From patchwork Wed Mar 31 20:54:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176275 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-21.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62E1EC433ED for ; Wed, 31 Mar 2021 20:58:00 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D277060BBB for ; Wed, 31 Mar 2021 20:57:59 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D277060BBB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=LkgS3CY9Q4oEb/64XiSFlIzSgogvN/68nhTe8LDmGgM=; b=gEBcsKZvKPLdbP96boW15L3PZ swdtpjSfj1tP7NCji/oJfptXGDyRVwQEH7ej2yi0+9akr9b6AsAHWxG/GKQEZpNAJuGhQ1Z6B52oT yXs62lhWFaYixVC5B4Pb+E+pPQtmBnZYij7Kg44gwGnUFUDhBZ71rcUq+sLXFwgq4ujKukdiovBXC 5EcmoFQds2M4cdY+MP8kmbGHXmyNwVgiOlSMpy9XLNTQboD4ZLj+raA485VvCU4Tyv+QQPgUhTv6d g3CUy3SXeZYk+4V1J9dRLLsDkUo/X1pfPkbBt7wE46v9GcSpVjvIB1pb97wpJXv710PKBqzJirDqR cPptrX6oA==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhsc-007aOn-CD; Wed, 31 Mar 2021 20:55:58 +0000 Received: from mail-pf1-x432.google.com ([2607:f8b0:4864:20::432]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhrn-007aFf-Dh for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:10 +0000 Received: by mail-pf1-x432.google.com with SMTP id c204so15439796pfc.4 for ; Wed, 31 Mar 2021 13:55:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=9ijlYcKqhmRnIjh3GfaZu6VzSGgGwccaBk76YZfh88U=; b=WPzOZI/7h/nIlJykeZPJIx0pP8kh07MzAyzEZatHRuIhHB97Us6jbJeY/UYOlmqOhI I0ecVNwtacYNG9lms+cBmhaFNl0rIzXFYDD0LRCOvReTo3zRWs7cC3oUH7692A+ZDVVi 2gGuQxNlOLAX8UFE9I1BxL/Nh/X2RmBxs4Bxw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9ijlYcKqhmRnIjh3GfaZu6VzSGgGwccaBk76YZfh88U=; b=S9BRgZeEED2ehECAiplvDsUJmXV6KvycAwEhUTsekg2sa0C9Vb9VHFjwJ2FQHyRDaN 8nUtnnYwp3CFeW9Jy5x5EKKySLzMWDNotdlDedTkFMmdxdjHhdoh5p+xua1rjshu15P9 L270nnqGeXv0DF9ihDtIxHrYevk8EDNf2yQK7ri/QSIX7I3Y9Ro7pp/fnQylDlV05zsp AHjKu38h8/CbkOwuzkMrdxhGlzNWIKKIsEI2f/4ozBc6BbdGEO8uJFYYHRv/jE4B3GG2 OMIZyq40tPDnQysmIgyXzREBkexsD8/uNqN7nMYlUKHf/E8mxBKg1bHCy4UV0LNlilSx QLvA== X-Gm-Message-State: AOAM533otyunA4BszmzHbzW8fw5hxZ0E1jq1xkpfgqfd6DkXNuLzp9MO 8nKLgns6M4Wd79DJNG+v7rE71Q== X-Google-Smtp-Source: ABdhPJwjc+yR/F1HFGbsO3JvcN74Eaz7ocQ4vidQqR9lLlweYVUpN1FMKcKww5c8xRtm5T99yzj42g== X-Received: by 2002:a63:4f56:: with SMTP id p22mr4811122pgl.224.1617224106052; Wed, 31 Mar 2021 13:55:06 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id cp22sm3040786pjb.15.2021.03.31.13.55.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:03 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Peter Zijlstra , Catalin Marinas , Mark Rutland , Thomas Gleixner , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 1/6] jump_label: Provide CONFIG-driven build state defaults Date: Wed, 31 Mar 2021 13:54:53 -0700 Message-Id: <20210331205458.1871746-2-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=aa54c44d1d71b9550d6015efc734f667917094a1; i=Vishx6UyAXwYzcnoSyP+eBB3iQyx+/i5smsbQfc0cnA=; m=vc4sSYlf+uaSlLSFP5TpbQv56VaSRpBLpRuMltXaB4Q=; p=mNH2Bo/K9vrGz9sBtTDV8UFO0eJ8yv8BbR/DeIaO1es= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aEACgkQiXL039xtwCaqhg/+KwH hAw/wsPS1SeVqGJmKPfdQr82hCM0Ml7SVm9J6WipR0nxoHNTRoTq5fJgQ/HAKX35mqAAL3tYGqBi0 2+4WfT2O7DCmcfB4kxHIAZPP1QJPHiUWqb+fNCgutJ9rorMb8tWzDisghAXGGA5mLJTb+e3za84Mg Tz11kRO6uL8orQe4PDGMbtu4ZCR98bQV+/s0SJ2edzBC6JEfXsZGQR+aVB8IXsP7SLf4m7cqs+xko 0HsCJcGnkdPob7OY3xJ5xX638TmezTLmrLymvZQF/3nSqc6H9sGuaiM3d+AM23zJ3MCY6ZlyJXvV8 GzbL/fy12rUa+H/CHYoxEjJJDyopHQQOf677UExOEVO+E4cujeCRzdKv5dGhmFIcpDsFb7FlVCloU ORxvUCgvTSBkWF3qpl9OVmYHU6SKzdG4TU/awDvK6NojCgqhZpoIKjFDsImZzpta59PWF0iJQY7XJ jEq3UVi32y1V10znVqFCRaTTsYnknmSRGohaJqK9aIN29Ua/iBZooygQSNVS0ae3NR3YEQRHRoEZV kgil7zpFlzwuBxrLHrYvvKq3r0q0H4hsoDpFHgHGDZaTXKU4EXWsZ66xrOPJi0r6R9a8pYf+QDjxC cqQfU25fy65WH6DRJBFFXm3eRu/MP8OcVb83DQXHPhdKGC0lf0O4/2ELWKbU5SbM= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215507_800415_2D3916D8 X-CRM114-Status: GOOD ( 14.85 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org As shown in jump_label.h[1], choosing the initial state of static branches changes the assembly layout. If the condition is expected to be likely it's inline, and if unlikely it is out of line via a jump. A few places in the kernel use (or could be using) a CONFIG to choose the default state, which would give a small performance benefit to their compile-time declared default. Provide the infrastructure to do this. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/jump_label.h?h=v5.11#n398 Acked-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/lkml/20200324220641.GT2452@worktop.programming.kicks-ass.net/ Signed-off-by: Kees Cook --- include/linux/jump_label.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h index d92691262f51..05f5554d860f 100644 --- a/include/linux/jump_label.h +++ b/include/linux/jump_label.h @@ -382,6 +382,21 @@ struct static_key_false { [0 ... (count) - 1] = STATIC_KEY_FALSE_INIT, \ } +#define _DEFINE_STATIC_KEY_1(name) DEFINE_STATIC_KEY_TRUE(name) +#define _DEFINE_STATIC_KEY_0(name) DEFINE_STATIC_KEY_FALSE(name) +#define DEFINE_STATIC_KEY_MAYBE(cfg, name) \ + __PASTE(_DEFINE_STATIC_KEY_, IS_ENABLED(cfg))(name) + +#define _DEFINE_STATIC_KEY_RO_1(name) DEFINE_STATIC_KEY_TRUE_RO(name) +#define _DEFINE_STATIC_KEY_RO_0(name) DEFINE_STATIC_KEY_FALSE_RO(name) +#define DEFINE_STATIC_KEY_MAYBE_RO(cfg, name) \ + __PASTE(_DEFINE_STATIC_KEY_RO_, IS_ENABLED(cfg))(name) + +#define _DECLARE_STATIC_KEY_1(name) DECLARE_STATIC_KEY_TRUE(name) +#define _DECLARE_STATIC_KEY_0(name) DECLARE_STATIC_KEY_FALSE(name) +#define DECLARE_STATIC_KEY_MAYBE(cfg, name) \ + __PASTE(_DECLARE_STATIC_KEY_, IS_ENABLED(cfg))(name) + extern bool ____wrong_branch_error(void); #define static_key_enabled(x) \ @@ -482,6 +497,10 @@ extern bool ____wrong_branch_error(void); #endif /* CONFIG_JUMP_LABEL */ +#define static_branch_maybe(config, x) \ + (IS_ENABLED(config) ? static_branch_likely(x) \ + : static_branch_unlikely(x)) + /* * Advanced usage; refcount, branch is enabled when: count != 0 */ From patchwork Wed Mar 31 20:54:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176267 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80D97C433ED for ; Wed, 31 Mar 2021 20:57:20 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7534661076 for ; Wed, 31 Mar 2021 20:57:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7534661076 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=LZEkEXMfB/Y8sKtYO68vHvaHZeKZFfscaamn1tgUX0E=; b=iNXgEZqAdkljNMx0dkTiQsxzI