Message ID | 20191018161033.261971-7-samitolvanen@google.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | add support for Clang's Shadow Call Stack | expand |
On Fri, 2019-10-18 at 09:10 -0700, Sami Tolvanen wrote: > This change adds generic support for Clang's Shadow Call Stack, which > uses a shadow stack to protect return addresses from being overwritten > by an attacker [] > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h [] > @@ -42,3 +42,5 @@ > * compilers, like ICC. > */ > #define barrier() __asm__ __volatile__("" : : : "memory") > + > +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) trivia: This should likely use the __ prefix and suffix form: #define __noscs __attribute__((__no_sanitize__("shadow-call-stack"))) as should the __no_sanitize_address above this
On Fri, Oct 18, 2019 at 9:11 AM Sami Tolvanen <samitolvanen@google.com> wrote: > > This change adds generic support for Clang's Shadow Call Stack, which > uses a shadow stack to protect return addresses from being overwritten > by an attacker. Details are available here: > > https://clang.llvm.org/docs/ShadowCallStack.html > > Signed-off-by: Sami Tolvanen <samitolvanen@google.com> > --- > Makefile | 6 ++ > arch/Kconfig | 39 ++++++++ > include/linux/compiler-clang.h | 2 + > include/linux/compiler_types.h | 4 + > include/linux/scs.h | 88 ++++++++++++++++++ > init/init_task.c | 6 ++ > init/main.c | 3 + > kernel/Makefile | 1 + > kernel/fork.c | 9 ++ > kernel/sched/core.c | 2 + > kernel/sched/sched.h | 1 + > kernel/scs.c | 162 +++++++++++++++++++++++++++++++++ > 12 files changed, 323 insertions(+) > create mode 100644 include/linux/scs.h > create mode 100644 kernel/scs.c > > diff --git a/Makefile b/Makefile > index ffd7a912fc46..e401fa500f62 100644 > --- a/Makefile > +++ b/Makefile > @@ -846,6 +846,12 @@ ifdef CONFIG_LIVEPATCH > KBUILD_CFLAGS += $(call cc-option, -flive-patching=inline-clone) > endif > > +ifdef CONFIG_SHADOW_CALL_STACK > +KBUILD_CFLAGS += -fsanitize=shadow-call-stack > +DISABLE_SCS := -fno-sanitize=shadow-call-stack > +export DISABLE_SCS > +endif > + > # arch Makefile may override CC so keep this after arch Makefile is included > NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include) > > diff --git a/arch/Kconfig b/arch/Kconfig > index 5f8a5d84dbbe..a222adda8130 100644 > --- a/arch/Kconfig > +++ b/arch/Kconfig > @@ -521,6 +521,45 @@ config STACKPROTECTOR_STRONG > about 20% of all kernel functions, which increases the kernel code > size by about 2%. > > +config ARCH_SUPPORTS_SHADOW_CALL_STACK > + bool > + help > + An architecture should select this if it supports Clang's Shadow > + Call Stack, has asm/scs.h, and implements runtime support for shadow > + stack switching. 
> + > +config SHADOW_CALL_STACK_VMAP > + def_bool n > + depends on SHADOW_CALL_STACK > + help > + Use virtually mapped shadow call stacks. Selecting this option > + provides better stack exhaustion protection, but increases per-thread > + memory consumption as a full page is allocated for each shadow stack. > + > +choice > + prompt "Return-oriented programming (ROP) protection" > + default ROP_PROTECTION_NONE > + help > + This option controls kernel protections against return-oriented > + programming (ROP) attacks. > + > +config ROP_PROTECTION_NONE > + bool "None" > + > +config SHADOW_CALL_STACK > + bool "Clang Shadow Call Stack" > + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK > + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 Version check LGTM. > + help > + This option enables Clang's Shadow Call Stack, which uses a shadow > + stack to protect function return addresses from being overwritten by > + an attacker. More information can be found from Clang's > + documentation: > + > + https://clang.llvm.org/docs/ShadowCallStack.html > + > +endchoice > + > config HAVE_ARCH_WITHIN_STACK_FRAMES > bool > help > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > index 333a6695a918..9af08391f205 100644 > --- a/include/linux/compiler-clang.h > +++ b/include/linux/compiler-clang.h > @@ -42,3 +42,5 @@ > * compilers, like ICC. > */ > #define barrier() __asm__ __volatile__("" : : : "memory") > + > +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) It looks like this attribute, (and thus a requirement to use this feature), didn't exist until Clang 7.0: https://godbolt.org/z/p9u1we (as noted above) I think it's better to put __noscs behind a __has_attribute guard in include/linux/compiler_attributes.h. Otherwise, what will happen when Clang 6.0 sees __noscs, for example? (-Wunknown-sanitizers will happen). 
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > index 72393a8c1a6c..be5d5be4b1ae 100644 > --- a/include/linux/compiler_types.h > +++ b/include/linux/compiler_types.h > @@ -202,6 +202,10 @@ struct ftrace_likely_data { > # define randomized_struct_fields_end > #endif > > +#ifndef __noscs > +# define __noscs > +#endif > + and then this can be removed. > #ifndef asm_volatile_goto > #define asm_volatile_goto(x...) asm goto(x) > #endif > diff --git a/include/linux/scs.h b/include/linux/scs.h > new file mode 100644 > index 000000000000..dfbd80faa528 > --- /dev/null > +++ b/include/linux/scs.h > @@ -0,0 +1,88 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Shadow Call Stack support. > + * > + * Copyright (C) 2018 Google LLC > + */ > + > +#ifndef _LINUX_SCS_H > +#define _LINUX_SCS_H > + > +#include <linux/gfp.h> > +#include <linux/sched.h> > +#include <asm/page.h> > + > +#ifdef CONFIG_SHADOW_CALL_STACK > + > +#ifdef CONFIG_SHADOW_CALL_STACK_VMAP > +# define SCS_SIZE PAGE_SIZE > +#else > +# define SCS_SIZE 1024 > +#endif > + > +#define SCS_GFP (GFP_KERNEL | __GFP_ZERO) > + > +extern unsigned long init_shadow_call_stack[]; > + > +static inline void *task_scs(struct task_struct *tsk) > +{ > + return task_thread_info(tsk)->shadow_call_stack; > +} > + > +static inline void task_set_scs(struct task_struct *tsk, void *s) > +{ > + task_thread_info(tsk)->shadow_call_stack = s; > +} > + > +extern void scs_init(void); > +extern void scs_set_init_magic(struct task_struct *tsk); > +extern void scs_task_init(struct task_struct *tsk); > +extern void scs_task_reset(struct task_struct *tsk); > +extern int scs_prepare(struct task_struct *tsk, int node); > +extern bool scs_corrupted(struct task_struct *tsk); > +extern void scs_release(struct task_struct *tsk); > + > +#else /* CONFIG_SHADOW_CALL_STACK */ > + > +static inline void *task_scs(struct task_struct *tsk) > +{ > + return 0; > +} > + > +static inline void task_set_scs(struct task_struct *tsk, 
void *s) > +{ > +} > + > +static inline void scs_init(void) > +{ > +} > + > +static inline void scs_set_init_magic(struct task_struct *tsk) > +{ > +} > + > +static inline void scs_task_init(struct task_struct *tsk) > +{ > +} > + > +static inline void scs_task_reset(struct task_struct *tsk) > +{ > +} > + > +static inline int scs_prepare(struct task_struct *tsk, int node) > +{ > + return 0; > +} > + > +static inline bool scs_corrupted(struct task_struct *tsk) > +{ > + return false; > +} > + > +static inline void scs_release(struct task_struct *tsk) > +{ > +} > + > +#endif /* CONFIG_SHADOW_CALL_STACK */ > + > +#endif /* _LINUX_SCS_H */ > diff --git a/init/init_task.c b/init/init_task.c > index 9e5cbe5eab7b..5e55ff45bbbf 100644 > --- a/init/init_task.c > +++ b/init/init_task.c > @@ -11,6 +11,7 @@ > #include <linux/mm.h> > #include <linux/audit.h> > #include <linux/numa.h> > +#include <linux/scs.h> > > #include <asm/pgtable.h> > #include <linux/uaccess.h> > @@ -184,6 +185,11 @@ struct task_struct init_task > }; > EXPORT_SYMBOL(init_task); > > +#ifdef CONFIG_SHADOW_CALL_STACK > +unsigned long init_shadow_call_stack[SCS_SIZE / sizeof(long)] > + __init_task_data __aligned(SCS_SIZE); > +#endif > + > /* > * Initial thread structure. Alignment of this is handled by a special > * linker map entry. 
> diff --git a/init/main.c b/init/main.c > index 91f6ebb30ef0..fb8bcdd729b9 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -93,6 +93,7 @@ > #include <linux/rodata_test.h> > #include <linux/jump_label.h> > #include <linux/mem_encrypt.h> > +#include <linux/scs.h> > > #include <asm/io.h> > #include <asm/bugs.h> > @@ -578,6 +579,8 @@ asmlinkage __visible void __init start_kernel(void) > char *after_dashes; > > set_task_stack_end_magic(&init_task); > + scs_set_init_magic(&init_task); > + > smp_setup_processor_id(); > debug_objects_early_init(); > > diff --git a/kernel/Makefile b/kernel/Makefile > index daad787fb795..313dbd44d576 100644 > --- a/kernel/Makefile > +++ b/kernel/Makefile > @@ -102,6 +102,7 @@ obj-$(CONFIG_TRACEPOINTS) += trace/ > obj-$(CONFIG_IRQ_WORK) += irq_work.o > obj-$(CONFIG_CPU_PM) += cpu_pm.o > obj-$(CONFIG_BPF) += bpf/ > +obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o > > obj-$(CONFIG_PERF_EVENTS) += events/ > > diff --git a/kernel/fork.c b/kernel/fork.c > index bcdf53125210..ae7ebe9f0586 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -94,6 +94,7 @@ > #include <linux/livepatch.h> > #include <linux/thread_info.h> > #include <linux/stackleak.h> > +#include <linux/scs.h> > > #include <asm/pgtable.h> > #include <asm/pgalloc.h> > @@ -451,6 +452,8 @@ void put_task_stack(struct task_struct *tsk) > > void free_task(struct task_struct *tsk) > { > + scs_release(tsk); > + > #ifndef CONFIG_THREAD_INFO_IN_TASK > /* > * The task is finally done with both the stack and thread_info, > @@ -834,6 +837,8 @@ void __init fork_init(void) > NULL, free_vm_stack_cache); > #endif > > + scs_init(); > + > lockdep_init_task(&init_task); > uprobes_init(); > } > @@ -907,6 +912,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) > clear_user_return_notifier(tsk); > clear_tsk_need_resched(tsk); > set_task_stack_end_magic(tsk); > + scs_task_init(tsk); > > #ifdef CONFIG_STACKPROTECTOR > tsk->stack_canary = get_random_canary(); > @@ -2022,6 
+2028,9 @@ static __latent_entropy struct task_struct *copy_process( > args->tls); > if (retval) > goto bad_fork_cleanup_io; > + retval = scs_prepare(p, node); > + if (retval) > + goto bad_fork_cleanup_thread; > > stackleak_task_init(p); > > diff --git a/kernel/sched/core.c b/kernel/sched/core.c > index dd05a378631a..e7faeb383008 100644 > --- a/kernel/sched/core.c > +++ b/kernel/sched/core.c > @@ -6013,6 +6013,8 @@ void init_idle(struct task_struct *idle, int cpu) > raw_spin_lock_irqsave(&idle->pi_lock, flags); > raw_spin_lock(&rq->lock); > > + scs_task_reset(idle); > + > __sched_fork(0, idle); > idle->state = TASK_RUNNING; > idle->se.exec_start = sched_clock(); > diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h > index 0db2c1b3361e..c153003a011c 100644 > --- a/kernel/sched/sched.h > +++ b/kernel/sched/sched.h > @@ -58,6 +58,7 @@ > #include <linux/profile.h> > #include <linux/psi.h> > #include <linux/rcupdate_wait.h> > +#include <linux/scs.h> > #include <linux/security.h> > #include <linux/stop_machine.h> > #include <linux/suspend.h> > diff --git a/kernel/scs.c b/kernel/scs.c > new file mode 100644 > index 000000000000..47324e8d313b > --- /dev/null > +++ b/kernel/scs.c > @@ -0,0 +1,162 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Shadow Call Stack support. 
> + * > + * Copyright (C) 2019 Google LLC > + */ > + > +#include <linux/cpuhotplug.h> > +#include <linux/mm.h> > +#include <linux/slab.h> > +#include <linux/scs.h> > +#include <linux/vmalloc.h> > +#include <asm/scs.h> > + > +#define SCS_END_MAGIC 0xaf0194819b1635f6UL > + > +static inline void *__scs_base(struct task_struct *tsk) > +{ > + return (void *)((uintptr_t)task_scs(tsk) & ~(SCS_SIZE - 1)); > +} > + > +#ifdef CONFIG_SHADOW_CALL_STACK_VMAP > + > +/* Keep a cache of shadow stacks */ > +#define SCS_CACHE_SIZE 2 > +static DEFINE_PER_CPU(void *, scs_cache[SCS_CACHE_SIZE]); > + > +static void *scs_alloc(int node) > +{ > + int i; > + > + for (i = 0; i < SCS_CACHE_SIZE; i++) { > + void *s; > + > + s = this_cpu_xchg(scs_cache[i], NULL); > + if (s) { > + memset(s, 0, SCS_SIZE); > + return s; > + } > + } > + > + return __vmalloc_node_range(SCS_SIZE, SCS_SIZE, > + VMALLOC_START, VMALLOC_END, > + SCS_GFP, PAGE_KERNEL, 0, > + node, __builtin_return_address(0)); > +} > + > +static void scs_free(void *s) > +{ > + int i; > + > + for (i = 0; i < SCS_CACHE_SIZE; i++) { > + if (this_cpu_cmpxchg(scs_cache[i], 0, s) != 