Received: by 10.223.164.202 with SMTP id h10csp399613wrb; Fri, 10 Nov 2017 08:05:43 -0800 (PST) X-Google-Smtp-Source: AGs4zMbo+KgYqTzFY5cGbhp+F/p3AF18eFZ5k8JkkWJ6hHJXe/xIsEIJFrDbWfp8xlND3JQwNU47 X-Received: by 10.98.28.215 with SMTP id c206mr843865pfc.191.1510329943088; Fri, 10 Nov 2017 08:05:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510329943; cv=none; d=google.com; s=arc-20160816; b=LQigDi1XdyDkPByLmcClajFSFNlTCX/+EK6tMxa3UqT21AKHDmUVFPyWknwb3VbmUI PctkSh1kBvIjARwQEvwTLVNfrgjKgATvXaThOWIRVV6+7dT65dRjGTzrzOTnRx2A9B0U 7BhD47A5rW3jAar0Evac2TOzmmIKW5v2PB9279rMrpsNLpiDVFrxwKBMlrr9GnRabB0H LpLfBSTFbSMi2cQFWOPSMFwqeWvsH5NknC9m4QKeSsiiB/QolWGZ0pVvP2Is9qCLx86L liJ2OEEBLoNSFj+M/7Q1xFs2NUZ5OdbqGPxtwUk88yrHgHqyWiV9AitTL+JmdPM/95G5 4fmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=7qKsWu/mcFjgKdfco/NsV4Kfs6O4AHwKmlwMKwufcdo=; b=fkMNRpaC6OA9nqqC66BnaMRc1sskg/HCUjaaC8IYvmddcIaWdy67l5KLEwP8KMIraH mg5nPKQBPTTUDYCGQ+Q9IE06k2OL+M1WVkdpiQ52RPtSYmnvLvsc/oTfrUkIEICH+B2X fyBw3pfiYkcVlS1YcFLYmdEFG4iQKfiV9bxMNV0mORWwNsjVxkifz9IIVVXUmUmV0VI0 pZFc9RqaNu2Fmgon1gW8JBV6Ve/VOymrtMqUCVMenVQV1vcw/iBt87atqwmGn/4Cg0xQ YIg+2otaHaCUKX7+gyvFsXxrZ19l39fHisetvoL21P85m/fnYnV3pvWSnpVpPdyoLUOH p9mQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3si9111223plz.518.2017.11.10.08.05.25; Fri, 10 Nov 2017 08:05:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753292AbdKJQDB (ORCPT + 82 others); Fri, 10 Nov 2017 11:03:01 -0500 Received: from marcansoft.com ([212.63.210.85]:49844 "EHLO mail.marcansoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753194AbdKJQC7 (ORCPT ); Fri, 10 Nov 2017 11:02:59 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marcan@marcansoft.com) by mail.marcansoft.com (Postfix) with ESMTPSA id E146D43220; Fri, 10 Nov 2017 16:02:56 +0000 (UTC) Subject: Re: [kernel-hardening] Re: vDSO maximum stack usage, stack probes, and -fstack-check To: Andy Lutomirski Cc: LKML , "kernel-hardening@lists.openwall.com" , X86 ML References: From: Hector Martin 'marcan' Message-ID: <06a4b0b4-4b36-91b6-d146-9fc1300b785f@marcan.st> Date: Sat, 11 Nov 2017 01:02:53 +0900 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2017-11-10 23:57, Andy Lutomirski wrote: > This code is so wrong I don't even no where to start. Seriously, sub, > orq, add? How about just orq with an offset? How about a *load* > instead of a store? Stores should be cheaper than loads (since they don't stall), but apparently the rationale for using orq is: gcc/config/i386/i386.md: ;; Use IOR for stack probes, this is shorter. Saves bytes I guess? Though being read-modify-write it probably hurts performance; I don't know what real CPUs would do with it. I suspect the sub, add is there to guarantee that the stack pointer is actually below the probed location. IIRC the x86-64 ABI specifies a 128-byte redzone that you can freely mess with; going beyond that would require actually changing the stack pointer. > But stepping back even further, an offset > 4096 is just bogus. > That's big enough to skip right over the guard page. The code (gcc/config/i386/i386.c) says: /* We skip the probe for the first interval + a small dope of 4 words and probe that many bytes past the specified size to maintain a protection area at the botton of the stack. */ Not entirely sure what's going on here. OTOH I'm not sure why it's probing at all, since AIUI it only needs to probe for stack frames >4k to begin with. > Anyway, my recollection is that GCC's stack check code is busted until > much newer gcc versions. I suppose we could try to make the kernel > fail to build at all on a broken configuration like this. Well, the original point still stands. Even if what GCC is doing is stupid here, it's not illegal (it's just eating stack space), and the kernel still currently makes no guarantees about that. So I think the conversation regarding vDSO stack usage guarantees is still worth having. -- Hector Martin "marcan" (marcan@marcan.st) Public Key: https://mrcn.st/pub From 1583691556744234436@xxx Fri Nov 10 14:59:22 +0000 2017 X-GM-THRID: 1583675421897144493 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread