From patchwork Mon Mar 15 18:02:23 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 12140443
Return-Path: <SRS0=uvia=IN=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-11.6 required=3.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7AA7AC433DB
	for <linux-mm@archiver.kernel.org>; Mon, 15 Mar 2021 18:43:19 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 25B5D64F4A
	for <linux-mm@archiver.kernel.org>; Mon, 15 Mar 2021 18:43:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 25B5D64F4A
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=chromium.org
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id A80CC6B007D; Mon, 15 Mar 2021 14:43:18 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id A31176B007E; Mon, 15 Mar 2021 14:43:18 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 8F87A6B0080; Mon, 15 Mar 2021 14:43:18 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0138.hostedemail.com
 [216.40.44.138])
	by kanga.kvack.org (Postfix) with ESMTP id 72DA36B007D
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 14:43:18 -0400 (EDT)
Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay02.hostedemail.com (Postfix) with ESMTP id E3DC8173086E
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 18:43:17 +0000 (UTC)
X-FDA: 77922981234.07.337C828
Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com
 [209.85.216.42])
	by imf07.hostedemail.com (Postfix) with ESMTP id 248B1A11C759
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 18:02:42 +0000 (UTC)
Received: by mail-pj1-f42.google.com with SMTP id
 a22-20020a17090aa516b02900c1215e9b33so14828916pjq.5
        for <linux-mm@kvack.org>; Mon, 15 Mar 2021 11:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=D9ES74tRjQPkQDGloZkJ7JzGqh/Rg5vOjLPTTzfWrnU=;
        b=nkyWI5GSq3VOZgbrSe5HgKjUqcwdRVsFgjMiU8cCOXgYni5mOUx2JpvpUeGfEIzjVc
         /EApzc0zoetCk9N/rKUGLhHwqdDHx/41U8LrjrtmFadM02lCoJ/nZFJdX85vtFgWgnHI
         h+0okdA6lvkzr6gdZBtYETfjATYKmdov+9h6Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=D9ES74tRjQPkQDGloZkJ7JzGqh/Rg5vOjLPTTzfWrnU=;
        b=jh5/TQRkovmMrdk8ovRi2HDgBaDph+FE4g96ZnMQVmHF5+y/EDtKt5hktQ22dI4dU2
         5T0gMlFfmwsWbYSrP6qjcxS6BS+g22vHjlblYPtZJUgaDIUfVDOs7WNGYvBVyM7SS8ZZ
         fpl2TURm2IdFZ5II7hm3KutWPFE3bQSVPsWNkT0KbhvoEEdKCgd68vQW8b3ESp+B8AhA
         UxgEFCRodiIUHkPoSoQEJp0wH49XAEhx9diRpd9Wvd5NILGhVsfGHHJWxkU/VR5PCU8k
         sV7cYdUxu5xcnJP3FLnTjVH6G7C347oJjUv+a3tK4eDwnsGpBVpZ6cK6XCeL22/YR/Dp
         h/7A==
X-Gm-Message-State: AOAM533N+xhyVWMGvfR54/oqh90G80MRZ+2c+QMfz+WoUsteTpch6qEh
	gELeAu1SDT1pYziiL2tDOmyZwQ==
X-Google-Smtp-Source: 
 ABdhPJwdcjtS5Z2P+DmTf0KAvanjziv2viUkjFPb2OQot1M+A70P++yEN5oAbiQpcrSGAjwehcCvpA==
X-Received: by 2002:a17:90a:2c09:: with SMTP id m9mr300524pjd.3.1615831356695;
        Mon, 15 Mar 2021 11:02:36 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id
 l4sm13890800pgi.19.2021.03.15.11.02.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 15 Mar 2021 11:02:35 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>,
	Elena Reshetova <elena.reshetova@intel.com>,
	x86@kernel.org,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Potapenko <glider@google.com>,
	Alexander Popov <alex.popov@linux.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Jann Horn <jannh@google.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	David Hildenbrand <david@redhat.com>,
	Mike Rapoport <rppt@linux.ibm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Randy Dunlap <rdunlap@infradead.org>,
	kernel-hardening@lists.openwall.com,
	linux-hardening@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v6 0/6] Optionally randomize kernel stack offset each syscall
Date: Mon, 15 Mar 2021 11:02:23 -0700
Message-Id: <20210315180229.1224655-1-keescook@chromium.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Stat-Signature: nu6pwhct7ujhbt4j6yxqok45qsaeymws
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 248B1A11C759
Received-SPF: none (chromium.org>: No applicable sender policy available)
 receiver=imf07; identity=mailfrom; envelope-from="<keescook@chromium.org>";
 helo=mail-pj1-f42.google.com; client-ip=209.85.216.42
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1615831362-376571
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

