Received: by 10.223.164.202 with SMTP id h10csp325513wrb; Fri, 10 Nov 2017 06:59:23 -0800 (PST) X-Google-Smtp-Source: AGs4zMZRkgal21Q1GgxTyzo+mcYbCykCouuFlgedWoLKv0B6/tzHx+yQHy38rYyFPIjYvL4lrPyg X-Received: by 10.99.170.1 with SMTP id e1mr636256pgf.12.1510325963228; Fri, 10 Nov 2017 06:59:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510325963; cv=none; d=google.com; s=arc-20160816; b=wwdg9hOE9MOCEWRwi1k4IodbESGBRiAW723BCdv2ygM00wjlQdcxJzSI1UyoV+hf/N 1KMJwA6KEcbY5IqvrApBzVWr5QobD/e8wU3evDykLxeEB1E2nBcOm1t1lk+CkDeMORwV HA6awQaGKWMC3C5MfcKFEvvTEu2VGr5cTxy9LoNwduMsWmyPWOlGlmgW+WY9xjU61L0L +o66ffiJ6O8hBT6Wtf+ixPk1SEfGh7trDGT/vnxskUIvWvcOuwDzJU75YrwzeSB1vuQb CWrtdM05sKPjDGD3abTnbeRdrjUhVOG0ozIi4M8mXgR+YK0b9UgGRZ5sa3LAscmnqXM8 gEmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=GJWoebLySrmXmaw6Moo5QthxjFA7+r+HPAmGoQJ53r8=; b=AaWrdcTCv9uZdkNGF4c5zO0H0t3zv0XHkMXh5gEosvK0nHZ0UAhRYD2hQ7Cn/i/MQG Hy6PZfvA3VIuB0R7bPRzuxHV09K0Rm8gjUWt7txJvMg/kvbxzDXvbspAHBSIS3n4VSrg k1T+fZJmNdHXptjCPT5m5FQmCWtHagjZSJ4mSOFOMkTwVqyluQT8QTeq/TbWFoI4IaRd 6g1mygXLhabDA04Z8KWTsRXucn5tQ398r+VPaMAKKgpxjKJ//k4vkKA/BthZ7YfrSjjt 5tBGDt5amFu6uFNQCgm3D4naqRLz5zQD/cX/CzBb+inJT7CvH6JRd6sZnjv+IP1QIj/p beJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=r77xjdab; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 33si8884165plk.555.2017.11.10.06.59.11; Fri, 10 Nov 2017 06:59:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=r77xjdab; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753196AbdKJO6R (ORCPT + 82 others); Fri, 10 Nov 2017 09:58:17 -0500 Received: from mail-io0-f175.google.com ([209.85.223.175]:50468 "EHLO mail-io0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751455AbdKJO6Q (ORCPT ); Fri, 10 Nov 2017 09:58:16 -0500 Received: by mail-io0-f175.google.com with SMTP id 97so13823921iok.7 for ; Fri, 10 Nov 2017 06:58:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GJWoebLySrmXmaw6Moo5QthxjFA7+r+HPAmGoQJ53r8=; b=r77xjdab1ntevFv6sUWRa8+Di8GJMLS8u1eAqU6ZLqbPFWogjpa9jw1QYwN9QS9MX3 EXwvMPqnL+tQUnGKswEXyYf+S/ev4vfF8LEhf29PnTpZg3yf0Ye1MovoMRDheK2uMWAd 9w9p9j0i38B2u78MOAkmZMqx+HncIZd+WAHQRnuA2l9rUols1JJLu147/evpGjnIWVN7 lL269Jn0/qXiSbhi8dlD2jTUd7oASrGHyLwwuhHwbDMMAy790/1j21NP3Fi+WsBouyhc uTJEdo26JsaopvexvBScf95j8dA5yvbf+941+icnpz+Wann5tUXvJFJuqEZ/t03Vo9LO 3TDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GJWoebLySrmXmaw6Moo5QthxjFA7+r+HPAmGoQJ53r8=; b=WUKH8vISG0A15dlPLa5+KGpAuKaFAkI1V+ptAPRiDz8+cge9JhvW9m7AMF02qV2exi z03SJjcRjldb0MYFW/y7eMr+ir9kMR9UQ5TlgALqk2xD+9RXmxC5qliLPUSOhya1Og56 mTAXZzgiQ8oMOUM1QvOZ35FOjAJWAocWA58Znd/KzxDzpl40jsdzhV2gyX6exdMcUtWJ xHZuWnm0m/DKxOkCAe0w4BvKo/1JI2JJpk3KI6enEavuqCpdG3A3fdf85WmP9aYleaik f+/EWYIXr328NYq3iY7/7c5xAaO8v0AFfF5vKIwGpRI4Tzu4Ag1MssAQ9KGfmANPQgv+ 6Pwg== X-Gm-Message-State: AJaThX4niuV4rK8V9Puc07UKjY+2trSxKdp4O4E/UlPYYlEa0DgglMG1 17i9yO8b+RGMgDAlMwmHLIxKRpeEI/wAfYNyyAq9OIoW X-Received: by 10.107.63.67 with SMTP id m64mr720847ioa.272.1510325895884; Fri, 10 Nov 2017 06:58:15 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.76.86 with HTTP; Fri, 10 Nov 2017 06:57:55 -0800 (PST) In-Reply-To: References: From: Andy Lutomirski Date: Fri, 10 Nov 2017 06:57:55 -0800 Message-ID: Subject: Re: vDSO maximum stack usage, stack probes, and -fstack-check To: "Hector Martin 'marcan'" Cc: LKML , "kernel-hardening@lists.openwall.com" , X86 ML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 10, 2017 at 2:40 AM, Hector Martin 'marcan' wrote: > As far as I know, the vDSO specs (both Documentation/ABI/stable/vdso and > `man 7 vdso`) make no mention of how much stack the vDSO functions are > allowed to use. They just say "the usual C ABI", which makes no guarantees. > > It turns out that Go has been assuming that those functions use less > than 104 bytes of stack space, because it calls them directly on its > tiny stack allocations with no guard pages or other hardware overflow > protection [1]. On most systems, this is fine. > > However, on my system the stars aligned and turned it into a > nondeterministic crash. I use Gentoo Hardened, which builds its > toolchain with -fstack-check on by default. It turns out that with the > combination of GCC 6.4.0, -fstack-protect, linux-4.13.9-gentoo, and > CONFIG_OPTIMIZE_INLINING=n, gcc decides to *not* inline vread_tsc (it's > not marked inline, so it's perfectly within its right not to do that, > though for some reason it does inline when CONFIG_OPTIMIZE_INLINING=y > even though that nominally gives it greater freedom *not* to inline > things marked inline). That turns __vdso_clock_gettime and > __vdso_gettimeofday into non-leaf functions, and GCC then inserts a > stack probe (full objdump at [2]): > > 0000000000000030 <__vdso_clock_gettime>: > 30: 55 push %rbp > 31: 48 89 e5 mov %rsp,%rbp > 34: 48 81 ec 20 10 00 00 sub $0x1020,%rsp > 3b: 48 83 0c 24 00 orq $0x0,(%rsp) > 40: 48 81 c4 20 10 00 00 add $0x1020,%rsp This code is so wrong I don't even no where to start. Seriously, sub, orq, add? How about just orq with an offset? How about a *load* instead of a store? But stepping back even further, an offset > 4096 is just bogus. That's big enough to skip right over the guard page. Anyway, my recollection is that GCC's stack check code is busted until much newer gcc versions. I suppose we could try to make the kernel fail to build at all on a broken configuration like this. --Andy From 1583675421897144493@xxx Fri Nov 10 10:42:55 +0000 2017 X-GM-THRID: 1583675421897144493 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread