Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3224469ybt; Mon, 22 Jun 2020 19:01:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfkbeNGP/MgXFvTqp6RueoBFmPdwMReKZWZJYM/HMPZ6l1GkhIeLaM4g5hLHrbxjnb39uB X-Received: by 2002:a17:906:fa13:: with SMTP id lo19mr9733340ejb.213.1592877689312; Mon, 22 Jun 2020 19:01:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592877689; cv=none; d=google.com; s=arc-20160816; b=BGREzDegOCQjCpy91NLLJ8NuUwjZtF9NVgeiyMW5AKUqD2NGbaQsYgFcCtQodr8wBs Vi8b50bQIa86rfZlj6DQ2SrGiN2BqKYLPHQr+Q84Eb2jbWRquW+ztO52wS338oHw6FTy am29UnXhN9wiyHlizqNTNzWesSyljQeWsFkiqnXldA42XodbPJVxseQAL1crKYMC6DIp gJktC7MLgltgZo+9BlGd7b2N9Mwxva0lsSaa1CusEBDn5VIIT2s+0Xp4w6i1uKLck6tT wVrLgpSUu5Nv+5hmiRE5Z17wMQ7O4AiCFCmQXh+u9Fuqth07AV0obtZI7Bxjd7KESR7v /zKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:date:from :dkim-signature; bh=ci1H/D9yRBKgCOs8CwvIjI+cliPNnLJY+ZZdvthmHrE=; b=T/HX5bFl+VTxLgqWy7ogW7VHsb0qWHD8Op/d3hJj/s4FoNsjsotJEuSZcAxZ570cZk BrldvrPJJ8Fm20YcrBaFGCNXbfpIIkVaKGykQ/DhFKnN52gSKZDW/1m6yGxxQn4qcLrT SxYDOSg3THIG/6tlSIoIyEyhL9rvahal098HEdVJ2jehAEpaHSZtOAvfBwzFNIVeeZ61 iiMSafeaiRdaJJzcOt1rzaJvCRuC6XSRKLYK2QTWDJbkY5jA50Q9gKZpCQclM67vVeHu NHcGQEoU31NUGS+lK+Zk6Ug/rgGmaPt9cUsTph0OE0bqKycwPmQyYMx4OKuB9A3iwMV7 83+Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=bZnR5cxj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a22si9829400ejr.529.2020.06.22.19.01.07; Mon, 22 Jun 2020 19:01:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=bZnR5cxj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731118AbgFWAFP (ORCPT + 99 others); Mon, 22 Jun 2020 20:05:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730227AbgFWAFO (ORCPT ); Mon, 22 Jun 2020 20:05:14 -0400 Received: from mail-qt1-x844.google.com (mail-qt1-x844.google.com [IPv6:2607:f8b0:4864:20::844]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 592CBC061573 for ; Mon, 22 Jun 2020 17:05:13 -0700 (PDT) Received: by mail-qt1-x844.google.com with SMTP id u17so14167931qtq.1 for ; Mon, 22 Jun 2020 17:05:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:date:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=ci1H/D9yRBKgCOs8CwvIjI+cliPNnLJY+ZZdvthmHrE=; b=bZnR5cxj0yVhupPYbVTZrUAGY9nNkIrFLLNIPmuoAvUQ4OHK1sHDJWoL2/SJRkwpMI m7Prz2r4QOf6lv5YTO11dfUPOF7IdsLIzGE0bbPrwh0Jqu3SwX4PVrjDyEqr2hhiOwnd 8ZhWv03Dhkn/QmOUGiO+wbhlnkTVoyz0ypeJQhxVs+38DxTgnv8VKRIqiXcRvjAjFL2B PY3M7tpF+3Cje3f8ltlW1ZoL/ABW7ca3n/B+EM/ouagHylGpp4Fnj9zLrVUfXu2HmB2c rMGukrOiBhktkdYYOtt74ENxCSvvGBtzzC/JD9jGDjulPVNC8e2L3Rw63kb/ditJ9R4B 48CQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:date:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=ci1H/D9yRBKgCOs8CwvIjI+cliPNnLJY+ZZdvthmHrE=; b=GuXurFBbvig8TUYyZPJThtQX2KyHUX+dL8Mjcdevh8HTyCUiOWXfSlwRQZKGqx40Ht cRiU+sApvWMYHpI/dEaIGl6srWU6wusz6VfXVlO8H2vGTQpAsd0jhJUUvdMuMxaXcN6U Ygw6mqa+95OWm/UpuB5VexFxANU7T+/zEGsTF3IB8/opgSejUKm9Xp0Lf9mX+10RfdW4 9mgou6fyBojI8eWXIodUTkRtJeoh4NuU7MYqW+xVi2w33xe8w9k4dgo5OJ11R/O0UIt+ I1SlomNb0lUJ0RnAvfklsiA+0Pr46oU63ZEV6ptApaDpx/bkId9QKIpmEAveq8/k+AAd 9QKw== X-Gm-Message-State: AOAM532cdLE87N9Fh/ZHw4Ty7nYPaB+/P+UbqV0GuchclhCzp0vrnpz0 XApd2XayW47snLUUmsFSMDw= X-Received: by 2002:ac8:6602:: with SMTP id c2mr11641275qtp.243.1592870712468; Mon, 22 Jun 2020 17:05:12 -0700 (PDT) Received: from rani.riverdale.lan ([2001:470:1f07:5f3::b55f]) by smtp.gmail.com with ESMTPSA id p80sm3965934qke.19.2020.06.22.17.05.