Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp634093pxb; Tue, 5 Apr 2022 16:42:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzrPrtX9LvsZc1dK4MFQvJYB49sawE8Sku7sb+7sAuTOxRpM53/YD0v9F6jTVbjThRvTgtE X-Received: by 2002:a17:902:6b44:b0:154:4bee:c434 with SMTP id g4-20020a1709026b4400b001544beec434mr5948715plt.43.1649202161228; Tue, 05 Apr 2022 16:42:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649202161; cv=none; d=google.com; s=arc-20160816; b=C+4mkQmTYK3CvRrdcI7Xd/iq7kl9G87E+v799PEM1fRsypptsHUnA4xYjwaAR/CZkJ vDT+qDq0p0TNyK2kt7QszflWsMrucCGj6cR54h8iSbbQtrO1OXXAzpDSrtDWLCePzHwC Q0PjZAKqR8d4F81yBCTGMlOqnoZFK0ibAowlszDq/l5PG1Dbl14zIwbj5X0F1GXgTmo0 uhlJZj/J8U7MD+ifUG8kzb6jT/OkFVGb1d+1vgwtrqWkItXOe5Ztd/aHWlYfdC62W66f VePzKLgomDP5CilfAxgUv6EGS+i2s+Y5OOsp6ZKcr51VAMD67mJAe2dsfPyI789iMP9E 5uwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sGGHE9n03E5IPsxo6+diiJxWBhGqiQ+BP4Zaf6Ql1gM=; b=bMxzGdkP0BIeGzYjrap2IlDfH0RWxl6owiZSZUirbbGSON8H1a8Euv8wRZfjTj7x+g 3JEcm/611jiPsFbdKzRqjtMCr9Q7XbX0JHMZwdT5/lzZ2r0luoPiZcwKrk4CGVzFRBtg /wCcfM2WptDw+L1Az1ZH73EKj/DzXHd+C4AZmYul0H/cFcJftRZHrH1gSWgS/ZsGJLFo xeyPsSMPk9K7WeHjyZk46KHmzUdEVSCIrOxN35PL+O6HEpb+mcOc3Wa7EKSbqK06eqrS Vwe+8hcPyyyw7j9CiWJB32tfXsCAMSWvm+oyyN77vpHcWDAHTgxF36zhyD5h2FHUjCIi EZiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AK4yUI5O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id cq14-20020a056a00330e00b004fe06f66c57si6418129pfb.156.2022.04.05.16.42.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Apr 2022 16:42:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AK4yUI5O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7AD7020A979; Tue, 5 Apr 2022 16:27:00 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378112AbiDELbh (ORCPT + 99 others); Tue, 5 Apr 2022 07:31:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47636 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244358AbiDEIv7 (ORCPT ); Tue, 5 Apr 2022 04:51:59 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B0C6D4451; Tue, 5 Apr 2022 01:40:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6CF4AB81C69; Tue, 5 Apr 2022 08:40:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D181DC385A4; Tue, 5 Apr 2022 08:40:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649148047; bh=xMTWoOG1DuSsSOJTpFqmJoGyzRzHLywWkD5GWPh5E4I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AK4yUI5OBuT2YeExfw4jDmAbq2uNIBx+0RsCfwxvzRr2XF6LaoLhPYVe0t7AWrh1j r8MvETcvvEKGLlWei5GN+E8eGJXKgqkkodjAu6Wm8Gx1IeDZeAxz2eoZ4r/w1V3JBs yg1+oZzAXxGxJN9y1/dv55eV/ZoBUOcS17NDIqFA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marco Elver , Nathan Chancellor , Kees Cook , Sasha Levin Subject: [PATCH 5.16 0214/1017] stack: Constrain and fix stack offset randomization with Clang builds Date: Tue, 5 Apr 2022 09:18:47 +0200 Message-Id: <20220405070400.603149784@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070354.155796697@linuxfoundation.org> References: <20220405070354.155796697@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marco Elver [ Upstream commit efa90c11f62e6b7252fb75efe2787056872a627c ] All supported versions of Clang perform auto-init of __builtin_alloca() when stack auto-init is on (CONFIG_INIT_STACK_ALL_{ZERO,PATTERN}). add_random_kstack_offset() uses __builtin_alloca() to add a stack offset. This means, when CONFIG_INIT_STACK_ALL_{ZERO,PATTERN} is enabled, add_random_kstack_offset() will auto-init that unused portion of the stack used to add an offset. There are several problems with this: 1. These offsets can be as large as 1023 bytes. Performing memset() on them isn't exactly cheap, and this is done on every syscall entry. 