From: Ard Biesheuvel
To: linux-hardening@vger.kernel.org
Cc: keescook@chromium.org, Ard Biesheuvel, Keith Packard, thomas.preudhomme@celest.fr, adhemerval.zanella@linaro.org, Qing Zhao, Richard Sandiford, gcc-patches@gcc.gnu.org
Subject: [RFC PATCH v2 0/1] implement TLS register based stack canary for ARM
Date: Thu, 21 Oct 2021 18:51:18 +0200
Message-Id: <20211021165119.2136543-1-ardb@kernel.org>
X-Patchwork-Id: 12575843

Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102352

In the Linux kernel, user processes calling into the kernel are essentially threads running in the same address space, of a program that never terminates. This means that using a global variable for the stack protector canary value is problematic on SMP systems, as we can never change it unless we reboot the system. (Processes that sleep for any reason will do so on a call into the kernel, which means that there will always be live kernel stack frames carrying copies of the canary taken when the function was entered.)

AArch64 implements -mstack-protector-guard=sysreg for this purpose, as this permits the kernel to use different memory addresses for the stack canary for each CPU, and context switch the chosen system register with the rest of the process, allowing each process to use its own unique value for the stack canary.

This patch implements something similar, but for the 32-bit ARM kernel, which will start using the user space TLS register TPIDRURO to index per-process metadata while running in the kernel. This means we can just add an offset to TPIDRURO to obtain the address from which to load the canary value.

As for the spilling issues that have been fixed in this code in the past: I suppose a register carrying the TLS register value will never get spilled to begin with?

Comments/suggestions welcome.

Cc: Keith Packard
Cc: thomas.preudhomme@celest.fr
Cc: adhemerval.zanella@linaro.org
Cc: Qing Zhao
Cc: Richard Sandiford
Cc: gcc-patches@gcc.gnu.org

Ard Biesheuvel (1):
  [ARM] Add support for TLS register based stack protector canary access

 gcc/config/arm/arm-opts.h   |  6 ++
 gcc/config/arm/arm-protos.h |  2 +
 gcc/config/arm/arm.c        | 52 ++++++++++++++++
 gcc/config/arm/arm.md       | 62 +++++++++++++++++++-
 gcc/config/arm/arm.opt      | 22 +++++++
 gcc/doc/invoke.texi         |  9 +++
 6 files changed, 151 insertions(+), 2 deletions(-)
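
Added example, not part of the original message or of the GCC patch: a user-space C model of the two canary schemes the cover letter contrasts, a single global guard versus a per-task value loaded from the TLS register plus a fixed offset. `struct task`, `tls_reg`, `global_guard` and the canary values are constructed stand-ins; the real kernel layout and the instructions the compiler emits are not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-task metadata; the real kernel layout is not on the page. */
struct task { uint32_t other[4]; uint32_t canary; };
#define CANARY_OFFSET offsetof(struct task, canary)

static uintptr_t tls_reg;      /* stands in for TPIDRURO while in the kernel */
static uint32_t global_guard;  /* stands in for one global canary variable */

static void context_switch(const struct task *t) { tls_reg = (uintptr_t)t; }

/* Models the canary load: address = TLS register + fixed offset. */
static uint32_t tls_canary(void)
{
    return *(const uint32_t *)(tls_reg + CANARY_OFFSET);
}

/* Global scheme: a frame entered before a reseed fails its epilogue check. */
static int global_reseed_trips_sleeper(void)
{
    global_guard = 0x1111aaaa;            /* constructed value */
    uint32_t saved = global_guard;        /* prologue copy, then task sleeps */
    global_guard = 0x2222bbbb;            /* attempted reseed at runtime */
    return saved != global_guard;         /* 1 = spurious canary mismatch */
}

/* Per-task scheme: a new task gets a fresh value, the sleeper is unaffected. */
static int per_task_values_coexist(void)
{
    struct task a = { .canary = 0x1111aaaa }, b = { .canary = 0x2222bbbb };

    context_switch(&a);
    uint32_t saved_a = tls_canary();      /* a enters a function and sleeps */
    context_switch(&b);
    uint32_t saved_b = tls_canary();      /* b runs with its own canary */
    int b_ok = (saved_b == tls_canary());
    context_switch(&a);                   /* a resumes */
    int a_ok = (saved_a == tls_canary());
    return a_ok && b_ok && saved_a != saved_b;
}

int main(void)
{
    printf("global reseed trips sleeper: %d\n", global_reseed_trips_sleeper());
    printf("per-task values coexist:     %d\n", per_task_values_coexist());
    return 0;
}
```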