xxeuVGauQTDipS8JDk71KsEXlE828AmQ2scbBDtjBIwEocNUR2vf9xLkfprRSwZX8nOAcfbXwEKok WbjMDamEsVJnm1nX4ZuMGdKyPQTd4Zb1LfqGGwS6qQolS6N02GVZvK4+zBpfGxeMVvULTLsCQNsRr Tg7avosG6g6kyvnK1XRsfyzxHu2nBpRcWlyrxkVRt0wxcjeuhlmyhC7lo4E2veyeJK62zFxXjvhE/ t617lMskT6PB+gjB7jnMt3JpqAo5oVLD/z7bXcqgdrHdVvSn4ilX97s1tb/PEnZ1rjmm9YNUmJR+1 y73KQevaw==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhs2-007aIq-5m; Wed, 31 Mar 2021 20:55:23 +0000 Received: from mail-pl1-x631.google.com ([2607:f8b0:4864:20::631]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhrl-007aEy-FH for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:08 +0000 Received: by mail-pl1-x631.google.com with SMTP id e14so8538785plj.2 for ; Wed, 31 Mar 2021 13:55:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=UG6lpZSAG8t+NfdJici9YkMGF34rxaYTMGPEmVDXXFs=; b=aJzm5fmcrJV95XWecmZx0aMFMPbB8/eMvLvoygv7WsN8sG+DKBU+yrMDpIaCcI0DyO TJPCxLVlsJD5X2BVQpERBmipuWyTXWjI80givkOpWhWowuPbaTDktfWh+5zRMs1C9It+ IYmEwmA2KAs39rl3sJI3Qr4K91d5lCwbDpK10= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=UG6lpZSAG8t+NfdJici9YkMGF34rxaYTMGPEmVDXXFs=; b=QtjXvXOFUWn9IttYXQnd2aD5umH+0ILVv2L7o3zYBUgrl4DRiWMWSD8Dh85WSFmCiC QTd2RKWsh3ponCj/U/qFXpp7H9dSLzJprMPQthLHy8TvsexvMRVNTB5BuGg+JK92N5D/ 2KdXZJV1d8IJNujKM+pZpkzlGb4zs5yClvisWP45Oeedx0bWRsxr/+ZiOKR5Haz1mdWo R7U/9WBuF4perXhIxE9OK/s3AxB3zE1/Pu9GElpc1uC/uSjASVqoozOVKPgEIFjzFlB/ cbOdOJf9wDwnyBp9X4GPqpLN8kZmhH/kRCgeKoLSW0CFq8yGmgdNtNeTqYzPuVCA0u/j hedQ== X-Gm-Message-State: AOAM532+Clhf1LzMwZAT142ymVz0C/vhyKyhvGZCIpPs/gRWWpLoeQ4Q gCYPc/Dj4eDH0KmkRAHLSqD6Ig== X-Google-Smtp-Source: ABdhPJyai6ivznvyQwIH/6qhXxzdrf48me6WrQ8AJmSGz35aHeuFup7Z0tQChRzSQniPWTmzBIVJ+g== X-Received: by 2002:a17:90a:9281:: with SMTP id n1mr5262255pjo.146.1617224104097; Wed, 31 Mar 2021 13:55:04 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id g15sm3437621pfk.36.2021.03.31.13.55.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:03 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Alexander Potapenko , Vlastimil Babka , Catalin Marinas , Mark Rutland , Thomas Gleixner , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Alexander Popov , Ard Biesheuvel , Jann Horn , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 2/6] init_on_alloc: Optimize static branches Date: Wed, 31 Mar 2021 13:54:54 -0700 Message-Id: <20210331205458.1871746-3-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=2f4b59272e09d0180c87e3d8378d95ea375990ec; i=7VrM8Pzr5MGi8vAaDOW4xeiDtVYbjHgJsdLlT/sxDXE=; m=OLLKLAHsfNT1d7+pflxMGJuAvSt8GZaetKIXzfk0ilc=; p=cKq4RSNZSRZ+ASTC07w37jURMQB1hxGsdgqU07adDH0= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aEACgkQiXL039xtwCZiNw//V2K WRu9en8BRhcfBhg7mfbT5rLF1PuOIkmx1/JfZ5IK9ehniUEY1eAHGzbl86gYSvwXXQKwYkunQiFpM 9a0wM6tuHC9Lo51OPvGPO3ZvwP/i8/tX40lgXPmHoaV/PCAl8T4A2JUevIfHXXEXhb9UWYkXF8lsO iOBvFSZddS9rsIGRZatDS7jNfRAhSplRLoH9M8kQ34TabEDijskSQOAFNl09MXg+lgvC8UJzBwZrL +VbimAx6SZysNUYpw7pHlFf8hk2NGa0ROuVMmlRaqlH++0m/V3Nx+3UuJdSbcqOw05T7XlM32ajmV ShGwnjuRjvV+jXhZVeDGSYyJttxrBS4YhN1Jn+EtyvR/fpP07JMUS+qQoDux/rYp66kVnz9knlFbp udRVFQzlzPE7sb1qCjOCLEiEu9hvhxYQgeVQxvS/AhBQOrq3wp4QMivwPvIxgQ4L2RY+IMiNuZkFW Y4eNHQGYT8gKrE9efMDQgJcnTQerF2cduSfud74On2vfdjEW8dQd6fZ3CfLroyBCeFp8optFeRfPX pvQzazrUDcdMBrJRB9Vl+eVUa2K9Ur7t9MSCf2g+kYBzK/znMquwZVgRqtW/TRAzoLbFNlvZ+Wswk vsPZjHWCQFZImbj5c4dfBRx6+jZ9/hVvGmaaE9KTpveb9iK/bJ+xPSFNWkUxSwNo= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215505_652244_237355FB X-CRM114-Status: GOOD ( 16.47 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The state of CONFIG_INIT_ON_ALLOC_DEFAULT_ON (and ...ON_FREE...) did not change the assembly ordering of the static branches: they were always out of line. Use the new jump_label macros to check the CONFIG settings to default to the "expected" state, which slightly optimizes the resulting assembly code. Reviewed-by: Alexander Potapenko Link: https://lore.kernel.org/lkml/CAG_fn=X0DVwqLaHJTO6Jw7TGcMSm77GKHinrd0m_6y0SzWOrFA@mail.gmail.com/ Acked-by: Vlastimil Babka Link: https://lore.kernel.org/lkml/5d626b9b-5355-be94-e8e2-1be47f880f30@suse.cz Signed-off-by: Kees Cook --- include/linux/mm.h | 10 ++++++---- mm/page_alloc.c | 4 ++-- mm/slab.h | 6 ++++-- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 77e64e3eac80..2ccd856ac0d1 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -2871,18 +2871,20 @@ static inline void kernel_poison_pages(struct page *page, int numpages) { } static inline void kernel_unpoison_pages(struct page *page, int numpages) { } #endif -DECLARE_STATIC_KEY_FALSE(init_on_alloc); +DECLARE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); static inline bool want_init_on_alloc(gfp_t flags) { - if (static_branch_unlikely(&init_on_alloc)) + if (static_branch_maybe(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, + &init_on_alloc)) return true; return flags & __GFP_ZERO; } -DECLARE_STATIC_KEY_FALSE(init_on_free); +DECLARE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_FREE_DEFAULT_ON, init_on_free); static inline bool want_init_on_free(void) { - return static_branch_unlikely(&init_on_free); + return static_branch_maybe(CONFIG_INIT_ON_FREE_DEFAULT_ON, + &init_on_free); } extern bool _debug_pagealloc_enabled_early; diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 3e4b29ee2b1e..267c04b8911d 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -167,10 +167,10 @@ unsigned long totalcma_pages __read_mostly; int percpu_pagelist_fraction; gfp_t gfp_allowed_mask __read_mostly = GFP_BOOT_MASK; -DEFINE_STATIC_KEY_FALSE(init_on_alloc); +DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); EXPORT_SYMBOL(init_on_alloc); -DEFINE_STATIC_KEY_FALSE(init_on_free); +DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_FREE_DEFAULT_ON, init_on_free); EXPORT_SYMBOL(init_on_free); static bool _init_on_alloc_enabled_early __read_mostly diff --git a/mm/slab.h b/mm/slab.h index 076582f58f68..774c7221efdc 100644 --- a/mm/slab.h +++ b/mm/slab.h @@ -601,7 +601,8 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { } static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c) { - if (static_branch_unlikely(&init_on_alloc)) { + if (static_branch_maybe(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, + &init_on_alloc)) { if (c->ctor) return false; if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) @@ -613,7 +614,8 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c) static inline bool slab_want_init_on_free(struct kmem_cache *c) { - if (static_branch_unlikely(&init_on_free)) + if (static_branch_maybe(CONFIG_INIT_ON_FREE_DEFAULT_ON, + &init_on_free)) return !