Re: [PATCH 1/5] gcc-plugins/stackleak: Exclude alloca() from the instrumentation logic

From: Kees Cook
Date: Tue Jun 09 2020 - 14:39:18 EST

Next message: Matt Helsley: "Re: [RFC][PATCH v4 02/32] objtool: Make recordmcount into mcount subcmd"
Previous message: Nitin Gupta: "Re: [PATCH v6] mm: Proactive compaction"
Next in thread: Alexander Popov: "Re: [PATCH 1/5] gcc-plugins/stackleak: Exclude alloca() from the instrumentation logic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 04, 2020 at 06:23:38PM +0300, Alexander Popov wrote:
> On 04.06.2020 17:01, Jann Horn wrote:
> > On Thu, Jun 4, 2020 at 3:51 PM Alexander Popov <alex.popov@xxxxxxxxx> wrote:
> >> Some time ago Variable Length Arrays (VLA) were removed from the kernel.
> >> The kernel is built with '-Wvla'. Let's exclude alloca() from the
> >> instrumentation logic and make it simpler. The build-time assertion
> >> against alloca() is added instead.
> > [...]
> >> + /* Variable Length Arrays are forbidden in the kernel */
> >> + gcc_assert(!is_alloca(stmt));
> >
> > There is a patch series from Elena and Kees on the kernel-hardening
> > list that deliberately uses __builtin_alloca() in the syscall entry
> > path to randomize the stack pointer per-syscall - see
> > <https://lore.kernel.org/kernel-hardening/20200406231606.37619-4-keescook@xxxxxxxxxxxx/>.
>
> Thanks, Jann.
>
> At first glance, leaving alloca() handling in stackleak instrumentation logic
> would allow to integrate stackleak and this version of random_kstack_offset.

Right, it seems there would be a need for this coverage to remain,
otherwise the depth of stack erasure might be incorrect.

It doesn't seem like the other patches strictly depend on alloca()
support being removed, though?

> Kees, Elena, did you try random_kstack_offset with upstream stackleak?

I didn't try that combination yet, no. It seemed there would likely
still be further discussion about the offset series first (though the
thread has been silent -- I'll rebase and resend it after rc2).

> It looks to me that without stackleak erasing random_kstack_offset can be
> weaker. I mean, if next syscall has a bigger stack randomization gap, the data
> on thread stack from the previous syscall is not overwritten and can be used. Am
> I right?

That's correct. I think the combination is needed, but I don't think
they need to be strictly tied together.

> Another aspect: CONFIG_STACKLEAK_METRICS can be used for guessing kernel stack
> offset, which is bad. It should be disabled if random_kstack_offset is on.

Agreed.

--
Kees Cook

Next message: Matt Helsley: "Re: [RFC][PATCH v4 02/32] objtool: Make recordmcount into mcount subcmd"
Previous message: Nitin Gupta: "Re: [PATCH v6] mm: Proactive compaction"
Next in thread: Alexander Popov: "Re: [PATCH 1/5] gcc-plugins/stackleak: Exclude alloca() from the instrumentation logic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]