Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jJ9xis_X9qd-GxCM=oDDoynMrW=GZbfeOKKt_FpAuK83Q@mail.gmail.com>
Date: Thu, 16 Feb 2017 16:54:21 -0800
From: Kees Cook <keescook@...omium.org>
To: James Morse <james.morse@....com>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, Will Deacon <will.deacon@....com>, 
	Catalin Marinas <catalin.marinas@....com>, Mark Rutland <mark.rutland@....com>, 
	Pratyush Anand <panand@...hat.com>, keun-o.park@...kmatter.ae
Subject: Re: [PATCH v4 0/3] arm64: usercopy: Implement stack frame object validation

On Thu, Feb 16, 2017 at 10:29 AM, James Morse <james.morse@....com> wrote:
> Hi all,
>
> This version of Sahara's arch_within_stack_frames() series replaces the
> open-coded stack walker with a call to arm64's existing walker.
>
> Patch 2 can be tested independently with this change[0].
>
> lkdtm's use of unallocated stack regions is a separate problem, patch 3
> tries to address this.
>
> Sahara, it would be good to get your review of this!
> I'm afraid I omitted your patch-3 as it stopped the lkdtm test from working,
> I suspect its not tricking the compiler, but I haven't investigated.
>
>
> Thanks,
>
> James
>
> [0] Change to lkdtm to generate accesses that overlap stack frames.
> --------------%<--------------
> diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c
> index 1dd611423d8b..fcbba3a14387 100644
> --- a/drivers/misc/lkdtm_usercopy.c
> +++ b/drivers/misc/lkdtm_usercopy.c
> @@ -57,7 +57,8 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
>
>         /* This is a pointer to outside our current stack frame. */
>         if (bad_frame) {
> -               bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
> +               bad_stack = __builtin_frame_address(0);
> +               bad_stack -= sizeof(good_stack)/2;

Ah, sneaky, yeah, that'll work nicely.

(Though it should likely get wrapped in a CONFIG_STACK_GROWSUP/DOWN test...)

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.