(c->ctor || (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))); return false; From patchwork Wed Mar 31 20:54:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176273 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DCB8C433B4 for ; Wed, 31 Mar 2021 20:57:57 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D279660BBB for ; Wed, 31 Mar 2021 20:57:56 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D279660BBB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Rrva2+tO7Q3iAqfifs1L4+2+GPWx2Zn/GZpKYzNFeUA=; b=CpJjiyo1BMoRRStXKg2c6bFZ9 SjTGaX6S5GciDzUgw2fTmkF9ZcmoPfgdwT45AP7sZ5SeejSr1am4yob0kJW1C1WIZhldO1FnJLVq4 b9thyIK5pbfMB7m5RDXitLe2GZx3sobWy9UryQRUL05pDnSGg2WC1j5LZlrjh7g/4E0Zhnbb+kyph nN4er4LEAw8WqvUNHrV9OKF68EAkAcFbwZfi/+XfQhaqRQH11+drtN9h0bHqWX+X1ITpn5MCRG9Z4 5mtJq32dH8pIf259fH6JCg0OFt/U+W6r5bQtIb0Ny5Cenqy8Cy7d3MRO/0I8yA/n/jwrDvGSIV9CU K99vK9iXQ==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhsu-007aSp-06; Wed, 31 Mar 2021 20:56:16 +0000 Received: from mail-pf1-x42a.google.com ([2607:f8b0:4864:20::42a]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhrn-007aFg-I5 for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:11 +0000 Received: by mail-pf1-x42a.google.com with SMTP id s11so9361448pfm.1 for ; Wed, 31 Mar 2021 13:55:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=RutUqpOitWCdbZalzYnzDPosoYLJFQ6+Y5v6HtBDvu0=; b=B0icO6/yr0dDynv9hwYddqBiGLIt4DcoWjQPT9PN9IVNWo5+YrUFU1WeIzvM6tjMWl xI9/tLr3SJTxoGy0LoVkSx4GmBCK9dEYvjO/4GFsV24/s+BQ8a3fuzACDbxJ0ysuR1iS dONWvqlOfOKYo301gzM1pl4xw5AEnhi9BQYmk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=RutUqpOitWCdbZalzYnzDPosoYLJFQ6+Y5v6HtBDvu0=; b=oAeAw6vuCZ2GTmrbjZkxot7IPNfrxte7MnmD/u7/J1KYvEkEKC66Pnlc/2uwCxpbjO R9xo7lQgm1ykiHqgtcrj1LQong2KmX1GW/Ys8W49g9/bJqHNRhSFrty5hrCmjxA5exbC Uyf8/0kuU/RdzyWMaPGVrbCq5lypM5to2IG7iLK8KAsEWLgBlQjgObs8c6ZTtQ8PTWIL C6d5KSbJ+g3mbD+hKFF4TfPURkDPk65PBt+vKbrFqVPNCbQEydguB9miGW4WqcH8fvlz 2y7ihChenXHhIvzGJQTvSMVQjwjr1iv+681A1FWvOtOJOXpxtpGBz/gY5bMsfo4ZE9dD Naqw== X-Gm-Message-State: AOAM532cvp0AWRXibBUYVzzjYWSDinn4A5fAd5pekU/W5cHQM44KFaMX 5Z9mgQ4C1M26ZyshDUS9Qz7AcQ== X-Google-Smtp-Source: ABdhPJx2woNfGLMLPxFC9P5ASMxdM3TYjhsPyIqCnjNnW6a+mvqs/KcpVAasrY1wtmZzYnEhSm4lMg== X-Received: by 2002:aa7:8f04:0:b029:1f7:d71b:6a51 with SMTP id x4-20020aa78f040000b02901f7d71b6a51mr4688718pfr.4.1617224105749; Wed, 31 Mar 2021 13:55:05 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id h19sm3225596pfc.172.2021.03.31.13.55.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:03 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Elena Reshetova , Thomas Gleixner , Catalin Marinas , Mark Rutland , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 3/6] stack: Optionally randomize kernel stack offset each syscall Date: Wed, 31 Mar 2021 13:54:55 -0700 Message-Id: <20210331205458.1871746-4-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=7dee8e580dc00790294e5ee00f7f28b6b5fbea41; i=R0fcIKmEUh8zot7Dpk8JcJdIeXVfXkVsg5oQI7Df8iY=; m=DpAISBt1P8rBqdsbU5gorkSdKBigCKStgTSYV1Mo6JQ=; p=mhC0jrFn+HYXfvIhHIo/0WcmsabsohrY2touYM9hldY= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aEACgkQiXL039xtwCYboA/9GIw UcynNMpQH11h3wtw3gx/xsdWpppdig69XDHDbn3JrQ8ZSAaVigwqEjUox/blySdc7pfLt79bza00U EWvwdisSblgOzT9qppKwfA7nIaU+9TJX2Mv0juKKlg3Xbx4AcVtnmfoMw+lsH0JGC1z5OAdkfisMT S9DdCs7HxkSA5Gbs3jgj+0QK3FzfSgAJqLC4yG4nYaOkeSusbCyrSJBL7oLPfUC0uVv9lDK4az6mH hYf7C5IUvr1dx4JisR+cYDuvBucn+kFhCv3nNs7reCe4SVwxb/3IAx8PiCNED5yRhF37mzQ43SR5J KM0gYvTwvBXWgo/qv1dlxd3aZ+CvL9y4BrUgvVWWuv6nN72uKJ3xl6Axzug27Iz9500NuZAD1DaXH JYp9n9V+j7uIZLQvKA6du4Vu15bVr57USm2UdfcZhjcE9e+f9x5NSLXBhNPridK+ymOltpbJPXcyJ eq4H8FrDXqjSiyzELpDxrXqfHLnS9z0QfAWSxbjanIbAzSbhNe1JnJANXXmQlNmDqMBXnYmPRm3p4 zZNeaWDKssrIvlT3Tl+V/I2s6L9fj2SRw+HC6aNYkS14iui65RCDhKYrrwxa2dbPCqIucwuOo85py d5IkdYfp5Sh9aYq4M0fZvi8UbAKao9YpIXTrvu3UK9zcdFBJUdLYkQv/L4fpo20w= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215507_814445_E1FFAE70 X-CRM114-Status: GOOD ( 38.90 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org This provides the ability for architectures to enable kernel stack base address offset randomization. This feature is controlled by the boot param "randomize_kstack_offset=on/off", with its default value set by CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT. This feature is based on the original idea from the last public release of PaX's RANDKSTACK feature: https://pax.grsecurity.net/docs/randkstack.txt All the credit for the original idea goes to the PaX team. Note that the design and implementation of this upstream randomize_kstack_offset feature differs greatly from the RANDKSTACK feature (see below). Reasoning for the feature: This feature aims to make harder the various stack-based attacks that rely on deterministic stack structure. We have had many such attacks in past (just to name few): https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf https://jon.oberheide.org/files/stackjacking-infiltrate11.pdf https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html As Linux kernel stack protections have been constantly improving (vmap-based stack allocation with guard pages, removal of thread_info, STACKLEAK), attackers have had to find new ways for their exploits to work. They have done so, continuing to rely on the kernel's stack determinism, in situations where VMAP_STACK and THREAD_INFO_IN_TASK_STRUCT were not relevant. For example, the following recent attacks would have been hampered if the stack offset was non-deterministic between syscalls: https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf (page 70: targeting the pt_regs copy with linear stack overflow) https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html (leaked stack address from one syscall as a target during next syscall) The main idea is that since the stack offset is randomized on each system call, it is harder for an attack to reliably land in any particular place on the thread stack, even with address exposures, as the stack base will change on the next syscall. Also, since randomization is performed after placing pt_regs, the ptrace-based approach[1] to discover the randomized offset during a long-running syscall should not be possible. Design description: During most of the kernel's execution, it runs on the "thread stack", which is pretty deterministic in its structure: it is fixed