v6:
- rearrange jump_label and init_on_* changes (akpm)
- add slab init_on_* static branches (andreyknvl)
v5: https://lore.kernel.org/lkml/20210309214301.678739-1-keescook@chromium.org/
v4: https://lore.kernel.org/lkml/20200622193146.2985288-1-keescook@chromium.org/
v3: https://lore.kernel.org/lkml/20200406231606.37619-1-keescook@chromium.org/
v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/
rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/

Hi,

This is a continuation and refactoring of Elena's earlier effort to add
kernel stack base offset randomization. In the time since the earlier
discussions, two attacks[1][2] were made public that depended on stack
determinism, so we're no longer in the position of "this is a good idea
but we have no examples of attacks". :)

Earlier discussions also devolved into debates on entropy sources, which
is mostly a red herring, given the already low entropy available due
to stack size. Regardless, entropy can be changed/improved separately
from this series as needed.

Earlier discussions also got stuck debating how much syscall overhead
was too much, but this is also a red herring since the feature itself
needs to be selectable at boot with no cost for those that don't want it:
this is solved here with static branches.

So, here is the latest improved version, made as arch-agnostic as
possible, with usage added for x86 and arm64. It also includes some small
static branch clean ups, and addresses some surprise performance issues
due to the stack canary[3].

At the very least, the first two patches can land separately (already
Acked and Reviewed), since they're kind of "separate", but introduce
macros that are used in the core stack changes.

If I can get an Ack from an arm64 maintainer, I think this could all
land via -tip to make merging easiest.

Thanks!

-Kees

[1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
[3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/

Kees Cook (6):
  jump_label: Provide CONFIG-driven build state defaults
  init_on_alloc: Optimize static branches
  stack: Optionally randomize kernel stack offset each syscall
  x86/entry: Enable random_kstack_offset support
  arm64: entry: Enable random_kstack_offset support
  lkdtm: Add REPORT_STACK for checking stack offsets

 .../admin-guide/kernel-parameters.txt         | 11 +++++
 Makefile                                      |  4 ++
 arch/Kconfig                                  | 23 ++++++++++
 arch/arm64/Kconfig                            |  1 +
 arch/arm64/kernel/Makefile                    |  5 +++
 arch/arm64/kernel/syscall.c                   | 10 +++++
 arch/x86/Kconfig                              |  1 +
 arch/x86/entry/common.c                       |  3 ++
 arch/x86/include/asm/entry-common.h           |  8 ++++
 drivers/misc/lkdtm/bugs.c                     | 17 ++++++++
 drivers/misc/lkdtm/core.c                     |  1 +
 drivers/misc/lkdtm/lkdtm.h                    |  1 +
 include/linux/jump_label.h                    | 19 +++++++++
 include/linux/mm.h                            | 10 +++--
 include/linux/randomize_kstack.h              | 42 +++++++++++++++++++
 init/main.c                                   | 23 ++++++++++
 mm/page_alloc.c                               |  4 +-
 mm/slab.h                                     |  6 ++-
 18 files changed, 181 insertions(+), 8 deletions(-)
 create mode 100644 include/linux/randomize_kstack.h