Re: [GIT PULL] gcc-plugin updates for v4.19-rc1

From: Kees Cook
Date: Wed Aug 15 2018 - 15:45:50 EST

Next message: Al Viro: "Re: A far fetched goal to clean up code quality"
Previous message: Alexander Popov: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
In reply to: Alexander Popov: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Next in thread: Linus Torvalds: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 15, 2018 at 12:04 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Aug 15, 2018 at 11:35 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>
>> I swear I'm doing my best. Are you speaking of
>> stackleak_check_alloca() or stackleak_erase()? These were both
>> discussed on the list, and we weren't able to come up with
>> alternatives: in both cases we're off the stack, and recovery is
>> seemingly impossible.
>
> Why do you even *test* that thing? Why don't you just allocate stack
> and clear it.

I feel like we're talking cross purposes. The BUG() cases were for
places where we detect that we're executing with an impossible stack
pointer. It seems like trying to recover from that would just hide the
corruption for a later time that would be much harder to debug. These
weren't left in here to upset you. :) I have tried to take your "make
it debuggable" declaration to heart.

> Dammit, the whole f*cking point of this patch-set is to clear the
> stack used. It is *not* supposed to do anything else. If the process
> runs out of stack, that's caught by the vmalloc'ed stack.

It also handles VLA abuse, since those could (and have in past
exploits) been used to jump over guard pages. If you're saying you
want to see VLAs entirely removed and this feature dropped from the
plugin before you'll accept it, that's what we can do. I was trying to
help things develop in parallel since we're now three releases into
removing VLAs and it continues to be slow work.

> And if you don't have vmalloc'ed stack, then clearly you don't care.

Agreed: this is why the plugin already does an "imply VMAP_STACK" for
Kconfig. Are you suggesting we should make it a hard "depends on
VMAP_STACK"?

> I refuse to take this kind of code that does stupid things, and then
> *because* it does those initial stupid things it does even more stupid
> things to correct for it.
>
> I hated the thing to begin with, told people that there are better
> approaches that don't have the downsides, got ignored, and then I'm
> pushed crap.

I tried to detail in the pull request how we absolutely did not ignore
you. Something like 15 people have been helping to remove VLAs, and
I've been testing both gcc's stack forced-initialization patch and
Clang's, and doing it via a plugin (none are really "there" yet).

-Kees

--
Kees Cook
Pixel Security

Next message: Al Viro: "Re: A far fetched goal to clean up code quality"
Previous message: Alexander Popov: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
In reply to: Alexander Popov: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Next in thread: Linus Torvalds: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]