From patchwork Wed Jul 11 20:36:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Popov X-Patchwork-Id: 10520493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8FB5A603D7 for ; Wed, 11 Jul 2018 20:38:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6D1A4206E2 for ; Wed, 11 Jul 2018 20:38:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5C71628DE3; Wed, 11 Jul 2018 20:38:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 78F50206E2 for ; Wed, 11 Jul 2018 20:38:31 +0000 (UTC) Received: (qmail 5785 invoked by uid 550); 11 Jul 2018 20:38:05 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 5694 invoked from network); 11 Jul 2018 20:38:02 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=vwO1BBfEXPkgNz0TQnflBY6fkGxMxbnaawte4LVAuJE=; b=iwZwYk4rkhKifrUmJUJgtSkAGZXABS2Wb+ewZzDoES+ZFML5vvDp7HiKAcpFRrfWwH mi8qmhUvDwVmH/YW3zyILooz+jKEKag8myVKOv+vSEIxTTBsof9dNMYHWyuX0Ij8tvg0 y3jjy7fUmhBagCOtiBop1GJo+XqL6AzRe3lTu4zVdPcBJP5lT6ZwTGt9+Q7jIr6067mw 54RJKrOGgpE96tCbbNxXanA2FaKNC9UE0guR1z7iDDrVGclYNPQxwpX9EFOgdRDEI/VM Te8j5JH8hhnyc/tecWPHRfAtkkiwKlp/IEYOz49tRLWQ4HGTCVxGiOl7DEOoNDvZdxOZ tbxQ== X-Gm-Message-State: AOUpUlHjSWXp0tV8fawuDqh7fMoaVPBG7iZgWDB3HxFqjipUDoG7TvK6 Vua7gRLi7rqtQ7qJQUdTxv434ZnlBss= X-Google-Smtp-Source: AAOMgpf3AI+8a8XgJaQ1LVCpGCGucgD+zt80iPJpf0Lz3ynpPNiWUHwknCJbXuruc0NAIGqz0pCGQQ== X-Received: by 2002:a19:e307:: with SMTP id a7-v6mr75100lfh.125.1531341470786; Wed, 11 Jul 2018 13:37:50 -0700 (PDT) From: Alexander Popov To: kernel-hardening@lists.openwall.com, Kees Cook , PaX Team , Brad Spengler , Ingo Molnar , Andy Lutomirski , Tycho Andersen , Laura Abbott , Mark Rutland , Ard Biesheuvel , Borislav Petkov , Richard Sandiford , Thomas Gleixner , "H . Peter Anvin" , Peter Zijlstra , "Dmitry V . Levin" , Emese Revfy , Jonathan Corbet , Andrey Ryabinin , "Kirill A . Shutemov" , Thomas Garnier , Andrew Morton , Alexei Starovoitov , Josef Bacik , Masami Hiramatsu , Nicholas Piggin , Al Viro , "David S . Miller" , Ding Tianhong , David Woodhouse , Josh Poimboeuf , Steven Rostedt , Dominik Brodowski , Juergen Gross , Linus Torvalds , Greg Kroah-Hartman , Dan Williams , Dave Hansen , Mathias Krause , Vikas Shivappa , Kyle Huey , Dmitry Safonov , Will Deacon , Arnd Bergmann , Florian Weimer , Boris Lukashev , Andrey Konovalov , x86@kernel.org, linux-kernel@vger.kernel.org, alex.popov@linux.com Subject: [PATCH v14 6/6] doc: self-protection: Add information about STACKLEAK feature Date: Wed, 11 Jul 2018 23:36:40 +0300 Message-Id: <1531341400-12077-7-git-send-email-alex.popov@linux.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1531341400-12077-1-git-send-email-alex.popov@linux.com> References: <1531341400-12077-1-git-send-email-alex.popov@linux.com> X-Virus-Scanned: ClamAV using ClamSMTP Add information about STACKLEAK feature to "Stack depth overflow" and "Memory poisoning" sections of self-protection.rst. Signed-off-by: Alexander Popov --- Documentation/security/self-protection.rst | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst index e1ca698..452bc75 100644 --- a/Documentation/security/self-protection.rst +++ b/Documentation/security/self-protection.rst @@ -165,10 +165,15 @@ Stack depth overflow A less well understood attack is using a bug that triggers the kernel to consume stack memory with deep function calls or large stack allocations. With this attack it is possible to write beyond the end of -the kernel's preallocated stack space and into sensitive structures. Two -important changes need to be made for better protections: moving the -sensitive thread_info structure elsewhere, and adding a faulting memory -hole at the bottom of the stack to catch these overflows. +the kernel's preallocated stack space and into sensitive structures. +The combination of the following measures gives better protection: + +* moving the sensitive thread_info structure off the stack + (``CONFIG_THREAD_INFO_IN_TASK``); +* adding a faulting memory hole at the bottom of the stack to catch + these overflows (``CONFIG_VMAP_STACK``); +* runtime checking that alloca() calls don't overstep the stack boundary + (``CONFIG_GCC_PLUGIN_STACKLEAK``). Heap memory integrity --------------------- @@ -302,11 +307,11 @@ sure structure holes are cleared. Memory poisoning ---------------- -When releasing memory, it is best to poison the contents (clear stack on -syscall return, wipe heap memory on a free), to avoid reuse attacks that -rely on the old contents of memory. This frustrates many uninitialized -variable attacks, stack content exposures, heap content exposures, and -use-after-free attacks. +When releasing memory, it is best to poison the contents, to avoid reuse +attacks that rely on the old contents of memory. E.g., clear stack on a +syscall return (``CONFIG_GCC_PLUGIN_STACKLEAK``), wipe heap memory on a +free. This frustrates many uninitialized variable attacks, stack content +exposures, heap content exposures, and use-after-free attacks. Destination tracking --------------------