Re: [PATCH] arm64: Clear the stack

From: Kees Cook
Date: Fri Jun 29 2018 - 16:19:54 EST

Next message: Andy Shevchenko: "Re: [PATCH 0/3] IIO: st_sensors_i2c: improve device enumeration"
Previous message: Vineet Gupta: "Re: [PATCH] arc/Kconfig: include mm/Kconfig inside "ARC system configuration""
In reply to: Kees Cook: "Re: [PATCH] arm64: Clear the stack"
Next in thread: Laura Abbott: "Re: [PATCH] arm64: Clear the stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jun 29, 2018 at 12:05 PM, Laura Abbott <labbott@xxxxxxxxxx> wrote:
> Implementation of stackleak based heavily on the x86 version
>
> Signed-off-by: Laura Abbott <labbott@xxxxxxxxxx>
> [...]
> +#define current_top_of_stack() (task_stack_page(current) + THREAD_SIZE)
> +#define on_thread_stack() (on_task_stack(current, current_stack_pointer))

nit on types here. I get some warnings:

kernel/stackleak.c:55:12: warning: assignment makes integer from
pointer without a cast [-Wint-conversion]
boundary = current_top_of_stack();
^
kernel/stackleak.c:65:24: warning: assignment makes integer from
pointer without a cast [-Wint-conversion]
current->lowest_stack = current_top_of_stack() - THREAD_SIZE / 64;
^

So I think this needs to be:

+#define current_top_of_stack() ((unsigned long)task_stack_page(current) + \
+ THREAD_SIZE)

> diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins
> index a535742a1c06..972ce4ca7f6a 100644
> --- a/scripts/Makefile.gcc-plugins
> +++ b/scripts/Makefile.gcc-plugins
> @@ -37,11 +37,14 @@ ifdef CONFIG_GCC_PLUGINS
>
> gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so
> gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) += -DSTACKLEAK_PLUGIN -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
> + ifdef CONFIG_GCC_PLUGIN_STACKLEAK
> + DISABLE_STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-disable
> + endif
>
> GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y))
>
> export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGIN GCC_PLUGIN_SUBDIR
> - export SANCOV_PLUGIN DISABLE_LATENT_ENTROPY_PLUGIN
> + export SANCOV_PLUGIN DISABLE_LATENT_ENTROPY_PLUGIN DISABLE_STACKLEAK_PLUGIN
>
> ifneq ($(PLUGINCC),)
> # SANCOV_PLUGIN can be only in CFLAGS_KCOV because avoid duplication.

If there is a v14, I think this hunk should be taken there, since it's
part of the common code.

Otherwise, this works for me and passes the lkdtm tests.

-Kees

--
Kees Cook
Pixel Security

Next message: Andy Shevchenko: "Re: [PATCH 0/3] IIO: st_sensors_i2c: improve device enumeration"
Previous message: Vineet Gupta: "Re: [PATCH] arc/Kconfig: include mm/Kconfig inside "ARC system configuration""
In reply to: Kees Cook: "Re: [PATCH] arm64: Clear the stack"
Next in thread: Laura Abbott: "Re: [PATCH] arm64: Clear the stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]