Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp2748441pxb;
        Mon, 31 Jan 2022 03:32:08 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzjpa31qdY6SLOtU73SRg2hEBXlLQjTE746+jKG+iNbpGI6Y/x8oeKm4gkr/EiuTlCMHBP2
X-Received: by 2002:a17:902:e844:: with SMTP id t4mr20170880plg.104.1643628728012;
        Mon, 31 Jan 2022 03:32:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643628728; cv=none;
        d=google.com; s=arc-20160816;
        b=f41ULJUJTd736rx3dBkg/boZ9kkVaJfpmsRIQJEr4Hsm/qH/0yAQIjZiPhcdjWavRV
         Q/HAdcXRq3ssmThXL4UmRDkUL70QviG9Jv3273314tmPJlRCPFUgzNgn6jafFrmUPaMt
         MkxMVLQEWDFOkKDyYc3SsVYmHZwlxcIVZyGW7lFiK3vlF2j4CR/GdYFZXKNvYSXuoo/K
         4n1t9i3o7lFl6lIAlzlkFeYK3YdxyjsjoM1mFdm9pO6sfNmlUXDzOAole/lgY1jP6isR
         9mVg3l8KRp3H4P0qsRioVpSErF0dCqcXmVGEAPdQ0KtI/2n3apPkzWiHkkPZuESatJ1y
         EJpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=k+KRxXOu730X8LGDY8ibWFrqzfk6XaCWgUlQ/FJX/1g=;
        b=rCxLq50UMVlruivF4uy9Ve/KLVNJXsfRl8HbBUAN/pZboTedrHweT9LvMn4h+qYE+X
         ooc5QMFwtit2VzOC+T0mo//T8G4dz4OdjsXkdh2mPVmYX9nBOPe5Czz4fuDpOBf1hSyq
         9Pq4lHf7bjhg4vB5v4jjPNCcy0rWhWzX0cvecQOGlpTCwopg9WBoZiAWUfjcHYTC9moC
         LCkoOSHm18pHkPo9WO/K2QWw0Yq0mResm2cZO9tFHmtWJpRXa/BXzIoOhMnTQl2jjuFr
         7/BhJ7ZxLthojw1Qq5p+JUVLWHmNq/yrD4ephYDq7WnHuPvz54lcq+kp2jJ16jIn5pWo
         e9ew==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=QzY57hp7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u8si14728692plh.177.2022.01.31.03.31.57;
        Mon, 31 Jan 2022 03:32:08 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=QzY57hp7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239884AbiA1T7b (ORCPT <rfc822;sshegde.linux@gmail.com>
        + 99 others); Fri, 28 Jan 2022 14:59:31 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34686 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232875AbiA1T7a (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 28 Jan 2022 14:59:30 -0500
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31D44C061714
        for <linux-kernel@vger.kernel.org>; Fri, 28 Jan 2022 11:59:30 -0800 (PST)
Received: by mail-pl1-x635.google.com with SMTP id h14so7149414plf.1
        for <linux-kernel@vger.kernel.org>; Fri, 28 Jan 2022 11:59:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=k+KRxXOu730X8LGDY8ibWFrqzfk6XaCWgUlQ/FJX/1g=;
        b=QzY57hp7L7C4IZbQuK3maGb3nj+uWYpqF0Yyk5wwLy6/eJqluG4XaJR5X9c6vaBhca
         +4eW4VquXi25Krzxq/EFw4Jf45zqP9xeHpsX+yvvP8hH1WFNrNHqwwapMmFbvrCgnuEd
         huCEf62r6D+yDp31w66z0o2a9sMjTQoSXNUmw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=k+KRxXOu730X8LGDY8ibWFrqzfk6XaCWgUlQ/FJX/1g=;
        b=aJVBytcKrPa0BzAmoz1lGJFyPd0x67f6rdY8EVG/DENeMCBTXSH6Rmiyix7As8KcX/
         m1yJojivRS60/RWIx4JVHfCG00HAi1bxr7/+M/NTxwu0XDuiEp0hioHZeju77y/FHAJL
         axt8P1mOEhnfe9m7LpL8zjmjfmGXetMGT/u51Q6dFB21uqy8S0ld+N/rUIW6J5yOIqyg
         RxCYFuPE6WA3Cx1jCpMY+J49vaWaZCXZKiwn2GEO+NqyUetieQPjd4fFfFIE5hthwdeo
         rEoGmgJBRvFG71aud4zuAqsOLg2zGLqflMJtVEGH7R2IIJx5GRXFQAM1l8VCzywlG+Gz
         yVGw==
X-Gm-Message-State: AOAM533zfLlTYkpBItJ3uuhk9k4GUgaWukG1knEJHvqJ/jWwVLWVEYhI
        gt/nOHFuQ6AB0tHhOuuEzBu5dg==
X-Received: by 2002:a17:90b:1c8d:: with SMTP id oo13mr11600468pjb.59.1643399969749;
        Fri, 28 Jan 2022 11:59:29 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id o11sm22920833pgj.33.2022.01.28.11.59.29
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 28 Jan 2022 11:59:29 -0800 (PST)
Date:   Fri, 28 Jan 2022 11:59:28 -0800
From:   Kees Cook <keescook@chromium.org>
To:     Marco Elver <elver@google.com>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@kernel.org>,
        Nathan Chancellor <nathan@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Alexander Potapenko <glider@google.com>, llvm@lists.linux.dev,
        kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] stack: Constrain stack offset randomization with
 Clang builds
Message-ID: <202201281141.2491039E@keescook>
References: <20220128114446.740575-1-elver@google.com>
 <20220128114446.740575-2-elver@google.com>
 <202201281058.83EC9565@keescook>
 <CANpmjNNaQ=06PfmPudBsLG7r9RsFXYo-NQR4CSM=iO11LFSHKw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CANpmjNNaQ=06PfmPudBsLG7r9RsFXYo-NQR4CSM=iO11LFSHKw@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 28, 2022 at 08:23:02PM +0100, Marco Elver wrote:
> On Fri, 28 Jan 2022 at 20:10, Kees Cook <keescook@chromium.org> wrote:
> [...]
> > >       2. Architectures adding add_random_kstack_offset() to syscall
> > >          entry implemented in C require them to be 'noinstr' (e.g. see
> > >          x86 and s390). The potential problem here is that a call to
> > >          memset may occur, which is not noinstr.
> [...]
> > > --- a/arch/Kconfig
> > > +++ b/arch/Kconfig
> > > @@ -1163,6 +1163,7 @@ config RANDOMIZE_KSTACK_OFFSET
> > >       bool "Support for randomizing kernel stack offset on syscall entry" if EXPERT
> > >       default y
> > >       depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
> > > +     depends on INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION >= 140000
> >
> > This makes it _unavailable_ for folks with Clang < 14, which seems
> > too strong, especially since it's run-time off by default. I'd prefer
> > dropping this hunk and adding some language to the _DEFAULT help noting
> > the specific performance impact on Clang < 14.
> 
> You're right, if it was only about performance. But there's the
> correctness issue with ARCH_WANTS_NOINSTR architectures, where we
> really shouldn't emit a call. In those cases, even if compiled in,
> enabling the feature may cause trouble.

Hrm. While I suspect instrumentation of memset() from a C function that is
about to turn on instrumentation is likely quite safe, I guess the size
of the venn diagram overlap of folks wanting to use kstack randomization
and an older Clang quickly approaches zero. But everyone building with
an older Clang gets warnings spewed, so I agree: let's opt for complete
correctness here, and make this >= 14 as you have done.

-- 
Kees Cook