From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org, will.deacon@arm.com
Cc: mark.rutland@arm.com, linux-hardened@lists.openwall.com, keescook@chromium.org, Ard Biesheuvel, luto@kernel.org, ramana.radhakrishnan@arm.com, uros@gcc.gnu.org, thgarnie@google.com, labbott@fedoraproject.org
Subject: [RFC/RFT PATCH 2/2] arm64: kernel: use a unique stack canary value for each task
Date: Tue, 23 Jan 2018 13:03:02 +0000
Message-Id: <20180123130302.29409-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20180123130302.29409-1-ard.biesheuvel@linaro.org>

Enable the support plugin and expose an appropriate value for
__stack_chk_guard_tsk_offset so that function prologues and epilogues
emitted by GCC read the stack canary value straight from the task_struct.
This sidesteps any concurrency issues resulting from the use of per-CPU
variables to store the canary value of the currently running task.

Signed-off-by: Ard Biesheuvel
---
 arch/arm64/Kconfig                      | 7 +++++++
 arch/arm64/include/asm/stackprotector.h | 4 +++-
 arch/arm64/kernel/asm-offsets.c         | 3 +++
 arch/arm64/kernel/process.c             | 4 ++++
 arch/arm64/kernel/vmlinux.lds.S         | 8 ++++++++
 5 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index d1515fdf7d82..096f23ebfa02 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig 
@@ -1083,6 +1083,13 @@ config RANDOMIZE_MODULE_REGION_FULL a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range. +config CC_STACK_PROTECTOR_PER_TASK + bool "Use a unique stack canary value for each task" + depends on GCC_PLUGINS + select GCC_PLUGIN_ARM64_SSP_PER_TASK + help + Use a unique value for the stack canary value for each task. + endmenu menu "Boot options" diff --git a/arch/arm64/include/asm/stackprotector.h b/arch/arm64/include/asm/stackprotector.h index 58d15be11c4d..fc17a66ec400 100644 --- a/arch/arm64/include/asm/stackprotector.h +++ b/arch/arm64/include/asm/stackprotector.h @@ -17,6 +17,7 @@ #include extern unsigned long __stack_chk_guard; +extern unsigned long __stack_chk_guard_tsk_offset; /* * Initialize the stackprotector canary value. @@ -34,7 +35,8 @@ static __always_inline void boot_init_stack_canary(void) canary &= CANARY_MASK; current->stack_canary = canary; - __stack_chk_guard = current->stack_canary; + if (!IS_ENABLED(CONFIG_CC_STACK_PROTECTOR_PER_TASK)) + __stack_chk_guard = current->stack_canary; } #endif /* _ASM_STACKPROTECTOR_H */ diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c index 71bf088f1e4b..ef1ff04ec064 100644 --- a/arch/arm64/kernel/asm-offsets.c +++ b/arch/arm64/kernel/asm-offsets.c @@ -43,6 +43,9 @@ int main(void) DEFINE(TSK_TI_TTBR0, offsetof(struct task_struct, thread_info.ttbr0)); #endif DEFINE(TSK_STACK, offsetof(struct task_struct, stack)); +#ifdef CONFIG_CC_STACK_PROTECTOR_PER_TASK + DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, stack_canary)); +#endif BLANK(); DEFINE(THREAD_CPU_CONTEXT, offsetof(struct task_struct, thread.cpu_context)); BLANK(); diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 6b7dcf4310ac..d9fd04748f95 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c 
@@ -62,8 +62,12 @@ #ifdef CONFIG_CC_STACKPROTECTOR #include +#ifndef CONFIG_CC_STACK_PROTECTOR_PER_TASK unsigned long __stack_chk_guard __read_mostly; EXPORT_SYMBOL(__stack_chk_guard); +#else +EXPORT_SYMBOL(__stack_chk_guard_tsk_offset); +#endif #endif /* diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 7da3e5c366a0..633cfc1f940c 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -6,6 +6,7 @@ */ #include +#include #include #include #include @@ -239,3 +240,10 @@ ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1)) * If padding is applied before .head.text, virt<->phys conversions will fail. */ ASSERT(_text == (KIMAGE_VADDR + TEXT_OFFSET), "HEAD is misaligned") + +#ifdef CONFIG_CC_STACK_PROTECTOR_PER_TASK +PROVIDE(__stack_chk_guard_tsk_offset = ABSOLUTE(TSK_STACK_CANARY)); + +ASSERT(__stack_chk_guard_tsk_offset < 0x1000, + "__stack_chk_guard_tsk_offset out of range") +#endif
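Review bot: In the arch/arm64/Kconfig hunk, CC_STACK_PROTECTOR_PER_TASK depends only on GCC_PLUGINS, so it can be enabled while the stack protector itself is off. The asm-offsets.c hunk then takes offsetof(struct task_struct, stack_canary) and the vmlinux.lds.S hunk defines the symbol, both guarded by the new option alone, while the EXPORT_SYMBOL in process.c sits inside "#ifdef CONFIG_CC_STACKPROTECTOR". Adding "depends on CC_STACKPROTECTOR" would keep these pieces consistent. The help text only restates the prompt; it should say that the option replaces the single global __stack_chk_guard with a canary read from task_struct. The spelling CC_STACK_PROTECTOR_ also differs from the existing CC_STACKPROTECTOR prefix.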
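Review bot: The new declaration "extern unsigned long __stack_chk_guard_tsk_offset;" in asm/stackprotector.h presents a linker-script absolute symbol as an ordinary variable. The offset is carried in the symbol's address, so C code that reads the variable would load from a small absolute address instead of obtaining the offset. A comment stating that the symbol has no storage and exists only for the compiler-emitted prologue and epilogue would prevent that misuse. In boot_init_stack_canary(), the IS_ENABLED() test relies on the compiler discarding the dead assignment, because process.c no longer defines __stack_chk_guard in per-task mode; a short comment saying so would help the next reader.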
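Review bot: In the arch/arm64/kernel/process.c hunk, the "#else" branch exports __stack_chk_guard_tsk_offset without saying who consumes it. A one-line comment explaining why an offset defined in the linker script needs exporting (presumably for modules built with the plugin) is missing. The same hunk drops the definition of __stack_chk_guard in per-task mode, so any object built with the stack protector but without the plugin will fail to link; if that is the intended behaviour, the commit message should say so.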
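Review bot: The bound in "ASSERT(__stack_chk_guard_tsk_offset < 0x1000," at the end of vmlinux.lds.S is a bare constant with no explanation. A comment naming what imposes the limit is needed so the assertion can be maintained alongside the plugin, and the failure message could tell the user what to do, since it will be hit by any build whose task_struct layout moves stack_canary past that offset. PROVIDE() defines the symbol only when it is referenced and nothing else defines it, so a stray definition in an object file would silently take precedence; a plain assignment would turn such a conflict into a link error.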