From patchwork Thu Nov 9 13:37:51 2023
X-Patchwork-Submitter: Song Shuai
X-Patchwork-Id: 163399
From: Song Shuai
To: paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, keescook@chromium.org, guoren@kernel.org, bjorn@rivosinc.com, jszhang@kernel.org, conor.dooley@microchip.com, andy.chiu@sifive.com, samitolvanen@google.com, songshuaishuai@tinylab.org, coelacanthushex@gmail.com, dlemoal@kernel.org
Cc: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Palmer Dabbelt
Subject: [PATCH V2] riscv: Support RANDOMIZE_KSTACK_OFFSET
Date: Thu, 9 Nov 2023 21:37:51 +0800
Message-Id: <20231109133751.212079-1-songshuaishuai@tinylab.org>

Inspired by arm64's implementation -- commit 70918779aec9 ("arm64: entry: Enable random_kstack_offset support")

Add support for kernel stack offset randomization while handling syscalls; the offset is limited by default by KSTACK_OFFSET_MAX() (i.e. 10 bits).

In order to avoid triggering stack canaries (due to __builtin_alloca) and slowing down the entry path, use the __no_stack_protector attribute to disable the stack protector for do_trap_ecall_u() at the function level.

Acked-by: Palmer Dabbelt
Reviewed-by: Kees Cook
Signed-off-by: Song Shuai --- Changes since V1: https://lore.kernel.org/linux-riscv/20231101064423.1906122-1-songshuaishuai@tinylab.org/ - fix whitespace errors Damien pointed out - add Acked-by and Reviewed-by tags --- arch/riscv/Kconfig | 1 + arch/riscv/kernel/traps.c | 17 ++++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index d607ab0f7c6d..0e843de33f0c 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -100,6 +100,7 @@ config RISCV select HAVE_ARCH_KGDB_QXFER_PKT select HAVE_ARCH_MMAP_RND_BITS if MMU select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT + select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_THREAD_STRUCT_WHITELIST select HAVE_ARCH_TRACEHOOK diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 19807c4d3805..a1a75163fb81 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -6,6 +6,7 @@ #include #include #include +#include #include #include #include @@ -296,7 +297,8 @@ asmlinkage __visible __trap_section void do_trap_break(struct pt_regs *regs) } } -asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs) +asmlinkage __visible __trap_section __no_stack_protector +void do_trap_ecall_u(struct pt_regs *regs) { if (user_mode(regs)) { long syscall = regs->a7; 
@@ -308,10 +310,23 @@ asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs) syscall = syscall_enter_from_user_mode(regs, syscall); + add_random_kstack_offset(); + if (syscall >= 0 && syscall < NR_syscalls) syscall_handler(regs, syscall); else if (syscall != -1) regs->a0 = -ENOSYS; + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), + * so the maximum stack offset is 1k bytes (10 bits). + * + * The actual entropy will be further reduced by the compiler when + * applying stack alignment constraints: 16-byte (i.e. 4-bit) aligned + * for RV32I or RV64I. + * + * The resulting 6 bits of entropy is seen in SP[9:4]. + */ + choose_random_kstack_offset(get_random_u16()); syscall_exit_to_user_mode(regs); } else {
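Review bot: in the arch/riscv/kernel/traps.c hunk that changes the do_trap_ecall_u() signature, the new __no_stack_protector attribute carries no comment in the code saying why the canary is disabled; the reason (stack canaries triggered by __builtin_alloca, plus entry-path cost) appears only in the commit message. A short comment above the function would keep a later cleanup from dropping the attribute. The attribute also applies to the whole function, including the else branch taken when user_mode(regs) is false, so it is worth stating that this wider scope is accepted.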
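Review bot: in the last traps.c hunk, add_random_kstack_offset() is called after syscall_enter_from_user_mode(regs, syscall), so everything that runs inside syscall_enter_from_user_mode() executes before the offset is applied; if that ordering is deliberate, say so in a comment or the commit message, otherwise consider moving the call ahead of it. The comment block's arithmetic is consistent (10 bits from KSTACK_OFFSET_MAX(), less 4 bits for 16-byte alignment, leaves SP[9:4]), but since choose_random_kstack_offset(get_random_u16()) runs after syscall_handler(), the value picked there can only take effect at a later add_random_kstack_offset(); one sentence to that effect in the comment would help readers.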