|
Message-ID: <202003241604.7269C810B@keescook> Date: Tue, 24 Mar 2020 16:07:53 -0700 From: Kees Cook <keescook@...omium.org> To: Jann Horn <jannh@...gle.com> Cc: Thomas Gleixner <tglx@...utronix.de>, Elena Reshetova <elena.reshetova@...el.com>, the arch/x86 maintainers <x86@...nel.org>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Mark Rutland <mark.rutland@....com>, Alexander Potapenko <glider@...gle.com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, linux-arm-kernel@...ts.infradead.org, Linux-MM <linux-mm@...ck.org>, kernel list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH v2 0/5] Optionally randomize kernel stack offset each syscall [-enrico, who is bouncing] On Tue, Mar 24, 2020 at 10:28:35PM +0100, Jann Horn wrote: > On Tue, Mar 24, 2020 at 9:32 PM Kees Cook <keescook@...omium.org> wrote: > > This is a continuation and refactoring of Elena's earlier effort to add > > kernel stack base offset randomization. In the time since the previous > > discussions, two attacks[1][2] were made public that depended on stack > > determinism, so we're no longer in the position of "this is a good idea > > but we have no examples of attacks". :) > [...] > > [1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html > > This one only starts using the stack's location after having parsed > it out of dmesg (which in any environment that wants to provide a > reasonable level of security really ought to be restricted to root), > right? If you give people read access to dmesg, they can leak all > sorts of pointers; not just the stack pointer, but also whatever else > happens to be in the registers at that point - which is likely to give > the attacker more ways to place controlled data at a known location. > See e.g. <https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html>, > which leaks the pointer to a BPF map out of dmesg. It was mentioned that it would re-use the base across syscalls, so this defense would have frustrated it. More to my point was that there still are attacks using a deterministic stack as part of the exploit chain. We have a low-cost way to make that go away. > Also, are you sure that it isn't possible to make the syscall that > leaked its stack pointer never return to userspace (via ptrace or > SIGSTOP or something like that), and therefore never realign its > stack, while keeping some controlled data present on the syscall's > stack? > > > [2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf > > That's a moderately large document; which specific part are you referencing? IIRC, section 3.3 discusses using the stack for CFI bypass, though thinking about it again, it may have been targeting pt_regs. I'll double check and remove this reference if that's the case. But, as I mention, this is proactive and I'd like to stop yet more things from being able to depend on the stack location. -- Kees Cook
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.