Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20151128091945.GG32190@chrystal.uk.oracle.com>
Date: Sat, 28 Nov 2015 10:19:45 +0100
From: Quentin Casasnovas <quentin.casasnovas@...cle.com>
To: kernel-hardening@...ts.openwall.com
Cc: Quentin Casasnovas <quentin.casasnovas@...cle.com>
Subject: Re: Re: status: GRKERNSEC_KSTACKOVERFLOW

On Fri, Nov 27, 2015 at 12:09:31PM -0800, Kees Cook wrote:
> On Thu, Nov 26, 2015 at 8:39 AM, Quentin Casasnovas
> <quentin.casasnovas@...cle.com> wrote:
> > On Thu, Nov 26, 2015 at 12:45:42AM +0100, Quentin Casasnovas wrote:
> >> On Tue, Nov 24, 2015 at 11:10:09AM -0800, Kees Cook wrote:
> >>
> >> [snip/]
> >>
> >> It should also be noted that I did not find that the struct thread_info
> >> (which is stuffed at the end of the stack) was protected in any way either.
> >> So even if a write/read _below_ the stack could still be trapped if nothing
> >> is currently mapped there, it looks like deep stack usage could still
> >> overflow it and go unoticed.  Here again, I didn't spend a lot of time on
> >> this and it might just be that I'm missing something.
> >>
> >> In the very unlikely event where I didn't miss anything and the struct
> >> thread_info can still be overflown and there isn't any guard page, maybe we
> >> can improve on the current KSTACK_OVERFLOW feature by putting the struct
> >> thread_info on a different page than the kernel stack, and not vmap() it
> >> like the rest of the stack pages, but instead map a PROT_NONE page there.
> >> That would mean the struct thread_info can still be accessed by using its
> >> lowmem mapping (i.e. legit usage from the kernel) but not by deep kernel
> >> stack usage.  Maybe the cost of adding an extra page per kernel stack is
> >> too high though.
> >
> > As expected I missed some other changes:
> >
> > /* Load thread_info address into "reg" */
> > #define GET_THREAD_INFO(reg) \
> > -       _ASM_MOV PER_CPU_VAR(cpu_current_top_of_stack),reg ; \
> > -       _ASM_SUB $(THREAD_SIZE),reg ;
> > +       _ASM_MOV PER_CPU_VAR(current_tinfo),reg ;
> >
> > and
> >
> > +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
> > +
> > static inline struct thread_info *current_thread_info(void)
> > {
> > -       return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
> > +       return this_cpu_read_stable(current_tinfo);
> > }
> >
> > So no more thread_info on the stack in the default configuration, which
> > isn't correlated with the KSTACKOVERFLOW config option.
> 
> Good find! This seems like it should be its own patch, distinct from
> KSTACKOVERFLOW?
>

We should probably make KSTACKOVERFLOW depend on moving the thread_info off
the stack, since otherwise the thread_info could still be hijacked and that
would counterfeit the KSTACKOVERFLOW purpose.

Quentin

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.