[-enrico, who is bouncing] On Tue, Mar 24, 2020 at 10:28:35PM +0100, Jann Horn wrote: > On Tue, Mar 24, 2020 at 9:32 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > This is a continuation and refactoring of Elena's earlier effort to add > > kernel stack base offset randomization. In the time since the previous > > discussions, two attacks[1][2] were made public that depended on stack > > determinism, so we're no longer in the position of "this is a good idea > > but we have no examples of attacks". :) > [...] > > [1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html > > This one only starts using the stack's location after having parsed > it out of dmesg (which in any environment that wants to provide a > reasonable level of security really ought to be restricted to root), > right? If you give people read access to dmesg, they can leak all > sorts of pointers; not just the stack pointer, but also whatever else > happens to be in the registers at that point - which is likely to give > the attacker more ways to place controlled data at a known location. > See e.g. <https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html>, > which leaks the pointer to a BPF map out of dmesg. It was mentioned that it would re-use the base across syscalls, so this defense would have frustrated it. More to my point was that there still are attacks using a deterministic stack as part of the exploit chain. We have a low-cost way to make that go away. > Also, are you sure that it isn't possible to make the syscall that > leaked its stack pointer never return to userspace (via ptrace or > SIGSTOP or something like that), and therefore never realign its > stack, while keeping some controlled data present on the syscall's > stack? > > > [2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf > > That's a moderately large document; which specific part are you referencing? IIRC, section 3.3 discusses using the stack for CFI bypass, though thinking about it again, it may have been targeting pt_regs. I'll double check and remove this reference if that's the case. But, as I mention, this is proactive and I'd like to stop yet more things from being able to depend on the stack location. -- Kees Cook
