Message ID | 20211028112703.1120709-1-ardb@kernel.org |
---|---|
Series | implement TLS register based stack canary for ARM |
Message
Ard Biesheuvel
Oct. 28, 2021, 11:27 a.m. UTC
Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102352

In the Linux kernel, user processes calling into the kernel are essentially threads running in the same address space, of a program that never terminates. This means that using a global variable for the stack protector canary value is problematic on SMP systems, as we can never change it unless we reboot the system. (Processes that sleep for any reason will do so on a call into the kernel, which means that there will always be live kernel stack frames carrying copies of the canary taken when the function was entered)

AArch64 implements -mstack-protector-guard=sysreg for this purpose, as this permits the kernel to use different memory addresses for the stack canary for each CPU, and context switch the chosen system register with the rest of the process, allowing each process to use its own unique value for the stack canary.

This patch implements something similar, but for the 32-bit ARM kernel, which will start using the user space TLS register TPIDRURO to index per-process metadata while running in the kernel. This means we can just add an offset to TPIDRURO to obtain the address from which to load the canary value.

Changes since v3:
- force a reload of the TLS register before performing the stack protector check, so that we never rely on the stack for the address of the canary

Changes since v2:
- fix the template for stack_protect_test_tls so it correctly conveys the fact that it sets the Z flag

Comments/suggestions welcome.

Cc: Keith Packard <keithpac@amazon.com>
Cc: thomas.preudhomme@celest.fr
Cc: adhemerval.zanella@linaro.org
Cc: Qing Zhao <qing.zhao@oracle.com>
Cc: Richard Sandiford <richard.sandiford@arm.com>
Cc: gcc-patches@gcc.gnu.org

Ard Biesheuvel (1):
  [ARM] Add support for TLS register based stack protector canary access

 gcc/config/arm/arm-opts.h   |  6 ++
 gcc/config/arm/arm-protos.h |  2 +
 gcc/config/arm/arm.c        | 55 +++++++++++++++
 gcc/config/arm/arm.md       | 71 +++++++++++++++++++-
 gcc/config/arm/arm.opt      | 22 ++++++
 gcc/doc/invoke.texi         |  9 +++
 6 files changed, 163 insertions(+), 2 deletions(-)
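The canary-addressing scheme the cover letter describes (TLS register plus a fixed offset, re-read at the check rather than taken from the stack), as an added example that is not code from the GCC patch or the kernel: a portable C model in which a plain pointer stands in for TPIDRURO, and the struct layout, field names and function names are assumptions made for illustration.

```c
/* Added example, not code from the GCC patch: a portable C model of the
 * mechanism the cover letter describes. Real compiler output reads
 * TPIDRURO with an MRC instruction; a plain pointer stands in for it here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-process metadata the kernel indexes through TPIDRURO; the canary sits
 * at a fixed offset, so the compiler needs no global. Layout is hypothetical. */
struct task_meta {
    uint32_t other_fields[6];
    uint32_t stack_canary;
};
#define CANARY_OFFSET offsetof(struct task_meta, stack_canary)

static struct task_meta *tls_reg;   /* stand-in for TPIDRURO */

/* The kernel switches the register together with the rest of the process. */
void context_switch_to(struct task_meta *next) { tls_reg = next; }

/* Models "mrc p15, 0, rN, c13, c0, 3; ldr rN, [rN, #offset]": the register
 * is re-read on every use, never an address saved on the stack (v4 change). */
uint32_t load_canary(void) {
    return *(const uint32_t *)((const char *)tls_reg + CANARY_OFFSET);
}

/* A function with an 8-byte local buffer and the canary slot placed above it.
 * Returns 1 when the epilogue check passes (stored canary equals the freshly
 * loaded one, i.e. Z flag set), 0 when __stack_chk_fail would be called. */
int guarded_copy(const char *src, size_t n) {
    unsigned char frame[8 + sizeof(uint32_t)];  /* buf[8], then canary slot */
    uint32_t canary = load_canary();
    memcpy(frame + 8, &canary, sizeof canary);  /* prologue: store canary */
    if (n > sizeof frame)
        n = sizeof frame;                       /* keep the model in bounds */
    memcpy(frame, src, n);                      /* the guarded buffer write */
    memcpy(&canary, frame + 8, sizeof canary);  /* epilogue: read slot back */
    return canary == load_canary();             /* stack_protect_test */
}

int main(void) {
    struct task_meta a = { .stack_canary = 0x1234abcdu };  /* constructed value */
    context_switch_to(&a);
    printf("intact=%d smashed=%d\n", guarded_copy("abcdefg", 8),
           guarded_copy("abcdefghXXXX", 12));
    return 0;
}
```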
Comments
On Thu, 28 Oct 2021 at 13:27, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102352
>
> In the Linux kernel, user processes calling into the kernel are essentially threads running in the same address space, of a program that never terminates. This means that using a global variable for the stack protector canary value is problematic on SMP systems, as we can never change it unless we reboot the system. (Processes that sleep for any reason will do so on a call into the kernel, which means that there will always be live kernel stack frames carrying copies of the canary taken when the function was entered)
>
> AArch64 implements -mstack-protector-guard=sysreg for this purpose, as this permits the kernel to use different memory addresses for the stack canary for each CPU, and context switch the chosen system register with the rest of the process, allowing each process to use its own unique value for the stack canary.
>
> This patch implements something similar, but for the 32-bit ARM kernel, which will start using the user space TLS register TPIDRURO to index per-process metadata while running in the kernel. This means we can just add an offset to TPIDRURO to obtain the address from which to load the canary value.
>
> Changes since v3:
> - force a reload of the TLS register before performing the stack protector check, so that we never rely on the stack for the address of the canary
>
> Changes since v2:
> - fix the template for stack_protect_test_tls so it correctly conveys the fact that it sets the Z flag
>
> Comments/suggestions welcome.
>
> Cc: Keith Packard <keithpac@amazon.com>
> Cc: thomas.preudhomme@celest.fr
> Cc: adhemerval.zanella@linaro.org
> Cc: Qing Zhao <qing.zhao@oracle.com>
> Cc: Richard Sandiford <richard.sandiford@arm.com>
> Cc: gcc-patches@gcc.gnu.org
>

Note to reviewers: this feature has been accepted in LLVM/Clang, and so the exact command line options introduced by this patch to enable this feature can no longer be changed easily. I don't expect this to be an issue, given that they are the same as x86, but I thought I should note it nonetheless.