in size, and on every entry from userspace to kernel on a syscall the thread stack starts construction from an address fetched from the per-cpu cpu_current_top_of_stack variable. The first element to be pushed to the thread stack is the pt_regs struct that stores all required CPU registers and syscall parameters. Finally the specific syscall function is called, with the stack being used as the kernel executes the resulting request. The goal of randomize_kstack_offset feature is to add a random offset after the pt_regs has been pushed to the stack and before the rest of the thread stack is used during the syscall processing, and to change it every time a process issues a syscall. The source of randomness is currently architecture-defined (but x86 is using the low byte of rdtsc()). Future improvements for different entropy sources is possible, but out of scope for this patch. Further more, to add more unpredictability, new offsets are chosen at the end of syscalls (the timing of which should be less easy to measure from userspace than at syscall entry time), and stored in a per-CPU variable, so that the life of the value does not stay explicitly tied to a single task. As suggested by Andy Lutomirski, the offset is added using alloca() and an empty asm() statement with an output constraint, since it avoids changes to assembly syscall entry code, to the unwinder, and provides correct stack alignment as defined by the compiler. In order to make this available by default with zero performance impact for those that don't want it, it is boot-time selectable with static branches. This way, if the overhead is not wanted, it can just be left turned off with no performance impact. The generated assembly for x86_64 with GCC looks like this: ... ffffffff81003977: 65 8b 05 02 ea 00 7f mov %gs:0x7f00ea02(%rip),%eax # 12380 ffffffff8100397e: 25 ff 03 00 00 and $0x3ff,%eax ffffffff81003983: 48 83 c0 0f add $0xf,%rax ffffffff81003987: 25 f8 07 00 00 and $0x7f8,%eax ffffffff8100398c: 48 29 c4 sub %rax,%rsp ffffffff8100398f: 48 8d 44 24 0f lea 0xf(%rsp),%rax ffffffff81003994: 48 83 e0 f0 and $0xfffffffffffffff0,%rax ... As a result of the above stack alignment, this patch introduces about 5 bits of randomness after pt_regs is spilled to the thread stack on x86_64, and 6 bits on x86_32 (since its has 1 fewer bit required for stack alignment). The amount of entropy could be adjusted based on how much of the stack space we wish to trade for security. My measure of syscall performance overhead (on x86_64): lmbench: /usr/lib/lmbench/bin/x86_64-linux-gnu/lat_syscall -N 10000 null randomize_kstack_offset=y Simple syscall: 0.7082 microseconds randomize_kstack_offset=n Simple syscall: 0.7016 microseconds So, roughly 0.9% overhead growth for a no-op syscall, which is very manageable. And for people that don't want this, it's off by default. There are two gotchas with using the alloca() trick. First, compilers that have Stack Clash protection (-fstack-clash-protection) enabled by default (e.g. Ubuntu[3]) add pagesize stack probes to any dynamic stack allocations. While the randomization offset is always less than a page, the resulting assembly would still contain (unreachable!) probing routines, bloating the resulting assembly. To avoid this, -fno-stack-clash-protection is unconditionally added to the kernel Makefile since this is the only dynamic stack allocation in the kernel (now that VLAs have been removed) and it is provably safe from Stack Clash style attacks. The second gotcha with alloca() is a negative interaction with -fstack-protector*, in that it sees the alloca() as an array allocation, which triggers the unconditional addition of the stack canary function pre/post-amble which slows down syscalls regardless of the static branch. In order to avoid adding this unneeded check and its associated performance impact, architectures need to carefully remove uses of -fstack-protector-strong (or -fstack-protector) in the compilation units that use the add_random_kstack() macro and to audit the resulting stack mitigation coverage (to make sure no desired coverage disappears). No change is visible for this on x86 because the stack protector is already unconditionally disabled for the compilation unit, but the change is required on arm64. There is, unfortunately, no attribute that can be used to disable stack protector for specific functions. Comparison to PaX RANDKSTACK feature: The RANDKSTACK feature randomizes the location of the stack start (cpu_current_top_of_stack), i.e. including the location of pt_regs structure itself on the stack. Initially this patch followed the same approach, but during the recent discussions[2], it has been determined to be of a little value since, if ptrace functionality is available for an attacker, they can use PTRACE_PEEKUSR/PTRACE_POKEUSR to read/write different offsets in the pt_regs struct, observe the cache behavior of the pt_regs accesses, and figure out the random stack offset. Another difference is that the random offset is stored in a per-cpu variable, rather than having it be per-thread. As a result, these implementations differ a fair bit in their implementation details and results, though obviously the intent is similar. [1] https://lore.kernel.org/kernel-hardening/2236FBA76BA1254E88B949DDB74E612BA4BC57C1@IRSMSX102.ger.corp.intel.com/ [2] https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/ [3] https://lists.ubuntu.com/archives/ubuntu-devel/2019-June/040741.html Co-developed-by: Elena Reshetova Signed-off-by: Elena Reshetova Link: https://lore.kernel.org/r/20190415060918.3766-1-elena.reshetova@intel.com Reviewed-by: Thomas Gleixner Link: https://lore.kernel.org/lkml/87im5769op.ffs@nanos.tec.linutronix.de/ Signed-off-by: Kees Cook --- .../admin-guide/kernel-parameters.txt | 11 ++++ Makefile | 4 ++ arch/Kconfig | 23 ++++++++ include/linux/randomize_kstack.h | 54 +++++++++++++++++++ init/main.c | 23 ++++++++ 5 files changed, 115 insertions(+) create mode 100644 include/linux/randomize_kstack.h diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 04545725f187..bee8644a192e 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4061,6 +4061,17 @@ fully seed the kernel's CRNG. Default is controlled by CONFIG_RANDOM_TRUST_CPU. + randomize_kstack_offset= + [KNL] Enable or disable kernel stack offset + randomization, which provides roughly 5 bits of + entropy, frustrating memory corruption