Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Oct 2017 09:22:24 -0700
From: Kees Cook <keescook@...omium.org>
To: Greg KH <greg@...ah.com>
Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Michal Marek <mmarek@...e.com>, 
	Ingo Molnar <mingo@...nel.org>, Laura Abbott <labbott@...hat.com>, 
	Nicholas Piggin <npiggin@...il.com>, Al Viro <viro@...iv.linux.org.uk>, 
	Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>, Yoshinori Sato <ysato@...rs.sourceforge.jp>, 
	Rich Felker <dalias@...c.org>, "David S. Miller" <davem@...emloft.net>, 
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, linux-sh <linux-sh@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Mark Rutland <mark.rutland@....com>
Subject: Re: Re: [PATCH 2/3] Makefile: Move stackprotector
 availability out of Kconfig

On Wed, Oct 4, 2017 at 8:13 AM, Greg KH <greg@...ah.com> wrote:
> On Wed, Oct 04, 2017 at 11:33:38PM +0900, Masahiro Yamada wrote:
>> Hi Kees,
>>
>>
>> 2017-10-03 4:20 GMT+09:00 Kees Cook <keescook@...omium.org>:
>> > Various portions of the kernel, especially per-architecture pieces,
>> > need to know if the compiler is building it with the stack protector.
>> > This was done in the arch/Kconfig with 'select', but this doesn't
>> > allow a way to do auto-detected compiler support. In preparation for
>> > creating an on-if-available default, move the logic for the definition of
>> > CONFIG_CC_STACKPROTECTOR into the Makefile.
>> >
>> > Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>
>> > Cc: Michal Marek <mmarek@...e.com>
>> > Cc: Andrew Morton <akpm@...ux-foundation.org>
>> > Cc: Ingo Molnar <mingo@...nel.org>
>> > Cc: Laura Abbott <labbott@...hat.com>
>> > Cc: Nicholas Piggin <npiggin@...il.com>
>> > Cc: Al Viro <viro@...iv.linux.org.uk>
>> > Cc: linux-kbuild@...r.kernel.org
>> > Signed-off-by: Kees Cook <keescook@...omium.org>
>> > ---
>> >  Makefile     | 7 +++++--
>> >  arch/Kconfig | 8 --------
>> >  2 files changed, 5 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/Makefile b/Makefile
>> > index d1119941261c..e122a9cf0399 100644
>> > --- a/Makefile
>> > +++ b/Makefile
>> > @@ -688,8 +688,11 @@ else
>> >    stackp-flag := $(call cc-option, -fno-stack-protector)
>> >  endif
>> >  endif
>> > -# Find arch-specific stack protector compiler sanity-checking script.
>> > -ifdef CONFIG_CC_STACKPROTECTOR
>> > +ifdef stackp-name
>> > +  # If the stack protector has been selected, inform the rest of the build.
>> > +  KBUILD_CFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > +  KBUILD_AFLAGS += -DCONFIG_CC_STACKPROTECTOR
>> > +  # Find arch-specific stack protector compiler sanity-checking script.
>> >    stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
>> >    stackp-check := $(wildcard $(stackp-path))
>> >  endif
>>
>>
>> I have not tested this series,
>> but I think this commit is bad (with the follow-up patch applied).
>>
>>
>> I thought of this scenario:
>>
>> [1] Kernel is configured with CONFIG_CC_STACKPROTECTOR_AUTO
>>
>> [2] Kernel is built with a compiler without stack protector support.
>>
>> [3] CONFIG_CC_STACKPROTECTOR is not defined,
>>     so __stack_chk_fail() is not compiled.
>>
>> [4] Out-of-tree modules are compiled with a compiler with
>>     stack protector support.
>>     __stack_chk_fail() is inserted to functions of the modules.
>
> We don't ever support the system of loading a module built with anything
> other than the _exact_ same compiler than the kernel was.  So this will
> not happen (well, if someone tries it, they get to keep the pieces their
> kernel image is now in...)
>
>> [5] insmod fails because reference to __stack_chk_fail()
>>     can not be resolved.
>
> Even nicer, we failed "cleanly" :)
>
> This isn't a real-world issue, sorry.

If we wanted a slightly different failure, we could simply add the
stack protection feature to the VERMAGIC_STRING define:

diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index af6c03f7f986..300163aba666 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -30,11 +30,19 @@
 #else
 #define MODULE_RANDSTRUCT_PLUGIN
 #endif
+#if defined(__SSP__)
+#define MODULE_STACKPROTECTOR "stack-protector "
+#elif define (__SSP_STRONG__)
+#define MODULE_STACKPROTECTOR "stack-protector-strong "
+#else
+#define MODULE_STACKPROTECTOR ""
+#endif

 #define VERMAGIC_STRING                                                \
        UTS_RELEASE " "                                                 \
        MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT                     \
        MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS       \
        MODULE_ARCH_VERMAGIC                                            \
+       MODULE_STACKPROTECTOR                                           \
        MODULE_RANDSTRUCT_PLUGIN


Do you want me to send this patch, or should we allow it to fail with
the "missing reference" (which may actually be more expressive...) I
think the way it is right now is better, but I'm open to either.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.