Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Jul 2018 13:18:34 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Kees Cook <keescook@...gle.com>
Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>,
 PaX Team <pageexec@...email.hu>, Brad Spengler <spender@...ecurity.net>,
 Ingo Molnar <mingo@...nel.org>, Andy Lutomirski <luto@...nel.org>,
 Tycho Andersen <tycho@...ho.ws>, Laura Abbott <labbott@...hat.com>,
 Mark Rutland <mark.rutland@....com>,
 Ard Biesheuvel <ard.biesheuvel@...aro.org>, Borislav Petkov <bp@...en8.de>,
 Richard Sandiford <richard.sandiford@....com>,
 Thomas Gleixner <tglx@...utronix.de>, "H . Peter Anvin" <hpa@...or.com>,
 Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Dmitry V . Levin"
 <ldv@...linux.org>, Emese Revfy <re.emese@...il.com>,
 Jonathan Corbet <corbet@....net>, Andrey Ryabinin <aryabinin@...tuozzo.com>,
 "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
 Thomas Garnier <thgarnie@...gle.com>,
 Andrew Morton <akpm@...ux-foundation.org>,
 Alexei Starovoitov <ast@...nel.org>, Josef Bacik <jbacik@...com>,
 Masami Hiramatsu <mhiramat@...nel.org>, Nicholas Piggin <npiggin@...il.com>,
 Al Viro <viro@...iv.linux.org.uk>, "David S . Miller" <davem@...emloft.net>,
 Ding Tianhong <dingtianhong@...wei.com>, David Woodhouse
 <dwmw@...zon.co.uk>, Josh Poimboeuf <jpoimboe@...hat.com>,
 Steven Rostedt <rostedt@...dmis.org>,
 Dominik Brodowski <linux@...inikbrodowski.net>,
 Juergen Gross <jgross@...e.com>,
 Linus Torvalds <torvalds@...ux-foundation.org>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Dan Williams <dan.j.williams@...el.com>,
 Dave Hansen <dave.hansen@...ux.intel.com>,
 Mathias Krause <minipli@...glemail.com>,
 Vikas Shivappa <vikas.shivappa@...ux.intel.com>, Kyle Huey
 <me@...ehuey.com>, Dmitry Safonov <dsafonov@...tuozzo.com>,
 Will Deacon <will.deacon@....com>, Arnd Bergmann <arnd@...db.de>,
 Florian Weimer <fweimer@...hat.com>,
 Boris Lukashev <blukashev@...pervictus.com>,
 Andrey Konovalov <andreyknvl@...gle.com>, X86 ML <x86@...nel.org>,
 LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v14 7/7] stackleak, sysctl: Allow runtime disabling of
 kernel stack erasing

On 25.07.2018 02:59, Kees Cook wrote:
> On Tue, Jul 24, 2018 at 4:41 PM, Alexander Popov <alex.popov@...ux.com> wrote:
>> On 25.07.2018 01:56, Kees Cook wrote:
>>> On Thu, Jul 19, 2018 at 4:31 AM, Alexander Popov <alex.popov@...ux.com> wrote:
>>>> @@ -78,6 +113,11 @@ void __used stackleak_track_stack(void)
>>>>          */
>>>>         unsigned long sp = (unsigned long)&sp;
>>>>
>>>> +#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
>>>> +       if (static_branch_unlikely(&stack_erasing_bypass))
>>>> +               return;
>>>> +#endif
>>>
>>> I would expect stackleak_erase() to be the expensive part, not the
>>> tracking part? Shouldn't timings be unchanged by leaving this in
>>> unconditionally, which would mean the sysctl could be re-enabled?
>>
>> Dropping the bypass in stackleak_track_stack() will not help against the
>> troubles with re-enabling stack erasing (tracking and erasing depend on each
> 
> Isn't the tracking checking "sp < current->lowest_stack", so if
> erasure was off, lowest_stack would only ever get further into the
> stack? And when erasure was turned back on, it would start getting
> reset correctly again. Or is the concern the poison searching could
> break? It seems like it would still work right? I must be missing
> something. :)

Umm.. You are right, that would be a solution. Let's assume that we:
 - allow stackleak_track_stack() to work,
 - skip stackleak_erase() giving most of performance penalty.
When we enable the 'stack_erasing_bypass', the 'lowest_stack' is not reset at
the end of syscall, it just continues to go down at next syscalls (because of
enabled tracking). In some sense it is similar to having a very long syscall.
Now if we re-enable erasing, the poison search in stackleak_erase() starts from
the _valid_ 'lowest_stack', which should work fine.

I'll send the improved version of the patch soon. Thanks!

Best regards,
Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.