attacks + that depend on stack address determinism or + cross-syscall address exposures. This is only + available on architectures that have defined + CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET. + Format: (1/Y/y=enable, 0/N/n=disable) + Default is CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT. + ras=option[,option,...] [KNL] RAS-specific options cec_disable [X86] diff --git a/Makefile b/Makefile index 31dcdb3d61fa..8a959a264588 100644 --- a/Makefile +++ b/Makefile @@ -811,6 +811,10 @@ KBUILD_CFLAGS += -ftrivial-auto-var-init=zero KBUILD_CFLAGS += -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang endif +# While VLAs have been removed, GCC produces unreachable stack probes +# for the randomize_kstack_offset feature. Disable it for all compilers. +KBUILD_CFLAGS += $(call cc-option, -fno-stack-clash-protection) + DEBUG_CFLAGS := # Workaround for GCC versions < 5.0 diff --git a/arch/Kconfig b/arch/Kconfig index 2bb30673d8e6..4fe6b047fcbc 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -1055,6 +1055,29 @@ config VMAP_STACK backing virtual mappings with real shadow memory, and KASAN_VMALLOC must be enabled. +config HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET + def_bool n + help + An arch should select this symbol if it can support kernel stack + offset randomization with calls to add_random_kstack_offset() + during syscall entry and choose_random_kstack_offset() during + syscall exit. Careful removal of -fstack-protector-strong and + -fstack-protector should also be applied to the entry code and + closely examined, as the artificial stack bump looks like an array + to the compiler, so it will attempt to add canary checks regardless + of the static branch state. + +config RANDOMIZE_KSTACK_OFFSET_DEFAULT + bool "Randomize kernel stack offset on syscall entry" + depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET + help + The kernel stack offset can be randomized (after pt_regs) by + roughly 5 bits of entropy, frustrating memory corruption + attacks that depend on stack address determinism or + cross-syscall address exposures. This feature is controlled + by kernel boot param "randomize_kstack_offset=on/off", and this + config chooses the default boot state. + config ARCH_OPTIONAL_KERNEL_RWX def_bool n diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h new file mode 100644 index 000000000000..0452e0063cb1 --- /dev/null +++ b/include/linux/randomize_kstack.h @@ -0,0 +1,54 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef _LINUX_RANDOMIZE_KSTACK_H +#define _LINUX_RANDOMIZE_KSTACK_H + +#include +#include +#include + +DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, + randomize_kstack_offset); +DECLARE_PER_CPU(u32, kstack_offset); + +/* + * Do not use this anywhere else in the kernel. This is used here because + * it provides an arch-agnostic way to grow the stack with correct + * alignment. Also, since this use is being explicitly masked to a max of + * 10 bits, stack-clash style attacks are unlikely. For more details see + * "VLAs" in Documentation/process/deprecated.rst + */ +void *__builtin_alloca(size_t size); +/* + * Use, at most, 10 bits of entropy. We explicitly cap this to keep the + * "VLA" from being unbounded (see above). 10 bits leaves enough room for + * per-arch offset masks to reduce entropy (by removing higher bits, since + * high entropy may overly constrain usable stack space), and for + * compiler/arch-specific stack alignment to remove the lower bits. + */ +#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF) + +/* + * These macros must be used during syscall entry when interrupts and + * preempt are disabled, and after user registers have been stored to + * the stack. + */ +#define add_random_kstack_offset() do { \ + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ + &randomize_kstack_offset)) { \ + u32 offset = __this_cpu_read(kstack_offset); \ + u8 *ptr = __builtin_alloca(KSTACK_OFFSET_MAX(offset)); \ + /* Keep allocation even after "ptr" loses scope. */ \ + asm volatile("" : "=m"(*ptr) :: "memory"); \ + } \ +} while (0) + +#define choose_random_kstack_offset(rand) do { \ + if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ + &randomize_kstack_offset)) { \ + u32 offset = __this_cpu_read(kstack_offset); \ + offset ^= (rand); \ + __this_cpu_write(kstack_offset, offset); \ + } \ +} while (0) + +#endif diff --git a/init/main.c b/init/main.c index 53b278845b88..f498aac26e8c 100644 --- a/init/main.c +++ b/init/main.c @@ -844,6 +844,29 @@ static void __init mm_init(void) pti_init(); } +#ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET +DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, + randomize_kstack_offset); +DEFINE_PER_CPU(u32, kstack_offset); + +static int __init early_randomize_kstack_offset(char *buf) +{ + int ret; + bool bool_result; + + ret = kstrtobool(buf, &bool_result); + if (ret) + return ret; + + if (bool_result) + static_branch_enable(&randomize_kstack_offset); + else + static_branch_disable(&randomize_kstack_offset); + return 0; +} +early_param("randomize_kstack_offset", early_randomize_kstack_offset); +#endif + void __init __weak arch_call_rest_init(void) { rest_init(); From patchwork Wed Mar 31 20:54:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176271 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28BC6C433ED for ; Wed, 31 Mar 2021 20:57:55 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B5A3E61073 for ; Wed, 31 Mar 2021 20:57:54 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B5A3E61073 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=RyEvf3SkY1LPBADhleEG8PWA2xFXP16i/TeFexol/H8=; b=NcCtuZmueApP13+pDkT6CUGkd DNF/OwNpfYnQ7m4oFbvPwiiy8YrwfpLmICLR3dVO0eUs6ixGkWGt5wdyEDgZesN2tuBf3X9RB8JE+ jXcppQ3igZQw/AZOWGTAPNeyICuFLW+DA5dTwIXQWswS9fqx5sf8a0Hn6BL55CSTHNmEERn5VUdFq DFURcyf2p/iZoiKuNvdmbf3GuSM+woUS59TnASPkUHsHCg98trNLKRdd/VAnbjEoE7puYx2fsPGrB TX9HF8vqcjWo2wWXYo0E/kCTBbYn301Tc1ZucXgjnyfDF6yl5NbjXdxTO0VbK5G5RxD6JgHpvnZwR bpssN+XyQ==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhsO-007aMH-Ff; Wed, 31 Mar 2021 20:55:44 +0000 Received: from mail-pg1-x532.google.com ([2607:f8b0:4864:20::532]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhrl-007aF1-QV for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:10 +0000 Received: by mail-pg1-x532.google.com with SMTP id q10so174506pgj.2 for ; Wed, 31 Mar 2021 