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2020 17:05:11 -0700 (PDT) From: Arvind Sankar X-Google-Original-From: Arvind Sankar Date: Mon, 22 Jun 2020 20:05:10 -0400 To: Kees Cook Cc: Arvind Sankar , Thomas Gleixner , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Catalin Marinas , Will Deacon , Mark Rutland , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , kernel-hardening@lists.openwall.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v4 3/5] stack: Optionally randomize kernel stack offset each syscall Message-ID: <20200623000510.GA3542245@rani.riverdale.lan> References: <20200622193146.2985288-1-keescook@chromium.org> <20200622193146.2985288-4-keescook@chromium.org> <20200622225615.GA3511702@rani.riverdale.lan> <202006221604.871B13DE3@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <202006221604.871B13DE3@keescook> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 22, 2020 at 04:07:11PM -0700, Kees Cook wrote: > On Mon, Jun 22, 2020 at 06:56:15PM -0400, Arvind Sankar wrote: > > On Mon, Jun 22, 2020 at 12:31:44PM -0700, Kees Cook wrote: > > > + > > > +#define add_random_kstack_offset() do { \ > > > + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ > > > + &randomize_kstack_offset)) { \ > > > + u32 offset = this_cpu_read(kstack_offset); \ > > > + u8 *ptr = __builtin_alloca(offset & 0x3FF); \ > > > + asm volatile("" : "=m"(*ptr)); \ > > > + } \ > > > +} while (0) > > > > This feels a little fragile. ptr doesn't escape the block, so the > > compiler is free to restore the stack immediately after this block. In > > fact, given that all you've said is that the asm modifies *ptr, but > > nothing uses that output, the compiler could eliminate the whole thing, > > no? > > > > https://godbolt.org/z/HT43F5 > > > > gcc restores the stack immediately, if no function calls come after it. > > > > clang completely eliminates the code if no function calls come after. > > nothing uses the stack in your example. And adding a barrier (which is > what the "=m" is, doesn't change it. Yeah, I realized that that was what's going on. And clang isn't actually DCE'ing it, it's taking advantage of the red zone since my alloca was small enough. But I still don't see anything _stopping_ the compiler from optimizing this better in the future. The "=m" is not a barrier: it just informs the compiler that the asm produces an output value in *ptr (and no other outputs). If nothing can consume that output, it doesn't stop the compiler from freeing the allocation immediately after the asm instead of at the end of the function. I'm talking about something like asm volatile("" : : "r" (ptr) : "memory"); which tells the compiler that the asm may change memory arbitrarily. Here, we don't use it really as a barrier, but to tell the compiler that the asm may have stashed the value of ptr somewhere in memory, so it's not free to reuse the space that it pointed to until the function returns (unless it can prove that nothing accesses memory, not just that nothing accesses ptr).