0) > + continue; > + > + return; > + } > + > + vfree_atomic(s); > +} > + > +static int scs_cleanup(unsigned int cpu) > +{ > + int i; > + void **cache = per_cpu_ptr(scs_cache, cpu); > + > + for (i = 0; i < SCS_CACHE_SIZE; i++) { > + vfree(cache[i]); > + cache[i] = NULL; > + } > + > + return 0; > +} > + > +void __init scs_init(void) > +{ > + cpuhp_setup_state(CPUHP_BP_PREPARE_DYN, "scs:scs_cache", NULL, > + scs_cleanup); > +} > + > +#else /* !CONFIG_SHADOW_CALL_STACK_VMAP */ > + > +static struct kmem_cache *scs_cache; > + > +static inline void *scs_alloc(int node) > +{ > + return kmem_cache_alloc_node(scs_cache, SCS_GFP, node); > +} > + > +static inline void scs_free(void *s) > +{ > + kmem_cache_free(scs_cache, s); > +} > + > +void __init scs_init(void) > +{ > + scs_cache = kmem_cache_create("scs_cache", SCS_SIZE, SCS_SIZE, > + 0, NULL); > + WARN_ON(!scs_cache); > +} 
> + > +#endif /* CONFIG_SHADOW_CALL_STACK_VMAP */ > + > +static inline unsigned long *scs_magic(struct task_struct *tsk) > +{ > + return (unsigned long *)(__scs_base(tsk) + SCS_SIZE - sizeof(long)); > +} > + > +static inline void scs_set_magic(struct task_struct *tsk) > +{ > + *scs_magic(tsk) = SCS_END_MAGIC; > +} > + > +void scs_task_init(struct task_struct *tsk) > +{ > + task_set_scs(tsk, NULL); > +} > + > +void scs_task_reset(struct task_struct *tsk) > +{ > + task_set_scs(tsk, __scs_base(tsk)); > +} > + > +void scs_set_init_magic(struct task_struct *tsk) > +{ > + scs_save(tsk); > + scs_set_magic(tsk); > + scs_load(tsk); > +} > + > +int scs_prepare(struct task_struct *tsk, int node) > +{ > + void *s; > + > + s = scs_alloc(node); > + if (!s) > + return -ENOMEM; > + > + task_set_scs(tsk, s); > + scs_set_magic(tsk); > + > + return 0; > +} > + > +bool scs_corrupted(struct task_struct *tsk) > +{ > + return *scs_magic(tsk) != SCS_END_MAGIC; > +} > + > +void scs_release(struct task_struct *tsk) > +{ > + void *s; > + > + s = __scs_base(tsk); > + if (!s) > + return; > + > + WARN_ON(scs_corrupted(tsk)); > + > + scs_task_init(tsk); > + scs_free(s); > +} > -- > 2.23.0.866.gb869b98d4c-goog >
On Fri, Oct 18, 2019 at 10:08 AM 'Nick Desaulniers' via Clang Built Linux <clang-built-linux@googlegroups.com> wrote: > > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > > index 333a6695a918..9af08391f205 100644 > > --- a/include/linux/compiler-clang.h > > +++ b/include/linux/compiler-clang.h > > @@ -42,3 +42,5 @@ > > * compilers, like ICC. > > */ > > #define barrier() __asm__ __volatile__("" : : : "memory") > > + > > +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) > > It looks like this attribute, (and thus a requirement to use this > feature), didn't exist until Clang 7.0: https://godbolt.org/z/p9u1we > (as noted above) > > I think it's better to put __noscs behind a __has_attribute guard in > include/linux/compiler_attributes.h. Otherwise, what will happen when > Clang 6.0 sees __noscs, for example? (-Wunknown-sanitizers will > happen). Good point, I'll fix this in v2. Thanks. Sami
On Fri, Oct 18, 2019 at 6:14 PM Sami Tolvanen <samitolvanen@google.com> wrote: > This change adds generic support for Clang's Shadow Call Stack, which > uses a shadow stack to protect return addresses from being overwritten > by an attacker. Details are available here: > > https://clang.llvm.org/docs/ShadowCallStack.html (As I mentioned in the other thread, the security documentation there doesn't fit the kernel usecase.) [...] > +config SHADOW_CALL_STACK_VMAP > + def_bool n > + depends on SHADOW_CALL_STACK > + help > + Use virtually mapped shadow call stacks. Selecting this option > + provides better stack exhaustion protection, but increases per-thread > + memory consumption as a full page is allocated for each shadow stack. Without CONFIG_SHADOW_CALL_STACK_VMAP, after 128 small stack frames, you overflow into random physmap memory even if the main stack is vmapped... I guess you can't get around that without making the SCS instrumentation more verbose. :/ Could you maybe change things so that independent of whether you have vmapped SCS or slab-allocated SCS, the scs_corrupted() check looks at offset 1024-8 (where it currently is for the slab-allocated case)? That way, code won't suddenly stop working when you disable CONFIG_SHADOW_CALL_STACK_VMAP; and especially if you use CONFIG_SHADOW_CALL_STACK_VMAP for development and testing but disable it in production, that would be annoying.
