From patchwork Tue Mar 30 20:57:44 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12173749
From: Kees Cook
To: Thomas Gleixner
Cc: Kees Cook, Elena Reshetova, x86@kernel.org, Andy Lutomirski,
    Peter Zijlstra, Catalin Marinas, Will Deacon, Mark Rutland,
    Alexander Potapenko, Alexander Popov, Ard Biesheuvel, Jann Horn,
    Vlastimil Babka, David Hildenbrand, Mike Rapoport, Andrew Morton,
    Jonathan Corbet, Randy Dunlap, kernel-hardening@lists.openwall.com,
    linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
    linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
Date: Tue, 30 Mar 2021 13:57:44 -0700
Message-Id: <20210330205750.428816-1-keescook@chromium.org>

v8:
- switch to __this_cpu_*() (tglx)
- improve commit log details, comments, and masking (ingo, tglx)
v7: https://lore.kernel.org/lkml/20210319212835.3928492-1-keescook@chromium.org/
v6: https://lore.kernel.org/lkml/20210315180229.1224655-1-keescook@chromium.org/
v5: https://lore.kernel.org/lkml/20210309214301.678739-1-keescook@chromium.org/
v4: https://lore.kernel.org/lkml/20200622193146.2985288-1-keescook@chromium.org/
v3: https://lore.kernel.org/lkml/20200406231606.37619-1-keescook@chromium.org/
v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/
rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/

Hi,

This is a continuation and refactoring of Elena's earlier effort to add
kernel stack base offset randomization. In the time since the earlier
discussions, two attacks[1][2] were made public that depended on stack
determinism, so we're no longer in the position of "this is a good idea
but we have no examples of attacks". :)

Earlier discussions also devolved into debates on entropy sources, which
is mostly a red herring, given the already low entropy available due to
stack size. Regardless, entropy can be changed/improved separately from
this series as needed.

Earlier discussions also got stuck debating how much syscall overhead
was too much, but this is also a red herring since the feature itself
needs to be selectable at boot with no cost for those that don't want it:
this is solved here with static branches.

So, here is the latest improved version, made as arch-agnostic as
possible, with usage added for x86 and arm64. It also includes some small
static branch clean ups, and addresses some surprise performance issues
due to the stack canary[3].

At the very least, the first two patches can land separately (already
Acked and Reviewed), since they're kind of "separate", but introduce
macros that are used in the core stack changes.

If I can get an Ack from an arm64 maintainer, I think this could all land
via -tip to make merging easiest.

Thanks!

-Kees

[1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
[3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/

Kees Cook (6):
  jump_label: Provide CONFIG-driven build state defaults
  init_on_alloc: Optimize static branches
  stack: Optionally randomize kernel stack offset each syscall
  x86/entry: Enable random_kstack_offset support
  arm64: entry: Enable random_kstack_offset support
  lkdtm: Add REPORT_STACK for checking stack offsets

 .../admin-guide/kernel-parameters.txt         | 11 ++++
 Makefile                                      |  4 ++
 arch/Kconfig                                  | 23 ++++++++
 arch/arm64/Kconfig                            |  1 +
 arch/arm64/kernel/Makefile                    |  5 ++
 arch/arm64/kernel/syscall.c                   | 16 ++++++
 arch/x86/Kconfig                              |  1 +
 arch/x86/entry/common.c                       |  3 +
 arch/x86/include/asm/entry-common.h           | 16 ++++++
 drivers/misc/lkdtm/bugs.c                     | 17 ++++++
 drivers/misc/lkdtm/core.c                     |  1 +
 drivers/misc/lkdtm/lkdtm.h                    |  1 +
 include/linux/jump_label.h                    | 19 +++++++
 include/linux/mm.h                            | 10 ++--
 include/linux/randomize_kstack.h              | 55 +++++++++++++++++++
 init/main.c                                   | 23 ++++++++
 mm/page_alloc.c                               |  4 +-
 mm/slab.h                                     |  6 +-
 18 files changed, 208 insertions(+), 8 deletions(-)
 create mode 100644 include/linux/randomize_kstack.h