From patchwork Fri Mar 19 21:28:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12151951 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D181BC433DB for ; Fri, 19 Mar 2021 21:29:17 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 231226193A for ; Fri, 19 Mar 2021 21:29:16 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 231226193A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-21006-kernel-hardening=archiver.kernel.org@lists.openwall.com Received: (qmail 16102 invoked by uid 550); 19 Mar 2021 21:28:52 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Received: (qmail 16042 invoked from network); 19 Mar 2021 21:28:51 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=COYequ/Al4vh0bS6DyJKs6KMlXrnC5mSUzfXzkBff1k=; b=I8TknAyVLcDhMIatOxfg+fdU62BWJHBXwg3Rx8TWavaNLBa3eNY1/bJ+QswJecZL+u dxQZJxpcqrjERo37QE97Ja+SJjY29erRLfmXZqZDZ0A18U3QnAljIYefhpB0s3kMil0o OHt2KyuJ0VnoNR446RaOmtyETkgphZPoeTESE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=COYequ/Al4vh0bS6DyJKs6KMlXrnC5mSUzfXzkBff1k=; b=bxzTa4qYq/ivLS9ZuvlaRAe+9FeqgUWsNVsfcWIv6153nUJ/BEgHea1rU4KxRaHWaG GMGVWTjc6uL9M8aGS7nECUgi6H9pI3PnBshIWoOe5xmWVssXME96cpDdq8+2yHyIfqyc pXWXG5kHVJmcU+jC79grUXI7ud0sMqV/jsUxC63Hdg6ypHnMiQPeE0pX82xyRwjnUWMS FX86YK3tjaVDH3gZ4PzJJR1mFGKDgeVonX0jUbDU/AIzPznq9VUimE088HFJZpJzVtXb aj59EUT6T3lNClvRLJYxirjrY+EJdpnuoJnORWIY0XuZd4NGOpduyxfnwb3U38tpzDM5 RitA== X-Gm-Message-State: AOAM5315a5BLOT94trxiuePyZaCVjkfU7DDAaxQinKffTf9LhQO3L5Vn 5uDi/0US1ilpijPw8pHtqylY8Q== X-Google-Smtp-Source: ABdhPJyZr4/GDEamWBieVEFuuZx6Q7tu0xmdbWTaLaDKNdCcZA75rRto0XPpcUkqhpQvA6Nqpe018g== X-Received: by 2002:aa7:9081:0:b029:1f9:26c9:1609 with SMTP id i1-20020aa790810000b02901f926c91609mr10885048pfa.54.1616189319323; Fri, 19 Mar 2021 14:28:39 -0700 (PDT) From: Kees Cook To: Thomas Gleixner Cc: Kees Cook , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Catalin Marinas , Will Deacon , Mark Rutland , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v7 0/6] Optionally randomize kernel stack offset each syscall Date: Fri, 19 Mar 2021 14:28:29 -0700 Message-Id: <20210319212835.3928492-1-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 v7: - fix copy/paste-o from v6 CONFIG additions. v6: https://lore.kernel.org/lkml/20210315180229.1224655-1-keescook@chromium.org/ v5: https://lore.kernel.org/lkml/20210309214301.678739-1-keescook@chromium.org/ v4: https://lore.kernel.org/lkml/20200622193146.2985288-1-keescook@chromium.org/ v3: https://lore.kernel.org/lkml/20200406231606.37619-1-keescook@chromium.org/ v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/ rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/ Hi, This is a continuation and refactoring of Elena's earlier effort to add kernel stack base offset randomization. In the time since the earlier discussions, two attacks[1][2] were made public that depended on stack determinism, so we're no longer in the position of "this is a good idea but we have no examples of attacks". :) Earlier discussions also devolved into debates on entropy sources, which is mostly a red herring, given the already low entropy available due to stack size. Regardless, entropy can be changed/improved separately from this series as needed. Earlier discussions also got stuck debating how much syscall overhead was too much, but this is also a red herring since the feature itself needs to be selectable at boot with no cost for those that don't want it: this is solved here with static branches. So, here is the latest improved version, made as arch-agnostic as possible, with usage added for x86 and arm64. It also includes some small static branch clean ups, and addresses some surprise performance issues due to the stack canary[3]. At the very least, the first two patches can land separately (already Acked and Reviewed), since they're kind of "separate", but introduce macros that are used in the core stack changes. If I can get an Ack from an arm64 maintainer, I think this could all land via -tip to make merging easiest. Thanks! -Kees [1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html [2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf [3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/ Kees Cook (6): jump_label: Provide CONFIG-driven build state defaults init_on_alloc: Optimize static branches stack: Optionally randomize kernel stack offset each syscall x86/entry: Enable random_kstack_offset support arm64: entry: Enable random_kstack_offset support lkdtm: Add REPORT_STACK for checking stack offsets .../admin-guide/kernel-parameters.txt | 11 +++++ Makefile | 4 ++ arch/Kconfig | 23 ++++++++++ arch/arm64/Kconfig | 1 + arch/arm64/kernel/Makefile | 5 +++ arch/arm64/kernel/syscall.c | 10 +++++ arch/x86/Kconfig | 1 + arch/x86/entry/common.c | 3 ++ arch/x86/include/asm/entry-common.h | 8 ++++ drivers/misc/lkdtm/bugs.c | 17 ++++++++ drivers/misc/lkdtm/core.c | 1 + drivers/misc/lkdtm/lkdtm.h | 1 + include/linux/jump_label.h | 19 +++++++++ include/linux/mm.h | 10 +++-- include/linux/randomize_kstack.h | 42 +++++++++++++++++++ init/main.c | 23 ++++++++++ mm/page_alloc.c | 4 +- mm/slab.h | 6 ++- 18 files changed, 181 insertions(+), 8 deletions(-) create mode 100644 include/linux/randomize_kstack.h