On Fri, Oct 18, 2019 at 10:42 AM Jann Horn <jannh@google.com> wrote: > (As I mentioned in the other thread, the security documentation there > doesn't fit the kernel usecase.) True. I'll add a note about it here too. > Without CONFIG_SHADOW_CALL_STACK_VMAP, after 128 small stack frames, > you overflow into random physmap memory even if the main stack is > vmapped... I guess you can't get around that without making the SCS > instrumentation more verbose. :/ That's correct. In our testing, 128 stack frames is nearly twice the maximum amount that's been used (on an arm64 device), and for many use cases, allocating a full page is simply too costly despite the advantages. > Could you maybe change things so that independent of whether you have > vmapped SCS or slab-allocated SCS, the scs_corrupted() check looks at > offset 1024-8 (where it currently is for the slab-allocated case)? > That way, code won't suddenly stop working when you disable > CONFIG_SHADOW_CALL_STACK_VMAP; and especially if you use > CONFIG_SHADOW_CALL_STACK_VMAP for development and testing but disable > it in production, that would be annoying. Yes, that's a great idea. I'll change this in v2. Sami
On Fri, Oct 18, 2019 at 7:11 PM Sami Tolvanen <samitolvanen@google.com> wrote: > > On Fri, Oct 18, 2019 at 10:08 AM 'Nick Desaulniers' via Clang Built > Linux <clang-built-linux@googlegroups.com> wrote: > > > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > > > index 333a6695a918..9af08391f205 100644 > > > --- a/include/linux/compiler-clang.h > > > +++ b/include/linux/compiler-clang.h > > > @@ -42,3 +42,5 @@ > > > * compilers, like ICC. > > > */ > > > #define barrier() __asm__ __volatile__("" : : : "memory") > > > + > > > +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) > > > > It looks like this attribute, (and thus a requirement to use this > > feature), didn't exist until Clang 7.0: https://godbolt.org/z/p9u1we > > (as noted above) > > > > I think it's better to put __noscs behind a __has_attribute guard in > > include/linux/compiler_attributes.h. Otherwise, what will happen when > > Clang 6.0 sees __noscs, for example? (-Wunknown-sanitizers will > > happen). > > Good point, I'll fix this in v2. Thanks. +1, please CC whenever you send it! Cheers, Miguel
On Fri, Oct 18, 2019 at 11:33 AM Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote: > > On Fri, Oct 18, 2019 at 7:11 PM Sami Tolvanen <samitolvanen@google.com> wrote: > > > > On Fri, Oct 18, 2019 at 10:08 AM 'Nick Desaulniers' via Clang Built > > Linux <clang-built-linux@googlegroups.com> wrote: > > > > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > > > > index 333a6695a918..9af08391f205 100644 > > > > --- a/include/linux/compiler-clang.h > > > > +++ b/include/linux/compiler-clang.h > > > > @@ -42,3 +42,5 @@ > > > > * compilers, like ICC. > > > > */ > > > > #define barrier() __asm__ __volatile__("" : : : "memory") > > > > + > > > > +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) > > > > > > It looks like this attribute, (and thus a requirement to use this > > > feature), didn't exist until Clang 7.0: https://godbolt.org/z/p9u1we > > > (as noted above) > > > > > > I think it's better to put __noscs behind a __has_attribute guard in > > > include/linux/compiler_attributes.h. Otherwise, what will happen when > > > Clang 6.0 sees __noscs, for example? (-Wunknown-sanitizers will > > > happen). > > > > Good point, I'll fix this in v2. Thanks. > > +1, please CC whenever you send it! Sami pointed out to me off thread that __has_attribute would only check `no_sanitize`, not `shadow-call-stack`. So maybe best to keep the definition here (include/linux/compiler-clang.h), but wrapped in a `__has_feature` check so that Clang 6.0 doesn't start complaining.
