Date: Tue, 14 Nov 2017 13:17:18 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Alexander Popov <alex.popov@...ux.com>
Cc: Mark Rutland <mark.rutland@....com>, Andy Lutomirski <luto@...nel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Kees Cook <keescook@...omium.org>, 
	PaX Team <pageexec@...email.hu>, Brad Spengler <spender@...ecurity.net>, 
	Ingo Molnar <mingo@...nel.org>, Peter Zijlstra <peterz@...radead.org>, 
	Tycho Andersen <tycho@...ker.com>, Laura Abbott <labbott@...hat.com>, 
	Ard Biesheuvel <ard.biesheuvel@...aro.org>, Borislav Petkov <bp@...en8.de>, 
	Thomas Gleixner <tglx@...utronix.de>, "H . Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>
Subject: Re: [PATCH RFC v5 2/5] gcc-plugins: Add STACKLEAK plugin for tracking
 the kernel stack

On Tue, Nov 14, 2017 at 1:09 PM, Alexander Popov <alex.popov@...ux.com> wrote:
> Thanks, Mark!
>
> Please see my comments below.
>
> On 14.11.2017 19:33, Mark Rutland wrote:
>> On Tue, Nov 14, 2017 at 08:13:43AM -0800, Andy Lutomirski wrote:
>>> What does the STEAKLACK plugin actually do?  I haven't followed this enough.
>>
>> The plugin adds instrumentation to track the maximum stack depth, though only
>> functions with a sufficiently large stackframe are instrumented.
>
> Yes. Functions with a big stack frame call track_stack() to update the
> lowest_stack value. If CONFIG_VMAP_STACK is disabled, track_stack() is compiled
> with a check for detecting stack depth overflow. This check is what I'm asking
> about.

Then you'll probably have to do something like what I did in the
VMAP_STACK code.

That being said, I don't entirely see the point.  If you want a
hardened kernel, you're going to enable VMAP_STACK.  Are there really
users of hardened 32-bit kernels?
