From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C78D4C43331 for ; Thu, 26 Mar 2020 17:18:56 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 8087320737 for ; Thu, 26 Mar 2020 17:18:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="bOPaTx6G" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8087320737 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 2C3B56B000A; Thu, 26 Mar 2020 13:18:56 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2745B6B000C; Thu, 26 Mar 2020 13:18:56 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 165266B000D; Thu, 26 Mar 2020 13:18:56 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0153.hostedemail.com [216.40.44.153]) by kanga.kvack.org (Postfix) with ESMTP id F05836B000A for ; Thu, 26 Mar 2020 13:18:55 -0400 (EDT) Received: from smtpin26.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 246BA40C0 for ; Thu, 26 Mar 2020 17:18:56 +0000 (UTC) X-FDA: 76638173472.26.boot11_13c0213b1ba2b X-HE-Tag: boot11_13c0213b1ba2b X-Filterd-Recvd-Size: 8222 Received: from mail-pl1-f196.google.com (mail-pl1-f196.google.com [209.85.214.196]) by imf10.hostedemail.com (Postfix) with ESMTP for ; Thu, 26 Mar 2020 17:18:55 +0000 (UTC) Received: by mail-pl1-f196.google.com with SMTP id x1so2387967plm.4 for ; Thu, 26 Mar 2020 10:18:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=FuNH3TvottBd6Vom+HjZUn38bx12HjWSuxT5PFFp2NM=; b=bOPaTx6GdaN/kw3TDtNtl7YJvpKCdLmNpmXwiUaOV/H2Dyt1eisLQis+PnTqW9A+cy EpkaDdfA5uo4DCk1ebTh4faj0FTdvUrGM01MpAbv2nSbK+gGglpLa6jzzOF6TUBcNS18 J+EdB85pXrJ9G1gjVsQGSBY1SA1XxTOvVWnGc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=FuNH3TvottBd6Vom+HjZUn38bx12HjWSuxT5PFFp2NM=; b=qtlT67zEUAyUJoIZe3UPEhRPpBo0BmTILQ8yVTsK1HZLeI1eHp7tvZMStT2cgjZRj7 VwFjsYoq1A+dc3yxo3RUlUpvp4oFAVlMy1Tx9b0d+obODkQY79fCdOZzElHPKmz3629a 4gFBkYG536BjvVCnh5BUy1yJkL4mAnMF/0B9LYCfqgGO/DGFbqZwNai7IFPiKu7NFCZd QITZcb1OYtDd0s1acvFpfpicYGK4yEq6UjRZ7FVbRhyZR5/WD2xhDG76zql291Sou5mv 8vbLmD+hGj91ts03GT1CBxfUgEFuyp7yRVakbJ7N6msFS3C2w/C/Djy6diZkhLRTjAQn WwPQ== X-Gm-Message-State: ANhLgQ0RCVYM2009i58c8vucB/d/XRuDipLRN3lLWZMo8FQvz6oOB09t xnvOqG5hN801/LJh3J6NnsU1Ng== X-Google-Smtp-Source: ADFU+vuKz5FLrd/n++22UcE/kf4ftn3gYQmH2FDL1/qqMttDY074nJOuzLStkZh5VaZoPZM9xVSjkg== X-Received: by 2002:a17:90a:3783:: with SMTP id v3mr1135572pjb.31.1585243134014; Thu, 26 Mar 2020 10:18:54 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id m68sm6263454pjb.0.2020.03.26.10.18.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Mar 2020 10:18:53 -0700 (PDT) Date: Thu, 26 Mar 2020 10:18:51 -0700 From: Kees Cook To: Jann Horn Cc: "Reshetova, Elena" , Thomas Gleixner , the arch/x86 maintainers , Andy Lutomirski , Peter Zijlstra , Catalin Marinas , Will Deacon , Mark Rutland , Alexander Potapenko , Ard Biesheuvel , Kernel Hardening , "linux-arm-kernel@lists.infradead.org" , Linux-MM , kernel list Subject: Re: [PATCH v2 0/5] Optionally randomize kernel stack offset each syscall Message-ID: <202003260932.510967DD@keescook> References: <20200324203231.64324-1-keescook@chromium.org> <202003241604.7269C810B@keescook> <202003251322.180F2536E@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Mar 26, 2020 at 12:20:19AM +0100, Jann Horn wrote: > On Wed, Mar 25, 2020 at 9:27 PM Kees Cook wrote: > > On Wed, Mar 25, 2020 at 12:15:12PM +0000, Reshetova, Elena wrote: > > > > > Also, are you sure that it isn't possible to make the syscall that > > > > > leaked its stack pointer never return to userspace (via ptrace or > > > > > SIGSTOP or something like that), and therefore never realign its > > > > > stack, while keeping some controlled data present on the syscall's > > > > > stack? > > > > > > How would you reliably detect that a stack pointer has been leaked > > > to userspace while it has been in a syscall? Does not seem to