Message ID | 1594613013-13059-1-git-send-email-guoren@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | arm64: Make TSK_STACK_CANARY more accurate defined | expand |
On Mon, Jul 13, 2020 at 04:03:33AM +0000, guoren@kernel.org wrote: > From: Guo Ren <guoren@linux.alibaba.com> > > TSK_STACK_CANARY only used in arm64/Makefile with > CONFIG_STACKPROTECTOR_PER_TASK wrap. So use the same policy in > asm-offset.c. > > Signed-off-by: Guo Ren <guoren@linux.alibaba.com> > Co-developed-by: Kees Cook <keescook@chromium.org> > Cc: Catalin Marinas <catalin.marinas@arm.com> > Cc: Will Deacon <will@kernel.org> > --- > arch/arm64/kernel/asm-offsets.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c > index 0577e21..37d5d3d 100644 > --- a/arch/arm64/kernel/asm-offsets.c > +++ b/arch/arm64/kernel/asm-offsets.c > @@ -39,7 +39,7 @@ int main(void) > DEFINE(TSK_TI_SCS_SP, offsetof(struct task_struct, thread_info.scs_sp)); > #endif > DEFINE(TSK_STACK, offsetof(struct task_struct, stack)); > -#ifdef CONFIG_STACKPROTECTOR > +#ifdef CONFIG_STACKPROTECTOR_PER_TASK > DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, stack_canary)); > #endif I don't think this really makese much sense. The 'stack_canary' field in 'struct task_struct' is defined as: #ifdef CONFIG_STACKPROTECTOR /* Canary value for the -fstack-protector GCC feature: */ unsigned long stack_canary; #endif so I think it makes sense to follow that in asm-offsets.c Does the current code actually cause a problem? Will
On 2020/7/14 下午4:37, Will Deacon wrote: > On Mon, Jul 13, 2020 at 04:03:33AM +0000, guoren@kernel.org wrote: >> From: Guo Ren <guoren@linux.alibaba.com> >> >> TSK_STACK_CANARY only used in arm64/Makefile with >> CONFIG_STACKPROTECTOR_PER_TASK wrap. So use the same policy in >> asm-offset.c. >> >> Signed-off-by: Guo Ren <guoren@linux.alibaba.com> >> Co-developed-by: Kees Cook <keescook@chromium.org> >> Cc: Catalin Marinas <catalin.marinas@arm.com> >> Cc: Will Deacon <will@kernel.org> >> --- >> arch/arm64/kernel/asm-offsets.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c >> index 0577e21..37d5d3d 100644 >> --- a/arch/arm64/kernel/asm-offsets.c >> +++ b/arch/arm64/kernel/asm-offsets.c >> @@ -39,7 +39,7 @@ int main(void) >> DEFINE(TSK_TI_SCS_SP, offsetof(struct task_struct, thread_info.scs_sp)); >> #endif >> DEFINE(TSK_STACK, offsetof(struct task_struct, stack)); >> -#ifdef CONFIG_STACKPROTECTOR >> +#ifdef CONFIG_STACKPROTECTOR_PER_TASK >> DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, stack_canary)); >> #endif > I don't think this really makese much sense. The 'stack_canary' field in > 'struct task_struct' is defined as: > > #ifdef CONFIG_STACKPROTECTOR > /* Canary value for the -fstack-protector GCC feature: */ > unsigned long stack_canary; > #endif > > so I think it makes sense to follow that in asm-offsets.c > > Does the current code actually cause a problem? No, I just want to know how arm64 reply, ref: https://lore.kernel.org/linux-riscv/1594397998-10221-1-git-send-email-guoren@kernel.org/T/#t Best Regards Guo Ren
BTW, Jim found a GCC security leak in arm64, and would you want to have a look at it? ------- I notice in the epilogue I get ld a4, 8(sp) ld a5, 100(t6) xor a5, a4, a5 bne a5,zero,.L4 This looks like a security leak that the canary value is left in a4. The i386 implementation operates directly on memory without loading into registers. The rs6000 implementation is careful to load 0 into the other register in the stack_protector_test code after the xor. I think this is a bug in the aarch64 code that it isn't clearing the other register. And I think it is a bug in your code too. If we don't need to clear the canary from the two registers, then you should eliminate the xor and just use "bne a5,a4,.L4". But I think the way you have it is right, you just need to clear the a4 register after the xor. -------- [1] https://gcc.gnu.org/pipermail/gcc-patches/2020-July/549910.html On Tue, Jul 14, 2020 at 4:37 PM Will Deacon <will@kernel.org> wrote: > > On Mon, Jul 13, 2020 at 04:03:33AM +0000, guoren@kernel.org wrote: > > From: Guo Ren <guoren@linux.alibaba.com> > > > > TSK_STACK_CANARY only used in arm64/Makefile with > > CONFIG_STACKPROTECTOR_PER_TASK wrap. So use the same policy in > > asm-offset.c. > > > > Signed-off-by: Guo Ren <guoren@linux.alibaba.com> > > Co-developed-by: Kees Cook <keescook@chromium.org> > > Cc: Catalin Marinas <catalin.marinas@arm.com> > > Cc: Will Deacon <will@kernel.org> > > --- > > arch/arm64/kernel/asm-offsets.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c > > index 0577e21..37d5d3d 100644 > > --- a/arch/arm64/kernel/asm-offsets.c > > +++ b/arch/arm64/kernel/asm-offsets.c > > @@ -39,7 +39,7 @@ int main(void) > > DEFINE(TSK_TI_SCS_SP, offsetof(struct task_struct, thread_info.scs_sp)); > > #endif > > DEFINE(TSK_STACK, offsetof(struct task_struct, stack)); > > -#ifdef CONFIG_STACKPROTECTOR > > +#ifdef CONFIG_STACKPROTECTOR_PER_TASK > > DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, stack_canary)); > > #endif > > I don't think this really makese much sense. The 'stack_canary' field in > 'struct task_struct' is defined as: > > #ifdef CONFIG_STACKPROTECTOR > /* Canary value for the -fstack-protector GCC feature: */ > unsigned long stack_canary; > #endif > > so I think it makes sense to follow that in asm-offsets.c > > Does the current code actually cause a problem? > > Will -- Best Regards Guo Ren ML: https://lore.kernel.org/linux-csky/
On Fri, Jul 17, 2020 at 08:56:23AM +0800, Guo Ren wrote: > BTW, Jim found a GCC security leak in arm64, and would you want to > have a look at it? Thanks. This seems to be tracked in their bugzilla here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191 I agree with Jim that this should be fixed. Will
diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c index 0577e21..37d5d3d 100644 --- a/arch/arm64/kernel/asm-offsets.c +++ b/arch/arm64/kernel/asm-offsets.c @@ -39,7 +39,7 @@ int main(void) DEFINE(TSK_TI_SCS_SP, offsetof(struct task_struct, thread_info.scs_sp)); #endif DEFINE(TSK_STACK, offsetof(struct task_struct, stack)); -#ifdef CONFIG_STACKPROTECTOR +#ifdef CONFIG_STACKPROTECTOR_PER_TASK DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, stack_canary)); #endif BLANK();