On Fri, Oct 18, 2019 at 10:33 PM Nick Desaulniers <ndesaulniers@google.com> wrote: > > Sami pointed out to me off thread that __has_attribute would only > check `no_sanitize`, not `shadow-call-stack`. So maybe best to keep > the definition here (include/linux/compiler-clang.h), but wrapped in a > `__has_feature` check so that Clang 6.0 doesn't start complaining. Ah, good point -- agreed! Cheers, Miguel
On Fri, Oct 18, 2019 at 09:10:21AM -0700, Sami Tolvanen wrote: > This change adds generic support for Clang's Shadow Call Stack, which > uses a shadow stack to protect return addresses from being overwritten > by an attacker. Details are available here: > > https://clang.llvm.org/docs/ShadowCallStack.html > > Signed-off-by: Sami Tolvanen <samitolvanen@google.com> > --- > Makefile | 6 ++ > arch/Kconfig | 39 ++++++++ > include/linux/compiler-clang.h | 2 + > include/linux/compiler_types.h | 4 + > include/linux/scs.h | 88 ++++++++++++++++++ > init/init_task.c | 6 ++ > init/main.c | 3 + > kernel/Makefile | 1 + > kernel/fork.c | 9 ++ > kernel/sched/core.c | 2 + > kernel/sched/sched.h | 1 + > kernel/scs.c | 162 +++++++++++++++++++++++++++++++++ > 12 files changed, 323 insertions(+) > create mode 100644 include/linux/scs.h > create mode 100644 kernel/scs.c > > diff --git a/Makefile b/Makefile > index ffd7a912fc46..e401fa500f62 100644 > --- a/Makefile > +++ b/Makefile > @@ -846,6 +846,12 @@ ifdef CONFIG_LIVEPATCH > KBUILD_CFLAGS += $(call cc-option, -flive-patching=inline-clone) > endif > > +ifdef CONFIG_SHADOW_CALL_STACK > +KBUILD_CFLAGS += -fsanitize=shadow-call-stack > +DISABLE_SCS := -fno-sanitize=shadow-call-stack > +export DISABLE_SCS > +endif I think it would be preferable to follow the example of CC_FLAGS_FTRACE so that this can be filtered out, e.g. ifdef CONFIG_SHADOW_CALL_STACK CFLAGS_SCS := -fsanitize=shadow-call-stack KBUILD_CFLAGS += $(CFLAGS_SCS) export CC_FLAGS_SCS endif ... with removal being: CFLAGS_REMOVE := $(CC_FLAGS_SCS) ... or: CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) That way you only need to define the flags once, so the enable and disable falgs remain in sync by construction. [...] > +config ARCH_SUPPORTS_SHADOW_CALL_STACK > + bool > + help > + An architecture should select this if it supports Clang's Shadow > + Call Stack, has asm/scs.h, and implements runtime support for shadow > + stack switching. 
> + > +config SHADOW_CALL_STACK_VMAP > + def_bool n A bool is default n, so you can just say bool here. > + depends on SHADOW_CALL_STACK > + help > + Use virtually mapped shadow call stacks. Selecting this option > + provides better stack exhaustion protection, but increases per-thread > + memory consumption as a full page is allocated for each shadow stack. > + > +choice > + prompt "Return-oriented programming (ROP) protection" > + default ROP_PROTECTION_NONE > + help > + This option controls kernel protections against return-oriented > + programming (ROP) attacks. Are we expecting more options here in future? > +config ROP_PROTECTION_NONE > + bool "None" IIUC this is for the benefit of the kretprobes Kconfig. I think it would be better to make that depend on !SHADOW_CALL_STACK, as it's plausible that we can add a different ROP protection mechanism that is compatible with kretprobes. > +config SHADOW_CALL_STACK > + bool "Clang Shadow Call Stack" > + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK > + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 Is there a reason for an explicit version check rather than a CC_HAS_<feature> check? e.g. was this available but broken in prior versions of clang? [...] > +#define SCS_GFP (GFP_KERNEL | __GFP_ZERO) Normally GFP_ is a prefix. For consistency, GFP_SCS would be preferable. > +extern unsigned long init_shadow_call_stack[]; Do we need this exposed here? IIUC this is only assigned by assembly in arch code. [...] > +void scs_set_init_magic(struct task_struct *tsk) > +{ > + scs_save(tsk); > + scs_set_magic(tsk); > + scs_load(tsk); > +} Can we initialize this at compile time instead? Thanks, Mark.
