From patchwork Wed Jun 19 21:47:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13704617 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 19269C2BA1A for ; Wed, 19 Jun 2024 21:47:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=1Vj/g6zfiSPNDgW+N1VCo3HuRqYiU5+104qZ3WEsaHk=; b=ogddSGG40fU+GJ IyvyktA31CrMmvjafY5xufIjE+t3IremGHllendceriVJvh1uP89XNBAzNq7CboaumUJ/StidjrcO aJJsovpNyN6eoDR7m2IESE1Sahqi6vDDBYrEd1qU5/pWe/wtqzY9D5vwXI0rQhZd4iBXcWKjHC/wP ziN/sKRohfw/uANK0DCYOz6AjdM21//JMr1xn3TOJQMD6F681xz/faqxb7hqCKNE7L9qYqcr/pJXB h1DtMg7xt6z3H3y+/2rVfaRPBeRFyzzfy2JxxS/1dVZqOjeOp0RlkPdhp17WpuqWMGKd/gcLL72rJ +loOUZ32Fn+TPlob89Qg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1sK39I-00000002o8C-0AZ2; Wed, 19 Jun 2024 21:47:24 +0000 Received: from dfw.source.kernel.org ([139.178.84.217]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1sK39E-00000002o6c-1Dv2; Wed, 19 Jun 2024 21:47:21 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 56C3C61FFF; Wed, 19 Jun 2024 21:47:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ECD0BC2BBFC; Wed, 19 Jun 2024 21:47:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1718833639; bh=3fzkEaKVOM0rPfJQM/UHilxDpBmn0DVx7ju0tzyEiz8=; h=From:To:Cc:Subject:Date:From; b=LXuPV0mIsBj2qUfpSxvieqd06Fz6R5VdBEik7h7WormVirKGrCPB2ZUVJZNgKOXZA WTcfhM3u2a3vjFG6BmIZTXy9j7E25BAIAvkt80G6FC+wu7cAhi8ltsLTAl1Bmi0NJt CQ9NNWHxXODJsY9JrLmUmdJSpPHPgiLPMB42YvNFrzGVS8cHVSGAoIhfGwMlO4tf4a YO3aKsG5EFsGmqB4QVPVdD09eSEErHDASmB2N1CtgIO3JhDBgy+M/gWrLmA3q6rv0N eByLm+/iLxS6CsbuPHP0NcCRlAc4avSe05qczj4RiEOYtG/YNEd7WVJZ1A+quYOUTx yYoPy/jOLBfMw== From: Kees Cook To: Arnd Bergmann Cc: Kees Cook , Yuntao Liu , Mark Rutland , Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "Gustavo A. R. Silva" , Paul Walmsley , Palmer Dabbelt , Albert Ou , Leonardo Bras , Claudio Imbrenda , Pawan Gupta , linux-kernel@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linux-s390@vger.kernel.org, linux-hardening@vger.kernel.org, linux-riscv@lists.infradead.org Subject: [PATCH] randomize_kstack: Remove non-functional per-arch entropy filtering Date: Wed, 19 Jun 2024 14:47:15 -0700 Message-Id: <20240619214711.work.953-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5074; i=kees@kernel.org; h=from:subject:message-id; bh=3fzkEaKVOM0rPfJQM/UHilxDpBmn0DVx7ju0tzyEiz8=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBmc1HjQzLtUraLFY0fw8Lpwy7N4xRnsdRhxQd/8 4zvmodGt6aJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZnNR4wAKCRCJcvTf3G3A JqdID/4gaYRTL6XxwSJgN0Ke28oaRPsAsFVq9Qopz5AkOGog7U02ED6us24dYtFeDM1Jd3D2YRG Xm5Mw6A+GTYv9xIie6yTzBrhFPaDd2iTQlo7LUmvfBBHbWtHZwg+3+aVFuGkzl+y6FXeyPhrEuL VJt8i+n5Jik8P6oDknx/GvrASYcgFi4oQbocJz4GeLwU5r1nykAzm0HNLnOIoW6cFDYXDYDqZYN OA99ZSEo37ZzyDVXRJM8T3AK5gzROfH+iLIu4S9EzmRTGZURfexwO8l+tPmLpUOqDs34c3NswTC NsHeJeZkWxGjZ8YCQXczZvgpQNOfCX7WSGWGqu9u0g5RiSKc14TMWVwa1eE3LATdIpTQqaLWXvu v6XKuf4EIxC81nbImXRM9AasBVWbSnOEGTz2MOgSukBvnwZSw1PNL0+wz7iT8vm8Qn8uwVkGtIc E1UNMIZYfmTdEe1oy58MUbpsl/kt2LoMw/zRX4iPgAwrdCIXBHWeutPbGyomypJAglLjv8hezmR 9sfkf+C4MrIqKpPYoEK82uhMsMZvT9jrL9UaUMgTQgC1hMKcs5xe5g0av7lc9Bnrs6eB0GWCAaL kEiDuXB19XmIj6NHXMaPErMRZFetU9cbFWU0qvguvN3e7xJ3nqM8DUBXqIGb4q5IxLMnUZjFbAP YBeQwwWVgzlfJ +A== X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240619_144720_690515_7950B89C X-CRM114-Status: GOOD ( 16.40 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org An unintended consequence of commit 9c573cd31343 ("randomize_kstack: Improve entropy diffusion") was that the per-architecture entropy size filtering reduced how many bits were being added to the mix, rather than how many bits were being used during the offsetting. All architectures fell back to the existing default of 0x3FF (10 bits), which will consume at most 1KiB of stack space. It seems that this is working just fine, so let's avoid the confusion and update everything to use the default. The prior intent of the per-architecture limits were: arm64: capped at 0x1FF (9 bits), 5 bits effective powerpc: uncapped (10 bits), 6 or 7 bits effective riscv: uncapped (10 bits), 6 bits effective x86: capped at 0xFF (8 bits), 5 (x86_64) or 6 (ia32) bits effective s390: capped at 0xFF (8 bits), undocumented effective entropy Current discussion has led to just dropping the original per-architecture filters. The additional entropy appears to be safe for arm64, x86, and s390. Quoting Arnd, "There is no point pretending that 15.75KB is somehow safe to use while 15.00KB is not." Co-developed-by: Yuntao Liu Signed-off-by: Yuntao Liu Fixes: 9c573cd31343 ("randomize_kstack: Improve entropy diffusion") Link: https://lore.kernel.org/r/20240617133721.377540-1-liuyuntao12@huawei.com Signed-off-by: Kees Cook Acked-by: Heiko Carstens # s390 Acked-by: Mark Rutland Reviewed-by: Arnd Bergmann --- Cc: Arnd Bergmann Cc: Mark Rutland --- arch/arm64/kernel/syscall.c | 16 +++++++--------- arch/s390/include/asm/entry-common.h | 2 +- arch/x86/include/asm/entry-common.h | 15 ++++++--------- 3 files changed, 14 insertions(+), 19 deletions(-) diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c index ad198262b981..7230f6e20ab8 100644 --- a/arch/arm64/kernel/syscall.c +++ b/arch/arm64/kernel/syscall.c @@ -53,17 +53,15 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno, syscall_set_return_value(current, regs, 0, ret); /* - * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), - * but not enough for arm64 stack utilization comfort. To keep - * reasonable stack head room, reduce the maximum offset to 9 bits. + * This value will get limited by KSTACK_OFFSET_MAX(), which is 10 + * bits. The actual entropy will be further reduced by the compiler + * when applying stack alignment constraints: the AAPCS mandates a + * 16-byte aligned SP at function boundaries, which will remove the + * 4 low bits from any entropy chosen here. * - * The actual entropy will be further reduced by the compiler when - * applying stack alignment constraints: the AAPCS mandates a - * 16-byte (i.e. 4-bit) aligned SP at function boundaries. - * - * The resulting 5 bits of entropy is seen in SP[8:4]. + * The resulting 6 bits of entropy is seen in SP[9:4]. */ - choose_random_kstack_offset(get_random_u16() & 0x1FF); + choose_random_kstack_offset(get_random_u16()); } static inline bool has_syscall_work(unsigned long flags) diff --git a/arch/s390/include/asm/entry-common.h b/arch/s390/include/asm/entry-common.h index 7f5004065e8a..35555c944630 100644 --- a/arch/s390/include/asm/entry-common.h +++ b/arch/s390/include/asm/entry-common.h @@ -54,7 +54,7 @@ static __always_inline void arch_exit_to_user_mode(void) static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs, unsigned long ti_work) { - choose_random_kstack_offset(get_tod_clock_fast() & 0xff); + choose_random_kstack_offset(get_tod_clock_fast()); } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h index 7e523bb3d2d3..fb2809b20b0a 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -73,19 +73,16 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs, #endif /* - * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), - * but not enough for x86 stack utilization comfort. To keep - * reasonable stack head room, reduce the maximum offset to 8 bits. - * - * The actual entropy will be further reduced by the compiler when - * applying stack alignment constraints (see cc_stack_align4/8 in + * This value will get limited by KSTACK_OFFSET_MAX(), which is 10 + * bits. The actual entropy will be further reduced by the compiler + * when applying stack alignment constraints (see cc_stack_align4/8 in * arch/x86/Makefile), which will remove the 3 (x86_64) or 2 (ia32) * low bits from any entropy chosen here. * - * Therefore, final stack offset entropy will be 5 (x86_64) or - * 6 (ia32) bits. + * Therefore, final stack offset entropy will be 7 (x86_64) or + * 8 (ia32) bits. */ - choose_random_kstack_offset(rdtsc() & 0xFF); + choose_random_kstack_offset(rdtsc()); } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare