Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Mar 2018 23:56:53 +0300
From: Alexander Popov <>
To: Dave Hansen <>,
 Peter Zijlstra <>, Laura Abbott <>,
 Linus Torvalds <>,
 Kees Cook <>, Andy Lutomirski <>
Cc: PaX Team <>, Brad Spengler <>,
 Ingo Molnar <>, Tycho Andersen <>,
 Mark Rutland <>,
 Ard Biesheuvel <>, Borislav Petkov <>,
 Richard Sandiford <>,
 Thomas Gleixner <>, "H . Peter Anvin" <>,
 "Dmitry V . Levin" <>, Emese Revfy <>,
 Jonathan Corbet <>, Andrey Ryabinin <>,
 "Kirill A . Shutemov" <>,
 Thomas Garnier <>,
 Andrew Morton <>,
 Alexei Starovoitov <>, Josef Bacik <>,
 Masami Hiramatsu <>, Nicholas Piggin <>,
 Al Viro <>, "David S . Miller" <>,
 Ding Tianhong <>, David Woodhouse
 <>, Josh Poimboeuf <>,
 Steven Rostedt <>,
 Dominik Brodowski <>,
 Juergen Gross <>,
 Greg Kroah-Hartman <>,
 Dan Williams <>,
 Mathias Krause <>,
 Vikas Shivappa <>, Kyle Huey
 <>, Dmitry Safonov <>,
 Will Deacon <>, Arnd Bergmann <>,,,
 "" <>
Subject: Re: [PATCH RFC v9 2/7] x86/entry: Add STACKLEAK erasing the kernel
 stack at the end of syscalls

On 21.03.2018 18:33, Dave Hansen wrote:
> On 03/21/2018 04:04 AM, Alexander Popov wrote:
>> The main obstacle:
>> erase_kstack() must save and restore any modified registers, because it is
>> called from the trampoline stack (introduced by Andy Lutomirski), when all
>> registers except RDI are live.
> Wow, cool, thanks for doing this!
> PTI might also cause you some problems here because it probably won't
> map your function.  Did you have to put it in one of the sections that
> gets mapped by the user page tables?

No, I didn't have to do that: erase_kstack() works fine, it is called just

There is also a way not to offend KASAN. erase_kstack() C code can be put in a
separate source file and compiled with "KASAN_SANITIZE_erase.o := n".

So, as I wrote, the only critical drawback of the C implementation is that it
needs no_caller_saved_registers attribute, which is provided by gcc since version 7.

Can you recommend any solution?

By the way, during my work on STACKLEAK, I've found one case when we get to the
userspace directly from the thread stack. Please see sysret32_from_system_call
in entry_64_compat.S. I checked that.

IMO it seems odd, can the adversary use that to bypass PTI?

Best regards,

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.