From patchwork Thu Aug 16 22:16:57 2018
X-Patchwork-Submitter: Alexander Popov
X-Patchwork-Id: 10568249
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Alexander Popov
To: kernel-hardening@lists.openwall.com, Kees Cook, PaX Team, Brad Spengler, Ingo Molnar, Andy Lutomirski, Tycho Andersen, Laura Abbott, Mark Rutland, Ard Biesheuvel, Borislav Petkov, Richard Sandiford, Thomas Gleixner, H. Peter Anvin, Peter Zijlstra, Dmitry V. Levin, Emese Revfy, Jonathan Corbet, Andrey Ryabinin, Kirill A. Shutemov, Thomas Garnier, Andrew Morton, Alexei Starovoitov, Josef Bacik, Masami Hiramatsu, Nicholas Piggin, Al Viro, David S. Miller, Ding Tianhong, David Woodhouse, Josh Poimboeuf, Steven Rostedt, Dominik Brodowski, Juergen Gross, Linus Torvalds, Greg Kroah-Hartman, Dan Williams, Dave Hansen, Mathias Krause, Vikas Shivappa, Kyle Huey, Dmitry Safonov, Will Deacon, Arnd Bergmann, Florian Weimer, Boris Lukashev, Andrey Konovalov, x86@kernel.org, linux-kernel@vger.kernel.org, alex.popov@linux.com
Subject: [PATCH v15 0/7] Introduce the STACKLEAK feature and a test for it
Date: Fri, 17 Aug 2018 01:16:57 +0300
Message-Id: <1534457824-7211-1-git-send-email-alex.popov@linux.com>
X-Mailer: git-send-email 2.7.4

This is the 15th version of the patch series introducing STACKLEAK to the
mainline kernel for x86.

This version comes with changes according to the feedback from Linus Torvalds:
 1. BUG_ON() in stackleak_erase() is safely eliminated;
 2. Stack Clash detection (alloca() check) is completely dropped, since global
    '-Wvla' should arrive soon (https://patchwork.kernel.org/patch/10489873).
    stackleak_check_alloca() for arm64 is dropped as well in a separate commit.

This version is rebased onto Linus' tree.

Previous version discussion:
https://lore.kernel.org/lkml/20180813214328.GA15137@beast/T/#u

Motivation
==========

STACKLEAK (initially developed by PaX Team):
 1. reduces the information that can be revealed through kernel stack leak
    bugs. The idea of erasing the thread stack at the end of syscalls is
    similar to CONFIG_PAGE_POISONING and memzero_explicit() in kernel crypto,
    which all comply with FDP_RIP.2 (Full Residual Information Protection) of
    the Common Criteria standard.
 2. blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712,
    CVE-2010-2963). That kind of bug should be killed by improving C compilers
    in future, which might take a long time.

Performance impact
==================

Hardware: Intel Core i7-4770, 16 GB RAM

Test #1: building the Linux kernel on a single core
  0.91% slowdown

Test #2: hackbench -s 4096 -l 2000 -g 15 -f 25 -P
  4.2% slowdown

So the STACKLEAK description in Kconfig includes:
"The tradeoff is the performance impact: on a single CPU system kernel
compilation sees a 1% slowdown, other systems and workloads may vary and you
are advised to test this feature on your expected workload before deploying
it".
Alexander Popov (7):
  x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
  gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
  lkdtm: Add a test for STACKLEAK
  fs/proc: Show STACKLEAK metrics in the /proc file system
  doc: self-protection: Add information about STACKLEAK feature
  stackleak: Allow runtime disabling of kernel stack erasing
  arm64: Drop unneeded stackleak_check_alloca()

 Documentation/security/self-protection.rst |  10 +-
 Documentation/sysctl/kernel.txt            |  18 ++
 Documentation/x86/x86_64/mm.txt            |   2 +
 arch/Kconfig                               |   7 +
 arch/arm64/kernel/process.c                |  22 --
 arch/x86/Kconfig                           |   1 +
 arch/x86/entry/calling.h                   |  14 +
 arch/x86/entry/entry_32.S                  |   7 +
 arch/x86/entry/entry_64.S                  |   3 +
 arch/x86/entry/entry_64_compat.S           |   5 +
 drivers/misc/lkdtm/Makefile                |   2 +
 drivers/misc/lkdtm/core.c                  |   1 +
 drivers/misc/lkdtm/lkdtm.h                 |   3 +
 drivers/misc/lkdtm/stackleak.c             |  73 +++++
 fs/proc/base.c                             |  18 ++
 include/linux/sched.h                      |   5 +
 include/linux/stackleak.h                  |  35 +++
 kernel/Makefile                            |   4 +
 kernel/fork.c                              |   3 +
 kernel/stackleak.c                         | 132 +++++++++
 kernel/sysctl.c                            |  15 +-
 scripts/Makefile.gcc-plugins               |  10 +
 scripts/gcc-plugins/Kconfig                |  51 ++++
 scripts/gcc-plugins/stackleak_plugin.c     | 427 +++++++++++++++++++++++++++++
 24 files changed, 840 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/lkdtm/stackleak.c
 create mode 100644 include/linux/stackleak.h
 create mode 100644 kernel/stackleak.c
 create mode 100644 scripts/gcc-plugins/stackleak_plugin.c

Tested-by: Laura Abbott
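The mechanism the cover letter describes, namely the plugin tracking the deepest stack pointer reached during a syscall and stackleak_erase() poisoning the used stack at syscall exit, can be modelled in user space. The following is an added illustration, not code from the patch series: the "thread stack" is a constructed array with an explicit stack pointer, the function names (track_stack, leave_secret, read_uninitialized, stackleak_erase_model, leak_after_syscall) are assumptions, and the poison constant is assumed to match the kernel's value.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model: a tiny downward-growing "thread stack" and a poison value. */
#define STACK_WORDS 64
#define STACKLEAK_POISON ((uint64_t)-0xBEEF)   /* assumed: the kernel's poison */
static uint64_t thread_stack[STACK_WORDS];  /* index 0 = lowest address */
static size_t sp = STACK_WORDS;             /* next free word */
static size_t lowest_stack = STACK_WORDS;   /* deepest sp since the last erase */

/* Role of the plugin-inserted stackleak_track_stack() call: record the deepest sp. */
static void track_stack(void) { if (sp < lowest_stack) lowest_stack = sp; }

/* Syscall path that keeps a secret in a local and returns without clearing it. */
static void leave_secret(uint64_t secret)
{
    sp -= 4;                        /* allocate a 4-word frame */
    track_stack();
    thread_stack[sp + 1] = secret;  /* local variable holding the secret */
    sp += 4;                        /* return: frame released, not cleared */
}

/* Later syscall with an uninitialized local in the same stack slot. */
static uint64_t read_uninitialized(void)
{
    sp -= 4;
    track_stack();
    uint64_t leaked = thread_stack[sp + 1];  /* never written in this frame */
    sp += 4;
    return leaked;
}

/* Simplified stackleak_erase(): poison from the deepest used word up to sp, then reset. */
static void stackleak_erase_model(void)
{
    for (size_t i = lowest_stack; i < sp; i++)
        thread_stack[i] = STACKLEAK_POISON;
    lowest_stack = sp;
}

/* Fresh stack: leave a secret, optionally erase at "syscall exit", then read the slot. */
uint64_t leak_after_syscall(int erase)
{
    memset(thread_stack, 0, sizeof(thread_stack));
    sp = lowest_stack = STACK_WORDS;
    leave_secret(0xCAFEBABEDEADBEEFULL);    /* constructed secret value */
    if (erase)
        stackleak_erase_model();
    return read_uninitialized();
}
```

Without erasing, the uninitialized local observes the previous syscall's secret; with erasing, it observes only the poison, which is the residual-information property the Motivation section refers to.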