Hi Kees,

Sven Schnelle <svens@xxxxxxxxxxxxx> writes:

> Kees Cook <keescook@xxxxxxxxxxxx> writes:
>
>> On Thu, Apr 29, 2021 at 11:14:51AM +0200, Sven Schnelle wrote:
>>> enough and has much less performance penalty compared to using
>>> get_random_int(). The patch also adds randomization in pgm_check_handler()
>>> as the sigreturn/rt_sigreturn system calls might be called from there.
>>
>> Ah, interesting. Is this path to syscalls unique to s390? (As in, should
>> x86 and arm64 gain coverage over a path that got missed?)
>
> Yes, it's unique to s390. So there should be no need to do anything
> similar on other architectures.

I was a bit short with my response, so let me explain this a bit further.
On s390, when a signal handler needs to be called, we put a 'svc' (system
call) instruction on the stack and set the address in the register holding
the return address (r14) to that address. That worked fine until
non-executable stacks were introduced. With non-executable stacks, we get a
program check instead when trying to execute the svc. The kernel then checks
whether the instruction that caused the fault is the svc instruction, and if
yes, it will redirect to the system call code to execute the {rt_}sigreturn
syscall. So we need to do the stack offset randomization also in the program
check handler to cover that path.

>
>>> +static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs,
>>> + unsigned long ti_work)
>>> +{
>>> + choose_random_kstack_offset(get_tod_clock_fast() & 0xff);
>>
>> What's the stack alignment on s390? Or, better question, what's the
>> expected number of entropy bits?
>
>
> The stack alignment on s390 is 8 bytes, so this should give us 5 bits
> of entropy.
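Review bot: the `& 0xff` in `choose_random_kstack_offset(get_tod_clock_fast() & 0xff)` hands over 8 raw bits, but with the 8-byte stack alignment discussed in the thread the low 3 bits cannot move the frame, so the effective entropy is 5 bits; a short comment next to the call (or a sentence in the commit message) stating the intended bit count and why the TOD clock is considered good enough would save the next reviewer from asking the same question.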
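To check the figure Kees asked about, here is an added example (my own, not code from the patch or the kernel): it enumerates every value the `& 0xff` mask can yield, rounds each one down to the stack alignment as the frame placement effectively does, and counts the distinct offsets left, which gives the effective entropy bits. The helper names and the table size limit are assumptions; the routine takes any mask and power-of-two alignment, not only the s390 pair.

```c
#include <stdbool.h>
#include <stdio.h>

/* Largest raw mask this toy supports (table size for the distinct-offset set). */
#define MAX_MASK 0xfff

/* Raw random value reduced by the mask, then rounded down to the stack
 * alignment. Hypothetical helper modelling how an 8-byte aligned stack
 * discards the low bits of the chosen offset. */
unsigned long aligned_offset(unsigned long raw, unsigned long mask,
                             unsigned long align)
{
    return (raw & mask) & ~(align - 1);
}

/* Count the distinct offsets reachable from all values 0..mask after
 * alignment and return ceil(log2(count)), i.e. the effective entropy bits.
 * Returns -1 if mask exceeds the table or align is not a power of two. */
int kstack_entropy_bits(unsigned long mask, unsigned long align)
{
    if (mask > MAX_MASK || align == 0 || (align & (align - 1)) != 0)
        return -1;

    bool seen[MAX_MASK + 1] = { false };
    unsigned long distinct = 0;

    for (unsigned long raw = 0; raw <= mask; raw++) {
        unsigned long off = aligned_offset(raw, mask, align);
        if (!seen[off]) {
            seen[off] = true;
            distinct++;
        }
    }

    int bits = 0;
    while ((1ul << bits) < distinct)
        bits++;
    return bits;
}

int main(void)
{
    /* The s390 case from the thread: 8 raw bits, 8-byte stack alignment. */
    printf("mask 0xff, align 8: %d bits of entropy\n",
           kstack_entropy_bits(0xff, 8));  /* prints 5 */
    return 0;
}
```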