bug opened for the function attribute; thanks
Nick! I needed that for the syscall entry code, but instead went with a
compilation-unit down-grade[1]. I'd much prefer the attribute. :)

-Kees

[1] https://lore.kernel.org/lkml/20200406231606.37619-5-keescook@chromium.org/

> Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org
> ---
>  arch/x86/kernel/smpboot.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
> index 3b9bf8c7e29d..e9f44727fccd 100644
> --- a/arch/x86/kernel/smpboot.c
> +++ b/arch/x86/kernel/smpboot.c
> @@ -266,6 +266,14 @@ static void notrace start_secondary(void *unused)
>
>  	wmb();
>  	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
> +
> +	/*
> +	 * Prevent tail call to cpu_startup_entry() because the stack protector
> +	 * guard has been changed a couple of functions up, in
> +	 * boot_init_stack_canary() and must not be checked before tail calling
> +	 * another function.
> +	 */
> +	asm ("");
>  }
>
>  /**
> --
> 2.21.0
>
>
> --
> Regards/Gruss,
>     Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

--
Kees Cook
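Review bot: the new comment above `asm ("");` in the smpboot.c hunk says why the tail call to cpu_startup_entry() must not happen, but not why an empty asm statement prevents it, and the commit message itself only says the trick is "reportedly" supported by both compilers. Add a sentence stating that neither gcc nor clang will sibling-call optimize across an asm statement (an asm with no output operands is implicitly volatile, so `asm ("")` rather than `asm volatile ("")` is sufficient), and reference the gcc bug for the function attribute mentioned in this thread, so a later reader knows the empty asm is a compiler barrier to be replaced once that attribute works, not a leftover.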
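The patch depends on one property of the toolchain: a call followed by an empty asm statement stays a real call instead of becoming a jmp. The following is an added example, not code from the kernel tree or from anyone in this thread, of a small user-space probe that checks that property for whatever compiler and -O level it is built with. All function and variable names (record_depth, probe, empty_asm_blocks_tail_call, and so on) are this example's own. It works by having a callee record the address of one of its own stack locals: reached through a real call from a wrapper, that address is deeper than on a direct call because the wrapper's return address and frame sit in between; reached through a sibling-call jmp, the wrapper's frame is already gone and the callee sees exactly the depth of a direct call.

```c
/*
 * Added example: probe whether this compiler turns a call in tail
 * position into a jmp (sibling-call optimization) and whether an empty
 * asm statement after the call blocks that, which is the property the
 * smpboot.c change relies on. Not kernel code; names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

/* noclone is gcc-only; clang would only warn, but keep the build clean. */
#if defined(__clang__)
#define PROBE_FN __attribute__((noinline))
#else
#define PROBE_FN __attribute__((noinline, noclone))
#endif

/* Written by the callee, read by probe() after each call returns. */
static volatile uintptr_t callee_depth;

/* Records where its own stack frame ended up. */
PROBE_FN static void record_depth(void)
{
	volatile char marker = 0;            /* lives in this function's frame */
	callee_depth = (uintptr_t)&marker;
}

/* The call is the last thing in the function: a sibling-call candidate. */
PROBE_FN static void call_in_tail_position(void)
{
	record_depth();
}

/*
 * Same call followed by an empty asm, as in the patch (the kernel spells
 * it asm (""); __asm__ is used here so this also builds with -std=c11).
 * An asm with no output operands is implicitly volatile and has to run
 * after the call returns, so the call cannot be turned into a jmp.
 */
PROBE_FN static void call_then_empty_asm(void)
{
	record_depth();
	__asm__("");
}

/*
 * All three calls are issued from this one function, so the stack pointer
 * at each call instruction is the same and the recorded depths compare.
 */
PROBE_FN static void probe(uintptr_t *direct, uintptr_t *tail, uintptr_t *barrier)
{
	record_depth();
	*direct = callee_depth;
	call_in_tail_position();
	*tail = callee_depth;
	call_then_empty_asm();
	*barrier = callee_depth;
}

/* 1 if the compiler sibling-call optimized call_in_tail_position(). */
int compiler_tail_calls_here(void)
{
	uintptr_t direct, tail, barrier;

	probe(&direct, &tail, &barrier);
	return tail == direct;
}

/* 1 if the empty asm kept the call a real call; expected at every -O level. */
int empty_asm_blocks_tail_call(void)
{
	uintptr_t direct, tail, barrier;

	probe(&direct, &tail, &barrier);
	return barrier != direct;
}

int main(void)
{
	printf("call in tail position became a jmp: %s\n",
	       compiler_tail_calls_here() ? "yes" : "no");
	printf("empty asm kept it a real call:      %s\n",
	       empty_asm_blocks_tail_call() ? "yes" : "no");
	return empty_asm_blocks_tail_call() ? 0 : 1;
}
```

Build it once with -O2 and once with -O0: the first line typically flips from "yes" to "no" because -foptimize-sibling-calls is only on at -O2 and above, while the second line should read "yes" either way, for gcc and clang alike. The probe does not reproduce the canary mismatch itself (that needs -fstack-protector plus code that rewrites the guard mid-function, as boot_init_stack_canary() does); it checks the one compiler behaviour the fix assumes, and it is arch-independent because it only compares the two depths for inequality.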