13:55:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=0iK0aKBdGLAGxgJdxBWHAkXtURWP8RQAHBQ4WEZMvwk=; b=O80I1qRYFis0QEP2XfUi5QmuwGvSB90DuMFYs9l/lstne+luBWTsr65uJ62iLDCgv2 slT5RMDoy14coCsVm1pHTpe+LvkqhM8T5sK8yGxUIM5tCxXx5gKEqrkRknY6Ui9TtY6D 6ZCgKdoapWBzd5Qw1n0MUItuc+10q7uZ3o07E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=0iK0aKBdGLAGxgJdxBWHAkXtURWP8RQAHBQ4WEZMvwk=; b=e84WyDOro2eOIIV8ygo5iWthKELWh9ClPldNx/1v99imhy4Xwh8ezRXswK48l/b1cx fSy2jm1+ypDmJNpAa8s+NOY06TNrk1YJeqcojWvJKF/qgIUdG6tQ0zcUWluTOQ3GHtKj LUUxGc149hn1d0RdJZPaiyIydEF4JqvVtg/Xbuys1GAdlCps8Eo78UJ9xUYGoTljMOfj 7Ekc7rO5tKR7CNet4f2RH+qZjyVspWvhxCcKVmwmHGzqJexs6epu6M19UIhjuu+Vlaww NjnN+22HmzMRNXJuIb6PX4EUtrjGnUOdGME+KjjisfvbhDGc+Hi7yruLXm0YWrKq3W/2 fJmg== X-Gm-Message-State: AOAM532NHVJ7A+lAlSdFWfyPOoHgEFdgfmV6YzPRhzhK9VjIrsEvT+tV Sx6azdQDGMYBb73b3goNhdT+hA== X-Google-Smtp-Source: ABdhPJy8vrry5ttMzKtGDoFD4UGzGkIgQ46HazQu3/ypW9VQBUTkwCwIZh5vDLTDD+4pzAECjftiKQ== X-Received: by 2002:a63:3189:: with SMTP id x131mr4749147pgx.430.1617224104389; Wed, 31 Mar 2021 13:55:04 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u2sm2931157pfn.79.2021.03.31.13.55.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:03 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Thomas Gleixner , Catalin Marinas , Mark Rutland , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 4/6] x86/entry: Enable random_kstack_offset support Date: Wed, 31 Mar 2021 13:54:56 -0700 Message-Id: <20210331205458.1871746-5-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=5ebd0a02df09ef237ee07421c9f73e94deeaf170; i=np7yed3mY+gWIWkexmB7CyDLgwsIh0xV2RGaksJc7tI=; m=bWJ56lJBn9Ma2AQu8aultasTTfx/BX5M5azaoQbfD3I=; p=EuIQlileJ2PUD6W0Q1r2arSRAFiVT/zqDgDnM3BVsdE= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aEACgkQiXL039xtwCZkNw//ZTC fulpMgUjuNgWy175nCejv7Wc89iNO7mwv3oe49PsJk3vxYrWhFCzNOqf8ugoiiSnKu9xRfG055szr UXVKBUlLHqnL0THQdqUL0ddQfXlt9q+qB68ymd9qG4ozNFG+yVPz5th3h7aSW0hgyCacAMpXUvYKL budGVJ8v+36mCTXk3+dvvge1jnAgXjE7koaMPJkT3FxUguHBgTDk0n60AJRpx4ueCx2agaQHrAigc w/E85CFRqmIoi34OyugPauXjPC9DgZqF3shzlNMc99j/6U/oqbiobU+u28MxNfMp92jo4Z9PoTuQM KeGS1zD6W40vE23+559E33uXQJyxe0594UmI9IhCcZlfSr+GJZYZ3aomxbLzoE8PWnetURa/qcQqQ igXIreq2mYRANLWPzBngbej6MeeLuwZ7AhMH+Xm49u3BkfJ/FKCVJkt5wDVQdBxu7PKENX7PxqmpQ FYA/x6zEIqHLrpGmScdyMqQXNO3roTcfGVxuFDS0Jds966MFfHZVkMmdcVk6YW81QK3QbrG+sNmDe fWHwhj0lHritR6K8xFwdp4VSgaxu0/ZOJGkiy8Ub4MhvPPBSE1admRVA7qfTlp4qu+39FgZGXNn8/ fHFWWBa6bbCIPGOj20ah77DM3+KXW+tWp0OpwhIpaRpAyinptUfyu7artSSMI3RQ= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215506_990470_3B2C9E2D X-CRM114-Status: GOOD ( 18.06 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Allow for a randomized stack offset on a per-syscall basis, with roughly 5-6 bits of entropy, depending on compiler and word size. Since the method of offsetting uses macros, this cannot live in the common entry code (the stack offset needs to be retained for the life of the syscall, which means it needs to happen at the actual entry point). Reviewed-by: Thomas Gleixner Link: https://lore.kernel.org/lkml/87lfa369tv.ffs@nanos.tec.linutronix.de/ Signed-off-by: Kees Cook --- arch/x86/Kconfig | 1 + arch/x86/entry/common.c | 3 +++ arch/x86/include/asm/entry-common.h | 16 ++++++++++++++++ 3 files changed, 20 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 2792879d398e..4b4ad8ec10d2 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -165,6 +165,7 @@ config X86 select HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD if X86_64 select HAVE_ARCH_USERFAULTFD_WP if X86_64 && USERFAULTFD select HAVE_ARCH_VMAP_STACK if X86_64 + select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET select HAVE_ARCH_WITHIN_STACK_FRAMES select HAVE_ASM_MODVERSIONS select HAVE_CMPXCHG_DOUBLE diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index a2433ae8a65e..810983d7c26f 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -38,6 +38,7 @@ #ifdef CONFIG_X86_64 __visible noinstr void do_syscall_64(unsigned long nr, struct pt_regs *regs) { + add_random_kstack_offset(); nr = syscall_enter_from_user_mode(regs, nr); instrumentation_begin(); @@ -83,6 +84,7 @@ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) { unsigned int nr = syscall_32_enter(regs); + add_random_kstack_offset(); /* * Subtlety here: if ptrace pokes something larger than 2^32-1 into * orig_ax, the unsigned int return value truncates it. This may @@ -102,6 +104,7 @@ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs) unsigned int nr = syscall_32_enter(regs); int res; + add_random_kstack_offset(); /* * This cannot use syscall_enter_from_user_mode() as it has to * fetch EBP before invoking any of the syscall entry work diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h index 2b87b191b3b8..14ebd2196569 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -2,6 +2,7 @@ #ifndef _ASM_X86_ENTRY_COMMON_H #define _ASM_X86_ENTRY_COMMON_H +#include #include #include @@ -70,6 +71,21 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs, */ current_thread_info()->status &= ~(TS_COMPAT | TS_I386_REGS_POKED); #endif + + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), + * but not enough for x86 stack utilization comfort. To keep + * reasonable stack head room, reduce the maximum offset to 8 bits. + * + * The actual entropy will be further reduced by the compiler when + * applying stack alignment constraints (see cc_stack_align4/8 in + * arch/x86/Makefile), which will remove the 3 (x86_64) or 2 (ia32) + * low bits from any entropy chosen here. + * + * Therefore, final stack offset entropy will be 5 (x86_64) or + * 6 (ia32) bits. + */ + choose_random_kstack_offset(rdtsc() & 0xFF); } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare From patchwork Wed Mar 31 20:54:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176305 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB1BBC433ED for ; Wed, 31 Mar 2021 20:58:24 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 25B0C60FF3 for ; Wed, 31 Mar 2021 20:58:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 25B0C60FF3 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=NgOf3MljYkU3dCVV3030DKNRI5l7vxPIbjWZQc9TU1c=; b=ZMjGflrrem9b+8KjgLMIsMSO+ bS9PB4dZbRLBzlcPx/5iC7sDXJQ2ZmgKbjOz5RK1LEh2NlblcvMNxTw80ggWqbpbkzKX0bXBj/Caw a88kOBOr/fMa6S2w8VKfK4fr39Ljm2tQVrFWj8c2A8Onfi8McdyLAyewQMIplO36Emd/PctMWVWjN R0omOb3DQT2PkTPivpdj/fXYz9z5+HTRkWwOSk0kBepljh2wUyBVO3+2JsvIvz5+nu5fe6amcsbPn P71cdJvqlV9yHtxK4BWhmiCa9WRrBZ0fert4UFMlOz7PGB+1hXIVUsaAeMrsZx6WcChyOIe/5dpIy