Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1023685iob; Fri, 13 May 2022 20:02:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzy/cc+e3tVA7sUPyrWbtHn8nH+y6hQaqcTmEJ+lMGFwfVRfu10Jjw1rZYWRUwGYxFzYkhc X-Received: by 2002:adf:fe10:0:b0:20c:4fd8:1d68 with SMTP id n16-20020adffe10000000b0020c4fd81d68mr6075862wrr.388.1652497376224; Fri, 13 May 2022 20:02:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652497376; cv=none; d=google.com; s=arc-20160816; b=g6UMEuYgipgQWKXH6cbGwG7C/nTJmyUFDhDtuPc/AAEb8CMy/jKygXjbCKAMDU5EXC 3MRAHFBya0ZfPHxPKNR4wgoktL2IuI6BA2qN+Kbl7k1q+OyP9gfABe8Hendg1NEOkYPZ qZRYZ/VoLu6TqzC0sC96UuitlBtmo4vK8+b21bmlzrLA6csCfaCSd3/ByQRiZ3U2AbXq rYsZq9xkQVKgufQNfuCdg988rfDH4TIUylbhwIvBsakDB2ga4669t83axL9H293mWMzy tv/YbJakx4EYv/f3Jb0Sj3Y2u9gjFcjgVVT1O/roJ0t3Y9mIFmCJ0hS3tdSP+7SqMFyq fpZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=9Xut3GyptZHigfNQ6dOK7EAMieOjhzt0HBLVkMTEDag=; b=vIiLGlu6psPxPcsnttGuK/t6JgE1iwCNFkxX2QllOsNGR0Gh1ijQqJsLbBszhBDeE/ o4LpjVUm5Q6FufMbWEyLN7kIjSiNAV9xrrt7vCyxtnmfa6c+ETkou4IpgnMEKxpFykfI VWh+zAYNUTS8PyblRX/vPR8YwF9wKfcsQwYmr9+8O11jIm0Ark3Vi0mqNy0AxXDtoTb2 URO2395grMAEUVDjbKt4wnjGsGoUOpr04H0wvrdSfcfSuS9fU5YeWVvV/0b/CY51X7/M Jy7bKRwQwaeFa0zmItYpmCQG4FVjip5tL89ex6JuJb8MEaBVe4yUm2CRZoDP99wcItQJ zR6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id 15-20020a05600c020f00b00394946c413fsi3655339wmi.177.2022.05.13.20.02.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 20:02:56 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D03F33A9CAC; Fri, 13 May 2022 16:45:46 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351845AbiELJPF (ORCPT + 99 others); Thu, 12 May 2022 05:15:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242267AbiELJPD (ORCPT ); Thu, 12 May 2022 05:15:03 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 22B96223872 for ; Thu, 12 May 2022 02:15:02 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BE739106F; Thu, 12 May 2022 02:15:01 -0700 (PDT) Received: from FVFF77S0Q05N (unknown [10.57.5.172]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4A36F3F73D; Thu, 12 May 2022 02:15:00 -0700 (PDT) Date: Thu, 12 May 2022 10:14:53 +0100 From: Mark Rutland To: Kees Cook Cc: Alexander Popov , linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, luto@kernel.org, will@kernel.org Subject: Re: [PATCH v2 03/13] stackleak: remove redundant check Message-ID: References: <20220427173128.2603085-1-mark.rutland@arm.com> <20220427173128.2603085-4-mark.rutland@arm.com> <202205101958.2A33DE20@keescook> <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <33711C66-BB24-4A75-8756-3CDDA02BC0CD@chromium.org> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 11, 2022 at 07:44:41AM -0700, Kees Cook wrote: > > > On May 11, 2022 1:02:45 AM PDT, Mark Rutland wrote: > >On Tue, May 10, 2022 at 08:00:38PM -0700, Kees Cook wrote: > >> On Tue, May 10, 2022 at 12:46:48PM +0100, Mark Rutland wrote: > >> > On Sun, May 08, 2022 at 09:17:01PM +0300, Alexander Popov wrote: > >> > > On 27.04.2022 20:31, Mark Rutland wrote: > >> > > > In __stackleak_erase() we check that the `erase_low` value derived from > >> > > > `current->lowest_stack` is above the lowest legitimate stack pointer > >> > > > value, but this is already enforced by stackleak_track_stack() when > >> > > > recording the lowest stack value. > >> > > > > >> > > > Remove the redundant check. > >> > > > > >> > > > There should be no functional change as a result of this patch. > >> > > > >> > > Mark, I can't agree here. I think this check is important. > >> > > The performance profit from dropping it is less than the confidence decrease :) > >> > > > >> > > With this check, if the 'lowest_stack' value is corrupted, stackleak doesn't > >> > > overwrite some wrong kernel memory, but simply clears the whole thread > >> > > stack, which is safe behavior. > >> > > >> > If you feel strongly about it, I can restore the check, but I struggle to > >> > believe that it's worthwhile. The `lowest_stack` value lives in the > >> > task_struct, and if you have the power to corrupt that you have the power to do > >> > much more interesting things. > >> > > >> > If we do restore it, I'd like to add a big fat comment explaining the > >> > rationale (i.e. that it only matter if someone could corrupt > >> > `current->lowest_stack`, as otherwise that's guarnateed to be within bounds). > >> > >> Yeah, let's restore it and add the comment. While I do agree it's likely > >> that such an corruption would likely mean an attacker had significant > >> control over kernel memory already, it is not uncommon that an attack > >> only has a limited index from a given address, etc. Or some manipulation > >> is possible via weird gadgets, etc. It's unlikely, but not impossible, > >> and a bounds-check for that value is cheap compared to the rest of the > >> work happening. :) > > > >Fair enough; I can go spin a patch restoring this. I'm somewhat unhappy with > >silently fixing that up, though -- IMO it'd be better to BUG() or similar in > >that case. > > I share your desires, and this was exactly what Alexander originally proposed, but Linus rejected it violently. :( > https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/ I see. :/ Thinking about this some more, if we assume someone can corrupt *some* word of memory, then we need to consider that instead of corrupting task_struct::lowest_stack, they could corrupt task_struct::stack (or x86's cpu_current_top_of_stack prior to this series). With that in mind, if we detect that task_struct::lowest_stack is out-of-bounds, we have no idea whether it has been corrupted or the other bound values have been corrupted, and so we can't do the erase safely anyway. So AFAICT we must *avoid* erasing when that goes wrong. Maybe we could WARN() instead of BUG()? Thanks, Mark.