Message-Id: <1526488097-20611-1-git-send-email-alex.popov@linux.com>
Date: Wed, 16 May 2018 19:28:11 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: kernel-hardening@...ts.openwall.com, Kees Cook <keescook@...omium.org>, PaX Team <pageexec@...email.hu>, Brad Spengler <spender@...ecurity.net>, Ingo Molnar <mingo@...nel.org>, Andy Lutomirski <luto@...nel.org>, Tycho Andersen <tycho@...ho.ws>, Laura Abbott <labbott@...hat.com>, Mark Rutland <mark.rutland@....com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Borislav Petkov <bp@...en8.de>, Richard Sandiford <richard.sandiford@....com>, Thomas Gleixner <tglx@...utronix.de>, "H . Peter Anvin" <hpa@...or.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Dmitry V . Levin" <ldv@...linux.org>, Emese Revfy <re.emese@...il.com>, Jonathan Corbet <corbet@....net>, Andrey Ryabinin <aryabinin@...tuozzo.com>, "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Thomas Garnier <thgarnie@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, Alexei Starovoitov <ast@...nel.org>, Josef Bacik <jbacik@...com>, Masami Hiramatsu <mhiramat@...nel.org>, Nicholas Piggin <npiggin@...il.com>, Al Viro <viro@...iv.linux.org.uk>, "David S . Miller" <davem@...emloft.net>, Ding Tianhong <dingtianhong@...wei.com>, David Woodhouse <dwmw@...zon.co.uk>, Josh Poimboeuf <jpoimboe@...hat.com>, Steven Rostedt <rostedt@...dmis.org>, Dominik Brodowski <linux@...inikbrodowski.net>, Juergen Gross <jgross@...e.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Dan Williams <dan.j.williams@...el.com>, Dave Hansen <dave.hansen@...ux.intel.com>, Mathias Krause <minipli@...glemail.com>, Vikas Shivappa <vikas.shivappa@...ux.intel.com>, Kyle Huey <me@...ehuey.com>, Dmitry Safonov <dsafonov@...tuozzo.com>, Will Deacon <will.deacon@....com>, Arnd Bergmann <arnd@...db.de>, Florian Weimer <fweimer@...hat.com>, Boris Lukashev <blukashev@...pervictus.com>, Andrey Konovalov <andreyknvl@...gle.com>, x86@...nel.org, linux-kernel@...r.kernel.org, alex.popov@...ux.com
Subject: [PATCH v12 0/6] Introduce the STACKLEAK feature and a test for it

This is the 12th version of the patch series introducing STACKLEAK to the
mainline kernel for x86. Some code is made common for easier porting to arm64
(will be done by Laura Abbott).

Motivation
==========

STACKLEAK (initially developed by PaX Team):

1. reduces the information that can be revealed through kernel stack leak bugs.
The idea of erasing the thread stack at the end of syscalls is similar to
CONFIG_PAGE_POISONING and memzero_explicit() in kernel crypto, which all comply
with FDP_RIP.2 (Full Residual Information Protection) of the Common Criteria
standard.

2. blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712,
CVE-2010-2963). That kind of bug should be killed by improving C compilers in
the future, which might take a long time.

3. blocks stack depth overflow caused by alloca (aka Stack Clash attack). That
is orthogonal to the mainline kernel VLA cleanup and protects un-upstreamed
code.

Performance impact
==================

Hardware: Intel Core i7-4770, 16 GB RAM

Test #1: building the Linux kernel on a single core
        0.91% slowdown

Test #2: hackbench -s 4096 -l 2000 -g 15 -f 25 -P
        4.2% slowdown

So the STACKLEAK description in Kconfig includes: "The tradeoff is the
performance impact: on a single CPU system kernel compilation sees a 1%
slowdown, other systems and workloads may vary and you are advised to test this
feature on your expected workload before deploying it".

Changes in v12
==============

1. Some code is made common for easier porting to other platforms. Also
introduced lowest_stack structure according to Kees' feedback.

2. Changes according to the feedback from Mark Rutland (kudos!):
 - improved stack depth overflow detection and reporting in check_alloca();
 - disabled KCOV instrumentation for erase_kstack() and track_stack();
 - added comments with assumptions about the compiler behaviour in
   erase_kstack().

3. Added a new STACKLEAK_RECURSION_WITH_ALLOCA test.

4. Included Laura's patch for the RTL traversal in the STACKLEAK gcc plugin.

5. Added missing SPDX-License-Identifiers.

Previous version:
http://www.openwall.com/lists/kernel-hardening/2018/04/06/2

Alexander Popov (6):
  gcc-plugins: Clean up the cgraph_create_edge* macros
  x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
  gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
  lkdtm: Add a test for STACKLEAK
  fs/proc: Show STACKLEAK metrics in the /proc file system
  doc: self-protection: Add information about STACKLEAK feature

 Documentation/security/self-protection.rst |  23 +-
 Documentation/x86/x86_64/mm.txt            |   2 +
 arch/Kconfig                               |  53 ++++
 arch/x86/Kconfig                           |   1 +
 arch/x86/entry/calling.h                   |  14 +
 arch/x86/entry/entry_32.S                  |   7 +
 arch/x86/entry/entry_64.S                  |   3 +
 arch/x86/entry/entry_64_compat.S           |   5 +
 arch/x86/include/asm/processor.h           |   3 +
 arch/x86/kernel/dumpstack.c                |  31 ++
 arch/x86/kernel/process_32.c               |   8 +
 arch/x86/kernel/process_64.c               |   8 +
 drivers/misc/lkdtm/Makefile                |   2 +
 drivers/misc/lkdtm/core.c                  |   3 +
 drivers/misc/lkdtm/lkdtm.h                 |   5 +
 drivers/misc/lkdtm/stackleak.c             | 147 +++++++++
 fs/proc/base.c                             |  18 ++
 include/linux/stackleak.h                  |  22 ++
 kernel/Makefile                            |   4 +
 kernel/stackleak.c                         | 106 +++++++
 scripts/Makefile.gcc-plugins               |   3 +
 scripts/gcc-plugins/gcc-common.h           |  26 +-
 scripts/gcc-plugins/stackleak_plugin.c     | 474 +++++++++++++++++++++++++++++
 23 files changed, 949 insertions(+), 19 deletions(-)
 create mode 100644 drivers/misc/lkdtm/stackleak.c
 create mode 100644 include/linux/stackleak.h
 create mode 100644 kernel/stackleak.c
 create mode 100644 scripts/gcc-plugins/stackleak_plugin.c

-- 
2.7.4
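The following is an added user-space model of the mechanism the cover letter describes (points 1 to 3 of the Motivation section); it is not code from the patch series or from Alexander Popov's message. It models the thread stack as a byte array so that the "uninitialized local" read is well defined (an uninitialized read in real C is undefined behaviour and may be optimized away). The functions track_stack(), erase_kstack() and check_alloca() reuse the names the message mentions, but these bodies, the model_stack/push_frame/pop_frame helpers, the POISON byte and the 4 KiB stack size are assumptions of this model, not the kernel's implementation. The secret string is constructed sample input.

```c
/* Added example: a user-space model of the STACKLEAK idea, not the kernel's
 * code. The thread stack is a byte array, the stack pointer is an index that
 * grows down (as on x86), and the deepest point reached is recorded so that
 * only the used depth is erased at "syscall exit".
 * Assumed names/values: model_stack, sp, lowest_stack, POISON, STACK_SIZE,
 * push_frame, pop_frame, secret_leaks. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 4096
#define POISON 0xA5          /* arbitrary poison byte for the model */

static uint8_t model_stack[STACK_SIZE];   /* the "thread stack" */
static size_t sp = STACK_SIZE;            /* grows down */
static size_t lowest_stack = STACK_SIZE;  /* deepest sp seen since last erase */

/* What the gcc plugin's inserted call does: remember the deepest sp. */
static void track_stack(void)
{
    if (sp < lowest_stack)
        lowest_stack = sp;
}

/* Depth check for a dynamic frame (alloca/VLA): refuse a request that would
 * run past the bottom of the stack instead of clashing into what lies below. */
static bool check_alloca(size_t size)
{
    return size <= sp;      /* fits in the remaining stack */
}

/* Push a frame; its contents are whatever was left there (not zeroed). */
static uint8_t *push_frame(size_t size)
{
    sp -= size;
    track_stack();
    return &model_stack[sp];
}

static void pop_frame(size_t size)
{
    sp += size;
}

/* Run at syscall exit: poison everything from the deepest point reached up to
 * the current sp, then reset the watermark. Erasing only the depth actually
 * used, rather than the whole stack, is what keeps the per-syscall cost small. */
static void erase_kstack(void)
{
    memset(&model_stack[lowest_stack], POISON, sp - lowest_stack);
    lowest_stack = sp;
}

/* Syscall 1: keeps a secret in a local buffer and returns without clearing it. */
static void syscall_with_secret(const uint8_t *secret, size_t n)
{
    uint8_t *frame = push_frame(64);
    memcpy(frame, secret, n);       /* secret now lives on the stack */
    pop_frame(64);
}

/* Syscall 2: copies a never-written local to user space, the bug class
 * (uninitialized stack variable leak) that STACKLEAK mitigates. */
static void syscall_leaks_local(uint8_t *out, size_t n)
{
    uint8_t *frame = push_frame(64);
    memcpy(out, frame, n);          /* leaks whatever the previous frame left */
    pop_frame(64);
}

/* Returns 1 if the first syscall's secret shows up in the second one's output. */
int secret_leaks(bool stackleak_enabled)
{
    static const uint8_t secret[8] = "S3CR3T!";   /* constructed sample */
    uint8_t out[8];

    syscall_with_secret(secret, sizeof secret);
    if (stackleak_enabled)
        erase_kstack();             /* the end-of-syscall hook */
    syscall_leaks_local(out, sizeof out);

    return memcmp(out, secret, sizeof secret) == 0;
}

int main(void)
{
    printf("without STACKLEAK: secret leaks = %d\n", secret_leaks(false));
    printf("with STACKLEAK:    secret leaks = %d\n", secret_leaks(true));
    printf("alloca(64) allowed = %d, alloca(1 MiB) allowed = %d\n",
           check_alloca(64), check_alloca((size_t)1 << 20));
    return 0;
}
```

Without the erase the second "syscall" returns the first one's secret byte for byte; with it the same read returns only the poison value, and an oversized alloca request is refused before it can run off the end of the stack.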