Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp3313931pxb; Fri, 4 Feb 2022 06:08:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJy0L3Iv8prmMN/aY+K8p/FVVmG49ERHYvbMTrgTc5+Uts3tVJB/VtLahd1ND/Q2iKCmPvsL X-Received: by 2002:a17:907:3ea4:: with SMTP id hs36mr2572300ejc.737.1643983730689; Fri, 04 Feb 2022 06:08:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643983730; cv=none; d=google.com; s=arc-20160816; b=IlY41G4SmLQNqpc0ZuqqMWzjJ8JrxjDtWJ0xs6gl2yw6A5THyb4ri7urUtH1k2ppE+ E/NTNhhoQ9JnUGJnN29w6e+1wVqfGDbZA/UP60C75Ag5EDyu451m6P33WeoyN69h6y/e VcZWp43JmjX3Ca6qOQ42VkqwEOEaeYtBwG80g+TWVs/wZkHMK6zetMkxD0nhBkFScnaU 8wWraokXpfZLjFzOuOwv5Kq4X3fgRHw6FAgGSYCNwMhY6EeIXEsoBIiYoPePnF6+R3Hm kzFaffwfVruCE+Z2wdyMiJfjmkUiXHT/BMFIbCmVeqBdiSeN6QCbvbNOQu6EMOCmzl1G h/TA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=pcT8Frn0n3Hw9SbN/loP8iSe8IeaLdSI0AOmRzA0azM=; b=LiWOPiC78dlODxWQY9uokv33Ns6J/o6u8UYHFnxQCsj8360/nZnltST7shDPD8TzD2 G4+TlJ/qDcy4k/T0WBTbEiegSb28FYQZTjzlQnH8ug3RpwHlSx3B3syOxKBXycIUtpek KDGE6x9XzW8JVXdHc4w3JLXVNDyrFiYB0mIx+ZWMXeGaCBEnOtxcvJyey7SjjxbI3gpo v2PPk6A/r5hsBHPCNFU21j1JmziJN2W6i0s/xNPsb7Z0wJ4J6BfBUnvgwTeAjnF1GSqa cKChN3HVkMcLNhix1eud8BQ623Yp+o+yA46D+ek4KzYSrrMCk4MQLveJ5Xm/lWtyEqvj YwKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=hKzVGBGb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j6si1264955ejo.751.2022.02.04.06.08.24; Fri, 04 Feb 2022 06:08:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=hKzVGBGb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237210AbiBALSe (ORCPT + 99 others); Tue, 1 Feb 2022 06:18:34 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37890 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236928AbiBALSc (ORCPT ); Tue, 1 Feb 2022 06:18:32 -0500 Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7027BC061714 for ; Tue, 1 Feb 2022 03:18:32 -0800 (PST) Received: by mail-oi1-x232.google.com with SMTP id t199so15926985oie.10 for ; Tue, 01 Feb 2022 03:18:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pcT8Frn0n3Hw9SbN/loP8iSe8IeaLdSI0AOmRzA0azM=; b=hKzVGBGbfsCPYJ7HefyXr6bWuywoKmYQ1742/PdhXYVL1PPYWI/07d9VBKqIDjQKlG AnjyTkWXbTrOui9wEp9Ws/Obt6FXRwK3bogt36ZFKq/2FesmgQhkOtU0Dwdm6g5NExQz evPsi84gy9SKtMvgVLeUNRdk5zTgXWxKul8/dDs/VuNoEfqgf+h9cyHuQPsO54btyTyF DeqENVu1pV0fem6L4ajx7cvL9IcVau2AH7EWFNtQniJxePcfsA3yBYGT3T/LDabMKlgw MFJv8z5GPDcZTCIRSz6oijDhwbdCdy8wRWf1SE7atFeRCLswZe7ZLh5VHO//32pFY91U PWjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pcT8Frn0n3Hw9SbN/loP8iSe8IeaLdSI0AOmRzA0azM=; b=0JBkqAD0Xd9QNxfkGA0kjOAlTPhycoa7UHK9t/QP9YWrGM8R+QCdp3ikZIUFvh/gfm lBUsn7KAfvHooZxlSL02w0DqhfIM2CrqlpuG8MgH8reY/7IHM0ier9v2FF8oucJce3FH Y7t+N0biGbII1x94bbTrBD358FWB8gO7BfCLgmMo5ToAuV3SwB6lOOVKxoxef+apovU0 sDyhuqbCMXyC95mpEalvWFP/L30xM7FIA4cZA/8fLazDIjbtvcxcui19kiEJivPVtMXf lEIYUFV/UjPYnUXUcx+z+qfBlvPnQF+LmqU1l+xh6ciTWmnjvf4xY4V33j2B1dvzFZ7L sZCg== X-Gm-Message-State: AOAM532hHj41tScYTg7TxUniCniG3FbABoiSXhxdR8E/5QlF79pZP0Wg N22isbLyoH5KXBVL/PyHaT/ZZXfI0rIbaG9LEUpipg== X-Received: by 2002:aca:2b16:: with SMTP id i22mr746926oik.128.1643714311558; Tue, 01 Feb 2022 03:18:31 -0800 (PST) MIME-Version: 1.0 References: <20220131090521.1947110-1-elver@google.com> <20220131090521.1947110-2-elver@google.com> <202201311315.B9FDD0A@keescook> In-Reply-To: <202201311315.B9FDD0A@keescook> From: Marco Elver Date: Tue, 1 Feb 2022 12:18:19 +0100 Message-ID: Subject: Re: [PATCH v2 2/2] stack: Constrain and fix stack offset randomization with Clang builds To: Kees Cook Cc: Thomas Gleixner , Peter Zijlstra , Ingo Molnar , Elena Reshetova , Nathan Chancellor , Nick Desaulniers , Alexander Potapenko , llvm@lists.linux.dev, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 31 Jan 2022 at 22:15, Kees Cook wrote: > On Mon, Jan 31, 2022 at 10:05:21AM +0100, Marco Elver wrote: > > All supported versions of Clang perform auto-init of __builtin_alloca() > > when stack auto-init is on (CONFIG_INIT_STACK_ALL_{ZERO,PATTERN}). > > > > add_random_kstack_offset() uses __builtin_alloca() to add a stack > > offset. This means, when CONFIG_INIT_STACK_ALL_{ZERO,PATTERN} is > > enabled, add_random_kstack_offset() will auto-init that unused portion > > of the stack used to add an offset. > > > > There are several problems with this: > > > > 1. These offsets can be as large as 1023 bytes. Performing > > memset() on them isn't exactly cheap, and this is done on > > every syscall entry. > > > > 2. Architectures adding add_random_kstack_offset() to syscall > > entry implemented in C require them to be 'noinstr' (e.g. see > > x86 and s390). The potential problem here is that a call to > > memset may occur, which is not noinstr. > > > > A x86_64 defconfig kernel with Clang 11 and CONFIG_VMLINUX_VALIDATION shows: > > > > | vmlinux.o: warning: objtool: do_syscall_64()+0x9d: call to memset() leaves .noinstr.text section > > | vmlinux.o: warning: objtool: do_int80_syscall_32()+0xab: call to memset() leaves .noinstr.text section > > | vmlinux.o: warning: objtool: __do_fast_syscall_32()+0xe2: call to memset() leaves .noinstr.text section > > | vmlinux.o: warning: objtool: fixup_bad_iret()+0x2f: call to memset() leaves .noinstr.text section > > > > Clang 14 (unreleased) will introduce a way to skip alloca initialization > > via __builtin_alloca_uninitialized() (https://reviews.llvm.org/D115440). > > > > Constrain RANDOMIZE_KSTACK_OFFSET to only be enabled if no stack > > auto-init is enabled, the compiler is GCC, or Clang is version 14+. Use > > __builtin_alloca_uninitialized() if the compiler provides it, as is done > > by Clang 14. > > > > Link: https://lkml.kernel.org/r/YbHTKUjEejZCLyhX@elver.google.com > > Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall") > > Signed-off-by: Marco Elver > > Thanks for the tweaks; this looks good to me now. > > Acked-by: Kees Cook Kees, which tree do randomize_kstack changes go through these days? I've seen previous patches went through -tip via Thomas. Thanks, -- Marco