be a trivial > > > task to me. > > > > Well, my expectation is that folks using this defense are also using > > panic_on_warn sysctl, etc, so attackers don't get a chance to actually > > _use_ register values spilled to dmesg. > > Uh... I thought that thing was exclusively for stuff like syzkaller, > because nuking the entire system because of a WARN is far too > excessive? WARNs should be safe to add almost anywhere in the kernel, > so that developers can put their assumptions about system behavior > into code without having to worry about bringing down the entire > system if that assumption turns out to have been false in some > harmless edgecase. So, I'm caught in a tight spot between Linus's deprecation of BUG()[1], and the desire for high-sensitivity security-oriented system builders to have a "completely stop running that kernel thread" option. Linus's entirely reasonable observation that BUG() destabilizes the kernel more often than it doesn't means there isn't actually a safe "stop that kernel thread" option, especially since many mitigations that detect badness span a spectrum of "stops the badness before it happens" (e.g. NX memory) to "I see badness has already happened" (e.g. stack protector). As a result, the only way to provide a way for the security-prioritized users is to downgrade corruptions to DoSes via panic(). I wish there was a magic way to have a perfect kernel state unwinder to get us the BUG() we wanted it to be, but given the kernel's complexity, it doesn't exist (and is unlikely to be worth developing). Right now, we either get "WARN() and keep going as best we can" or we get "WARN() and panic". And with regard to "WARNs should be safe to add", yes, that's generally true, but the goal is to not make them reachable from userspace because of this need to be able to "upgrade" them to panic(). I have tried to document[1] this: Note that the WARN()-family should only be used for "expected to be unreachable" situations. If you want to warn about "reachable but undesirable" situations, please use the pr_warn()-family of functions. System owners may have set the *panic_on_warn* sysctl, to make sure their systems do not continue running in the face of "unreachable" conditions. (For example, see commits like `this one `_.) [1] https://lore.kernel.org/lkml/202003141524.59C619B51A@keescook/ > Also, there are other places that dump register state. In particular > the soft lockup detection, which you can IIRC easily trip even > accidentally if you play around with stuff like FUSE filesystems, or > if a disk becomes unresponsive. Sure, *theoretically* you can also set > the "panic on soft lockup" flag, but that seems like a really terrible > idea to me. I understand your general objection to non-deterministic defenses, as there will always be ways to weaken them, but I don't think that's reason enough to not have them. I prefer to look at mitigations as a spectrum, and to recognize that some are more effective with certain system configurations. They become tools to choose from when building defense in depth. > As far as I can tell, the only clean way to fix this is to tell > distros that give non-root users access to dmesg (Ubuntu in > particular) that they have to stop doing that. E.g. Debian seems to > get by just fine with root-restricted dmesg. Totally agreed about that. Ubuntu may be hard to convince as one of their design principles has been to make the first user able to use the system completely with as little interruption as possible. (e.g. pop-up confirmation dialogs are strongly discouraged, etc.) So, for this series, I think the benefit-to-complexity value is high. It's a simple solution even if it's not perfect (most things can't be given the existing kernel design trade-offs). -Kees -- Kees Cook