On Tue, Oct 22, 2019 at 05:28:27PM +0100, Mark Rutland wrote: > On Fri, Oct 18, 2019 at 09:10:21AM -0700, Sami Tolvanen wrote: > > This change adds generic support for Clang's Shadow Call Stack, which > > uses a shadow stack to protect return addresses from being overwritten > > by an attacker. Details are available here: > > > > https://clang.llvm.org/docs/ShadowCallStack.html > > > > Signed-off-by: Sami Tolvanen <samitolvanen@google.com> > > --- > > Makefile | 6 ++ > > arch/Kconfig | 39 ++++++++ > > include/linux/compiler-clang.h | 2 + > > include/linux/compiler_types.h | 4 + > > include/linux/scs.h | 88 ++++++++++++++++++ > > init/init_task.c | 6 ++ > > init/main.c | 3 + > > kernel/Makefile | 1 + > > kernel/fork.c | 9 ++ > > kernel/sched/core.c | 2 + > > kernel/sched/sched.h | 1 + > > kernel/scs.c | 162 +++++++++++++++++++++++++++++++++ > > 12 files changed, 323 insertions(+) > > create mode 100644 include/linux/scs.h > > create mode 100644 kernel/scs.c > > > > diff --git a/Makefile b/Makefile > > index ffd7a912fc46..e401fa500f62 100644 > > --- a/Makefile > > +++ b/Makefile > > @@ -846,6 +846,12 @@ ifdef CONFIG_LIVEPATCH > > KBUILD_CFLAGS += $(call cc-option, -flive-patching=inline-clone) > > endif > > > > +ifdef CONFIG_SHADOW_CALL_STACK > > +KBUILD_CFLAGS += -fsanitize=shadow-call-stack > > +DISABLE_SCS := -fno-sanitize=shadow-call-stack > > +export DISABLE_SCS > > +endif > > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > so that this can be filtered out, e.g. > > ifdef CONFIG_SHADOW_CALL_STACK > CFLAGS_SCS := -fsanitize=shadow-call-stack ^^^ was this meant to be CC_FLAGS_SCS here > KBUILD_CFLAGS += $(CFLAGS_SCS) ^^^ and here? > export CC_FLAGS_SCS > endif > > ... with removal being: > > CFLAGS_REMOVE := $(CC_FLAGS_SCS) > > ... or: > > CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) > > That way you only need to define the flags once, so the enable and > disable falgs remain in sync by construction. > > [...]
On Tue, Oct 22, 2019 at 09:30:53AM -0700, Kees Cook wrote: > On Tue, Oct 22, 2019 at 05:28:27PM +0100, Mark Rutland wrote: > > On Fri, Oct 18, 2019 at 09:10:21AM -0700, Sami Tolvanen wrote: > > > +ifdef CONFIG_SHADOW_CALL_STACK > > > +KBUILD_CFLAGS += -fsanitize=shadow-call-stack > > > +DISABLE_SCS := -fno-sanitize=shadow-call-stack > > > +export DISABLE_SCS > > > +endif > > > > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > > so that this can be filtered out, e.g. > > > > ifdef CONFIG_SHADOW_CALL_STACK > > CFLAGS_SCS := -fsanitize=shadow-call-stack > ^^^ was this meant to be CC_FLAGS_SCS here > > > KBUILD_CFLAGS += $(CFLAGS_SCS) > ^^^ and here? Whoops; yes in both cases... > > export CC_FLAGS_SCS > > endif > > > > ... with removal being: > > > > CFLAGS_REMOVE := $(CC_FLAGS_SCS) > > > > ... or: > > > > CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) > > > > That way you only need to define the flags once, so the enable and > > disable falgs remain in sync by construction. ^^^^^ "flags" here, too. Mark.
On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > so that this can be filtered out, e.g. > > ifdef CONFIG_SHADOW_CALL_STACK > CFLAGS_SCS := -fsanitize=shadow-call-stack > KBUILD_CFLAGS += $(CFLAGS_SCS) > export CC_FLAGS_SCS > endif Sure, SGTM. > > +choice > > + prompt "Return-oriented programming (ROP) protection" > > + default ROP_PROTECTION_NONE > > + help > > + This option controls kernel protections against return-oriented > > + programming (ROP) attacks. > > Are we expecting more options here in future? Yes, I believe we'd be interested in seeing PAC support too once hardware is more readily available. > I think it would be better to make that depend on !SHADOW_CALL_STACK, as > it's plausible that we can add a different ROP protection mechanism that > is compatible with kretprobes. OK, I can change that and remove the choice. We can always add it back when other alternatives are added. > > +config SHADOW_CALL_STACK > > + bool "Clang Shadow Call Stack" > > + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK > > + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 > > Is there a reason for an explicit version check rather than a > CC_HAS_<feature> check? e.g. was this available but broken in prior > versions of clang? No, this feature was added in Clang 7. However, -fsanitize=shadow-call-stack might require architecture-specific flags, so a simple $(cc-option, -fsanitize=shadow-call-stack) in arch/Kconfig is not going to work. I could add something like this to arch/arm64/Kconfig though: select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK ... config CC_HAVE_SHADOW_CALL_STACK def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) And then drop CC_IS_CLANG and version check entirely. Thoughts? > > +#define SCS_GFP (GFP_KERNEL | __GFP_ZERO) > > Normally GFP_ is a prefix. For consistency, GFP_SCS would be preferable. Ack. 
