Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp5985267iob; Tue, 10 May 2022 08:00:40 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyuX33B0QJfeG56N+0OYFY5+oY2G7ZdW2ClATCzm1m5MirirHjKHBqeAUJuR/hzYbuxmVDD X-Received: by 2002:a17:903:244b:b0:15e:8844:1578 with SMTP id l11-20020a170903244b00b0015e88441578mr21180580pls.13.1652194839951; Tue, 10 May 2022 08:00:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652194839; cv=none; d=google.com; s=arc-20160816; b=d50PEVa10c897sAzJGt+7XFhAobHYLWJnUoutd1516ebsYopg9RWz4IFBGYqZammQX dUsbqO3yxDoOjaxyEp4c6bkDG/UWmtQY/tNn67yjDbJQhgHxKztA1KCG+CsQYx8t9DMr 3IMrPFOQZRYPcxX+gG4FBSyDBUWpNhKFRbBlgW1os8JZdpKAAEV8kHe3G0oqrDSZYuFu 6peHlwON3rN+zFhjClPDMrHL2zF2Cf6D6uNnPO/Msb2juApcEfhpiMorGeM3BfoaB0nY BvBMVzASru0FdQzIMWOqHsReMdibZlWSGZCotobY/QQfSGycGHbypmTcEMZIOkAuWr+u aWaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=VnuJnBYZL2lI3mtvwdJgWYVU8Yw+TZbasVU+k+EQe9Q=; b=l9GtxWxrmjifYviXayAKJTGhuyoW8vbBdQFmpIgZ5rVcpmD3sOwf3TTOlQ5VQp2ken R+6+9O50iRkspDwERybtciL3SbBsbZyDM1mT9teC2N3SDnDtf1SMf17BWw1pIhFuUSO6 FUMI+tTP9SfrWczMRbj3COIe7Ly0H4BIa9IL5mzX3E1h4s80vQF/q7REhlwGFuIebeXb /S5zJRkrY0FnzdTbQXJO4SoqgOqIpoYigRFPgZaHe/z/3SrVaxewBDPChJLjb4RSRHSZ Ie1T+fNOsF4t7bWiTog37uWLvMOqRGuk0yonw88Qebn5NjpbHZOaYudIs3poANngr4cr S7Fw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d20-20020a170902729400b0015ea137dd51si3132027pll.608.2022.05.10.08.00.24; Tue, 10 May 2022 08:00:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241220AbiEJLvP (ORCPT + 99 others); Tue, 10 May 2022 07:51:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241218AbiEJLu4 (ORCPT ); Tue, 10 May 2022 07:50:56 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 565EF235C04 for ; Tue, 10 May 2022 04:46:54 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 20CDC11FB; Tue, 10 May 2022 04:46:54 -0700 (PDT) Received: from FVFF77S0Q05N (unknown [10.57.1.67]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id A60163F66F; Tue, 10 May 2022 04:46:52 -0700 (PDT) Date: Tue, 10 May 2022 12:46:48 +0100 From: Mark Rutland To: Alexander Popov Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, keescook@chromium.org, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check Message-ID: References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote: > On 27.04.2022 20:31, Mark Rutland wrote: > > In __stackleak_erase() we check that the `erase_low` value derived from > > `current->lowest_stack` is above the lowest legitimate stack pointer > > value, but this is already enforced by stackleak_track_stack() when > > recording the lowest stack value. > > > > Remove the redundant check. > > > > There should be no functional change as a result of this patch. > > Mark, I can't agree here. I think this check is important. > The performance profit from dropping it is less than the confidence decrease :) > > With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't > overwrite some wrong kernel memory, but simply clears the whole thread > stack, which is safe behavior. If you feel strongly about it, I can restore the check, but I struggle to believe that it's worthwhile. The `lowest_stack` value lives in the task_struct, and if you have the power to corrupt that you have the power to do much more interesting things. If we do restore it, I'd like to add a big fat comment explaining the rationale (i.e. that it only matter if someone could corrupt `current->lowest_stack`, as otherwise that's guarnateed to be within bounds). Thanks, Mark. > > Signed-off-by: Mark Rutland > > Cc: Alexander Popov > > Cc: Andrew Morton > > Cc: Andy Lutomirski > > Cc: Kees Cook > > --- > > kernel/stackleak.c | 4 ---- > > 1 file changed, 4 deletions(-) > > > > diff --git a/kernel/stackleak.c b/kernel/stackleak.c > > index 753eab797a04d..f7a0f8cf73c37 100644 > > --- a/kernel/stackleak.c > > +++ b/kernel/stackleak.c > > @@ -78,10 +78,6 @@ static __always_inline void __stackleak_erase(void) > > unsigned int poison_count = 0; > > const unsigned int depth = STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long); > > - /* Check that 'lowest_stack' value is sane */ > > - if (unlikely(kstack_ptr - boundary >= THREAD_SIZE)) > > - kstack_ptr = boundary; > > - > > /* Search for the poison value in the kernel stack */ > > while (kstack_ptr > boundary && poison_count <= depth) { > > if (*(unsigned long *)kstack_ptr == STACKLEAK_POISON) >