2. Architectures adding add_random_kstack_offset() to syscall entry implemented in C require them to be 'noinstr' (e.g. see x86 and s390). The potential problem here is that a call to memset may occur, which is not noinstr. A x86_64 defconfig kernel with Clang 11 and CONFIG_VMLINUX_VALIDATION shows: | vmlinux.o: warning: objtool: do_syscall_64()+0x9d: call to memset() leaves .noinstr.text section | vmlinux.o: warning: objtool: do_int80_syscall_32()+0xab: call to memset() leaves .noinstr.text section | vmlinux.o: warning: objtool: __do_fast_syscall_32()+0xe2: call to memset() leaves .noinstr.text section | vmlinux.o: warning: objtool: fixup_bad_iret()+0x2f: call to memset() leaves .noinstr.text section Clang 14 (unreleased) will introduce a way to skip alloca initialization via __builtin_alloca_uninitialized() (https://reviews.llvm.org/D115440). Constrain RANDOMIZE_KSTACK_OFFSET to only be enabled if no stack auto-init is enabled, the compiler is GCC, or Clang is version 14+. Use __builtin_alloca_uninitialized() if the compiler provides it, as is done by Clang 14. Link: https://lkml.kernel.org/r/YbHTKUjEejZCLyhX@elver.google.com Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall") Signed-off-by: Marco Elver Reviewed-by: Nathan Chancellor Acked-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220131090521.1947110-2-elver@google.com Signed-off-by: Sasha Levin --- arch/Kconfig | 1 + include/linux/randomize_kstack.h | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/arch/Kconfig b/arch/Kconfig index d3c4ab249e9c..a825f8251f3d 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -1159,6 +1159,7 @@ config HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET config RANDOMIZE_KSTACK_OFFSET_DEFAULT bool "Randomize kernel stack offset on syscall entry" depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET + depends on INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION >= 140000 help The kernel stack offset can be randomized (after pt_regs) by roughly 5 bits of entropy, frustrating memory corruption diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h index bebc911161b6..d373f1bcbf7c 100644 --- a/include/linux/randomize_kstack.h +++ b/include/linux/randomize_kstack.h @@ -16,8 +16,20 @@ DECLARE_PER_CPU(u32, kstack_offset); * alignment. Also, since this use is being explicitly masked to a max of * 10 bits, stack-clash style attacks are unlikely. For more details see * "VLAs" in Documentation/process/deprecated.rst + * + * The normal __builtin_alloca() is initialized with INIT_STACK_ALL (currently + * only with Clang and not GCC). Initializing the unused area on each syscall + * entry is expensive, and generating an implicit call to memset() may also be + * problematic (such as in noinstr functions). Therefore, if the compiler + * supports it (which it should if it initializes allocas), always use the + * "uninitialized" variant of the builtin. */ -void *__builtin_alloca(size_t size); +#if __has_builtin(__builtin_alloca_uninitialized) +#define __kstack_alloca __builtin_alloca_uninitialized +#else +#define __kstack_alloca __builtin_alloca +#endif + /* * Use, at most, 10 bits of entropy. We explicitly cap this to keep the * "VLA" from being unbounded (see above). 10 bits leaves enough room for @@ -36,7 +48,7 @@ void *__builtin_alloca(size_t size); if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ &randomize_kstack_offset)) { \ u32 offset = raw_cpu_read(kstack_offset); \ - u8 *ptr = __builtin_alloca(KSTACK_OFFSET_MAX(offset)); \ + u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset)); \ /* Keep allocation even after "ptr" loses scope. */ \ asm volatile("" :: "r"(ptr) : "memory"); \ } \ -- 2.34.1