rikrvyVSg==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhtE-007aYN-8W; Wed, 31 Mar 2021 20:56:36 +0000 Received: from mail-pj1-x1031.google.com ([2607:f8b0:4864:20::1031]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhrp-007aGu-EG for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:13 +0000 Received: by mail-pj1-x1031.google.com with SMTP id s21so10172302pjq.1 for ; Wed, 31 Mar 2021 13:55:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=dHwr6OVFfk7s7Yw8a90FyZmnLv02IEGSs6EhbG8UN8M=; b=gB9GGvNMPcPCjkKE6OWQgvLC37uUT4Z7LoJrr3lFosvD/AiGL7SG40QJN9QweDNYhs JJDRszWl5pu8J6qeT4zOqWIUIgxw890IJtSF0gAlvXAY/PKHr2fuIV4GAiM2BkHWXK+w fofEGeEHSH8JfszSnSky7cV9zxSCI1nmFtsAg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=dHwr6OVFfk7s7Yw8a90FyZmnLv02IEGSs6EhbG8UN8M=; b=a3ufLV2ue+ASElpkh0uxXJc/etk52bqwoKl81bHwP/8+ziuL7+ZfFzlO7/g1oSGZ7b ql8ReZEJ6LmNJ5cBkO4m8XS82NLH90G+/O37GFBqA8Z8e+J1LrC6SosQHa4DPigEZJbY obQQJmN+LFx1Fw/OdCw1IVUI1UzkyPN62FsSWUGQXablKCipsdqBgXfHMeVd2Q7XacQt S/t5noY4CHRCAIZ115sCipL/urKohffxMh/zk3UtVhysnqIIk42PssWvFrvfx4Nm5rNp 4BrajYObjR9Ys6KH5e0POpoWXq2f4S2p84VTISuNJUhiVj9sb+2NhnsEGVktlzIWsRUk 8kFQ== X-Gm-Message-State: AOAM5317nPHJ+sl+Eo10Y8ZM7VMOucDdK4XxieOM9u2sTd6GlcXHJuPu Fd7hqfFqSN5MVca8MnSK7CJk+w== X-Google-Smtp-Source: ABdhPJxQBkc1cS4++h7xQKjJpQz0b/qfsdGLu2VaFaj0TWROyDXRT34yURtIu2bG8Gko7MEMrVIMtg== X-Received: by 2002:a17:90a:c7d5:: with SMTP id gf21mr5105027pjb.165.1617224108053; Wed, 31 Mar 2021 13:55:08 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id r22sm3668971pgu.81.2021.03.31.13.55.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:06 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Catalin Marinas , Mark Rutland , Thomas Gleixner , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 5/6] arm64: entry: Enable random_kstack_offset support Date: Wed, 31 Mar 2021 13:54:57 -0700 Message-Id: <20210331205458.1871746-6-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=248270d6e87ad6ffcee20e448a3bbf6614f92c8d; i=6FjHrMJQ1a03WxuPiMt8aIK5MW/T0bayLG0SuUm7Wt4=; m=DW/OKOjAEidoxl6ODEV6zN0c7U/uCvK1t/uZsIkKPaM=; p=nb+ZCQAESoMtgqRKEEjn/wowCv7zZGeRTSUAEFbjSEQ= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aIACgkQiXL039xtwCbuGA//cnl or0wGJsp9zuuu7RUVPT168DY9SeI2dBagE9tma2ABm5wKRMiTBRSF+AthahdmPBTMkwV5LCbGamCr rws3ZQI16Npw5X61hBS2x7rPhnOrdoYfZPQiAg9izOOE0sgBjJ/959nkYC3vZ6mRH0Tv+iYDnKS6U 9qZlwGAFYgvRnpxFvMNrW9eyg2GWw1ApC0Tm34B2Y0BaWM3qGcNe3b7Y0CfUMONpBbIZsonheV89x 1Ls1vPQ9eNMw5ZQQKaLQtn4gNi+TYn3m7qQqplCS0eBN1L7HGIWNCXt9HRlGx9JKTd1GEPejgVkIp PQ1xKhgZtalvCJOl2fU6fST4AONY1R8psbP7GXXPxA9KbakgES0a/gylA6oVJSROb4Rc1rvaprQuz gyoCFsXyEWwoc5JQaORNm0lcFK6W9LLTCYTCkrgVXLd9PXDS6GDdt93Ut2ElKxuXvIpN65GD9dQKH gOnXVftWsBKautWUwzhjzS9mAzPi/4U24IePUs4ceOJCUASTg6767peFoQZzDHnnIu5tXeNzoEuBR GGcRHeGlNeoFZ0h8wc+hZZ1V0fwyHSPIu/GhO2TMmCyawkZ1mh67DRon3XLHts17uBS/1+5gEulCY mHH0WI/FkNXh8RbbBzxVQU6kehaG10ehhKLOSC0oH+vTq1kLpE+9paBMT6slvyRg= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215510_903783_13D84FAB X-CRM114-Status: GOOD ( 19.66 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Allow for a randomized stack offset on a per-syscall basis, with roughly 5 bits of entropy. (And include AAPCS rationale AAPCS thanks to Mark Rutland.) In order to avoid unconditional stack canaries on syscall entry (due to the use of alloca()), also disable stack protector to avoid triggering needless checks and slowing down the entry path. As there is no general way to control stack protector coverage with a function attribute[1], this must be disabled at the compilation unit level. This isn't a problem here, though, since stack protector was not triggered before: examining the resulting syscall.o, there are no changes in canary coverage (none before, none now). [1] a working __attribute__((no_stack_protector)) has been added to GCC and Clang but has not been released in any version yet: https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=346b302d09c1e6db56d9fe69048acb32fbb97845 https://reviews.llvm.org/rG4fbf84c1732fca596ad1d6e96015e19760eb8a9b Signed-off-by: Kees Cook --- arch/arm64/Kconfig | 1 + arch/arm64/kernel/Makefile | 5 +++++ arch/arm64/kernel/syscall.c | 16 ++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 1f212b47a48a..2d0e5f544429 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -146,6 +146,7 @@ config ARM64 select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT select HAVE_ARCH_PFN_VALID select HAVE_ARCH_PREL32_RELOCATIONS + select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_STACKLEAK select HAVE_ARCH_THREAD_STRUCT_WHITELIST diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index ed65576ce710..6cc97730790e 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -9,6 +9,11 @@ CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTRACE) CFLAGS_REMOVE_insn.o = $(CC_FLAGS_FTRACE) CFLAGS_REMOVE_return_address.o = $(CC_FLAGS_FTRACE) +# Remove stack protector to avoid triggering unneeded stack canary +# checks due to randomize_kstack_offset. +CFLAGS_REMOVE_syscall.o = -fstack-protector -fstack-protector-strong +CFLAGS_syscall.o += -fno-stack-protector + # Object file lists. obj-y := debug-monitors.o entry.o irq.o fpsimd.o \ entry-common.o entry-fpsimd.o process.o ptrace.o \ diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c index b9cf12b271d7..263d6c1a525f 100644 --- a/arch/arm64/kernel/syscall.c +++ b/arch/arm64/kernel/syscall.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -43,6 +44,8 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno, { long ret; + add_random_kstack_offset(); + if (scno < sc_nr) { syscall_fn_t syscall_fn; syscall_fn = syscall_table[array_index_nospec(scno, sc_nr)]; @@ -55,6 +58,19 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno, ret = lower_32_bits(ret); regs->regs[0] = ret; + + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), + * but not enough for arm64 stack utilization comfort. To keep + * reasonable stack head room, reduce the maximum offset to 9 bits. + * + * The actual entropy will be further reduced by the compiler when + * applying stack alignment constraints: the AAPCS mandates a + * 16-byte (i.e. 4-bit) aligned SP at function boundaries. + * + * The resulting 5 bits of entropy is seen in SP[8:4]. + */ + choose_random_kstack_offset(get_random_int() & 0x1FF); } static inline bool has_syscall_work(unsigned long flags) From patchwork Wed Mar 31 20:54:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12176269 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D274FC433ED for ; Wed, 31 Mar 2021 20:57:34 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 69BEA60BBB for ; Wed, 31 Mar 2021 20:57:34 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 69BEA60BBB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=/WanJRRO8OqtRhLSUCFjqjBWG5B+K2n3VxFvDWm09Vc=; b=RHFklKrB+mwMWRcTUCAwpCX5s EWm72Pmk+PNgb121tDs2rOLjQKESNdRG8jGiznMEA3q5ZCBRJs9Tlh/ZBnmQnuhbaWsx6eKXmv46I wqkiFACKFSWLAqurZ5NgWX4XmvToTKcGZ4+ahiejKF7PzjmVHGHAYJPbCM0gDGP7g45r9cYL88jcN tLGVzxpis8bkgMUqOBjW0LIIqnFNhVdteujzdJ7sV8gseek1/Lu9ZkrgwUCr0tybU5Puq2WjbKHb1 QroLWDiB9cJxiFEEL3q1lJM0Ua6abBCoZvLrVJshUrG/D1IMp9GJeUaiypH8LoyBGNkicGqNdvUZB t3Bgxe6Pg==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lRhsD-007aK6-06; Wed, 31 Mar 2021 20:55:33 +0000 Received: from mail-pf1-x433.google.com ([2607:f8b0:4864:20::433]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lRhro-007aFs-3K for linux-arm-kernel@lists.infradead.org; Wed, 31 Mar 2021 20:55:10 +0000 Received: by mail-pf1-x433.google.com with SMTP id x126so15385562pfc.13 for ; Wed, 31 Mar 2021 13:55:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=uk0/1LocoDticB91SF6FsgWpOKPsEr1Pb6N+E6L28KI=; b=nMBirdlJwaYEBDE8wICv0IcZbYumBG5x88i0jDmsPtEGCWerkbUkn/zXjtlou+AAnB CdCWfgp1k4EvjGaJ2pw+8HaBQeHDD+DkwHQbkP6CfxrFShjNk6a9uKNXN3ySmAr3ly/v g28hvtAPNP3f2K6+JoZ04rIfIXHvlInu+TnD0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=uk0/1LocoDticB91SF6FsgWpOKPsEr1Pb6N+E6L28KI=; b=XMqAIaKQqUvTw3pq1vGIIwOwhOtlMRftp4SrWsQ6QgodBd3ljSekC11WOCykmv3cam ikTUolymUCvWSqo4jl/EZwcWFGKknJ5tRPC3m+DbJpNUmXwGePPHklthrLgUr/9uGyB5 lmsDNFrgfDdmBBGZBLw9bSjjW10ytw60BeL6r4iR4vy96u5guTrviRx3WJlnqsomsWNM yxNxjzVW6FkAap7990ZWMDtnod86rASjCK6FwEfamIYcq3oMoFmBxCc5bz6QSr7r4u3c 2zHCsJ9zfVrxzq9ieHAiPoL45QrR8BpisNOK3Z19RdPVHwSmgeIi7yMnCYVqGQRj7h02 NTGA== X-Gm-Message-State: AOAM5326ZytBC78eKWo35uWhCUWXuLYgr9jcYn6rgMrR806/laKlI83q LzdL3YR9yPCn/GhFP+djy1ooOQ== X-Google-Smtp-Source: ABdhPJxuZ4BQCPoxOylqJ3K76DbwLF1JG4WceF9FhoFaFhbPpIbgQh3MG6jfYpIbOhAacKq366q+2w== X-Received: by 2002:a63:4d0:: with SMTP id 199mr4929010pge.304.1617224106706; Wed, 31 Mar 2021 13:55:06 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id k3sm3300550pgq.21.2021.03.31.13.55.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 13:55:06 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Catalin Marinas , Mark Rutland , Thomas Gleixner , Elena Reshetova , x86@kernel.org, Andy Lutomirski , Peter Zijlstra , Alexander Potapenko , Alexander Popov , Ard Biesheuvel , Jann Horn , Vlastimil Babka , David Hildenbrand , Mike Rapoport , Andrew Morton , Jonathan Corbet , Randy Dunlap , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v9 6/6] lkdtm: Add REPORT_STACK for checking stack offsets Date: Wed, 31 Mar 2021 13:54:58 -0700 Message-Id: <20210331205458.1871746-7-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210331205458.1871746-1-keescook@chromium.org> References: <20210331205458.1871746-1-keescook@chromium.org> MIME-Version: 1.0 X-Patch-Hashes: v=1; h=sha256; g=fb815901a1ccc1d9c4ca5c3e3cd3729b7f382fe2; i=b69wRsxT78r/3tM1mGa7N6ME6+rlXyFg15giRWRwPAQ=; m=aFqgiEE+nAZdug79A1F+fVTg9ZceUb0WPE8cbHqssVg=; p=ZQ32/kILkW5AD3nBZHO0VMTp4prIPkm7+DdhCHX8KdA= X-Patch-Sig: m=pgp; i=keescook@chromium.org; s=0x0x8972F4DFDC6DC026; b=iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmBk4aIACgkQiXL039xtwCbSHQ/9GzS gwvyLm8xntGCfjZejzEAhSquCH/XGhwif40B/hY9NAzXrbKiOwzU378qbpWgxBePgTlGb3sKLB76C BHzMBpf5qbdOAWFHSbdkoLA6VoZ1Kc3Dv9lcZSpDekbhvjLhR4V2Up7yRhqEThy93+6AVcwGzBeac 6QWH01G3TAAqKsFLpV9ZjQOFxfS/obFaV/xK3RDHbKoY2jf6sGJnK2Y9hxRZMfyEnp2BFg0kdKSUr 0z5xDyHM3Xb+7TwBGwqGzP+TwPUBrXWtXKAjslca0S4ZQE/HBo8zsilyPvfhCl2T+esWB9qNJZbtx F6wRFNO6xcNLkF9VMP+8KyI2ikBpFMuEDmouAY3QkyENQiacPe4k9q5vDMvoe3EU/3NbOlJaO/0pw zbKdqFzN5b1HaJ3rgpeElBRbDH+CwqFTApO1mqZoi7KDqHaTym70Phz2P6Sovw36ctUn239DBf3Oi pEGi7NduC0vXBzrKcsFkivSl3imbBCo8t+qK+Ah4Nauc16qTQzMXY/twnQTuci/QVKWeq2BFnxBRK aOqgMXU7IVl7fXQL3QqIPaOez0kfnckLCHLNHqYEqVW1Zzgv+3gmrg12l5NAMYP2S2yWkU60izEcP dZeEdUXsNKOPqT0E3QzWksz9tPpec3mAH42JwcVawRfuRleF4XoNyiqWIrkXk9is= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210331_215508_222361_B364A87A X-CRM114-Status: GOOD ( 15.33 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org For validating the stack offset behavior, report the offset from a given process's first seen stack address. A quick way to measure the entropy: for i in $(seq 1 1000); do echo "REPORT_STACK" >/sys/kernel/debug/provoke-crash/DIRECT done offsets=$(dmesg | grep 'Stack offset' | cut -d: -f3 | sort | uniq -c | sort -n | wc -l) echo "$(uname -m) bits of stack entropy: $(echo "obase=2; $offsets" | bc | wc -L)" Signed-off-by: Kees Cook --- drivers/misc/lkdtm/bugs.c | 17 +++++++++++++++++ drivers/misc/lkdtm/core.c | 1 + drivers/misc/lkdtm/lkdtm.h | 1 + 3 files changed, 19 insertions(+) diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index 110f5a8538e9..0e8254d0cf0b 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -134,6 +134,23 @@ noinline void lkdtm_CORRUPT_STACK_STRONG(void) __lkdtm_CORRUPT_STACK((void *)&data); } +static pid_t stack_pid; +static unsigned long stack_addr; + +void lkdtm_REPORT_STACK(void) +{ + volatile uintptr_t magic; + pid_t pid = task_pid_nr(current); + + if (pid != stack_pid) { + pr_info("Starting stack offset tracking for pid %d\n", pid); + stack_pid = pid; + stack_addr = (uintptr_t)&magic; + } + + pr_info("Stack offset: %d\n", (int)(stack_addr - (uintptr_t)&magic)); +} + void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void) { static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5}; diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index b2aff4d87c01..8024b6a5cc7f 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -110,6 +110,7 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(EXHAUST_STACK), CRASHTYPE(CORRUPT_STACK), CRASHTYPE(CORRUPT_STACK_STRONG), + CRASHTYPE(REPORT_STACK), CRASHTYPE(CORRUPT_LIST_ADD), CRASHTYPE(CORRUPT_LIST_DEL), CRASHTYPE(STACK_GUARD_PAGE_LEADING), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 5ae48c64df24..99f90d3e5e9c 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -17,6 +17,7 @@ void lkdtm_LOOP(void); void lkdtm_EXHAUST_STACK(void); void lkdtm_CORRUPT_STACK(void); void lkdtm_CORRUPT_STACK_STRONG(void); +void lkdtm_REPORT_STACK(void); void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void); void lkdtm_SOFTLOCKUP(void); void lkdtm_HARDLOCKUP(void);