> > +extern unsigned long init_shadow_call_stack[]; > > Do we need this exposed here? IIUC this is only assigned by assembly in > arch code. True, it's not needed. > [...] > > > +void scs_set_init_magic(struct task_struct *tsk) > > +{ > > + scs_save(tsk); > > + scs_set_magic(tsk); > > + scs_load(tsk); > > +} > > Can we initialize this at compile time instead? We can. I'll change this and drop the function. Sami
On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > so that this can be filtered out, e.g. > > ifdef CONFIG_SHADOW_CALL_STACK > CFLAGS_SCS := -fsanitize=shadow-call-stack > KBUILD_CFLAGS += $(CFLAGS_SCS) > export CC_FLAGS_SCS > endif > > ... with removal being: > > CFLAGS_REMOVE := $(CC_FLAGS_SCS) > > ... or: > > CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) > > That way you only need to define the flags once, so the enable and > disable falgs remain in sync by construction. CFLAGS_REMOVE appears to be only implemented for objects, which means there's no convenient way to filter out flags for everything in arch/arm64/kvm/hyp, for example. I could add a CFLAGS_REMOVE separately for each object file, or we could add something like ccflags-remove-y to complement ccflags-y, which should be relatively simple. Masahiro, do you have any suggestions? Sami
On Thu, Oct 24, 2019 at 1:59 AM Sami Tolvanen <samitolvanen@google.com> wrote: > > On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > > so that this can be filtered out, e.g. > > > > ifdef CONFIG_SHADOW_CALL_STACK > > CFLAGS_SCS := -fsanitize=shadow-call-stack > > KBUILD_CFLAGS += $(CFLAGS_SCS) > > export CC_FLAGS_SCS > > endif > > > > ... with removal being: > > > > CFLAGS_REMOVE := $(CC_FLAGS_SCS) > > > > ... or: > > > > CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) > > > > That way you only need to define the flags once, so the enable and > > disable falgs remain in sync by construction. > > CFLAGS_REMOVE appears to be only implemented for objects, which means > there's no convenient way to filter out flags for everything in > arch/arm64/kvm/hyp, for example. I could add a CFLAGS_REMOVE > separately for each object file, or we could add something like > ccflags-remove-y to complement ccflags-y, which should be relatively > simple. Masahiro, do you have any suggestions? I am fine with 'ccflags-remove-y'. Thanks.
On Wed, 23 Oct 2019 09:59:09 -0700 Sami Tolvanen <samitolvanen@google.com> wrote: > On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > > I think it would be preferable to follow the example of CC_FLAGS_FTRACE > > so that this can be filtered out, e.g. > > > > ifdef CONFIG_SHADOW_CALL_STACK > > CFLAGS_SCS := -fsanitize=shadow-call-stack > > KBUILD_CFLAGS += $(CFLAGS_SCS) > > export CC_FLAGS_SCS > > endif > > > > ... with removal being: > > > > CFLAGS_REMOVE := $(CC_FLAGS_SCS) > > > > ... or: > > > > CFLAGS_REMOVE_obj.o := $(CC_FLAGS_SCS) > > > > That way you only need to define the flags once, so the enable and > > disable falgs remain in sync by construction. > > CFLAGS_REMOVE appears to be only implemented for objects, which means > there's no convenient way to filter out flags for everything in > arch/arm64/kvm/hyp, for example. I could add a CFLAGS_REMOVE > separately for each object file, or we could add something like > ccflags-remove-y to complement ccflags-y, which should be relatively > simple. Masahiro, do you have any suggestions? > You can remove a CFLAGS for a whole directory. lib, kernel/trace and others do this. Look at kernel/trace/Makefile, we have: ORIG_CFLAGS := $(KBUILD_CFLAGS) KBUILD_CFLAGS = $(subst $(CC_FLAGS_FTRACE),,$(ORIG_CFLAGS)) Where it removes CC_FLAGS_FTRACE from CFLAGS for all objects in the directory. -- Steve
On Tue, Oct 22, 2019 at 12:26:02PM -0700, Sami Tolvanen wrote: > On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > > > +config SHADOW_CALL_STACK > > > + bool "Clang Shadow Call Stack" > > > + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK > > > + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 > > > > Is there a reason for an explicit version check rather than a > > CC_HAS_<feature> check? e.g. was this available but broken in prior > > versions of clang? > > No, this feature was added in Clang 7. However, > -fsanitize=shadow-call-stack might require architecture-specific > flags, so a simple $(cc-option, -fsanitize=shadow-call-stack) in > arch/Kconfig is not going to work. I could add something like this to > arch/arm64/Kconfig though: > > select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK > ... > config CC_HAVE_SHADOW_CALL_STACK > def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) > > And then drop CC_IS_CLANG and version check entirely. Thoughts? That sounds good to me, yes! Thanks, Mark.
On Thu, Oct 24, 2019 at 10:28 PM Mark Rutland <mark.rutland@arm.com> wrote: > > On Tue, Oct 22, 2019 at 12:26:02PM -0700, Sami Tolvanen wrote: > > On Tue, Oct 22, 2019 at 9:28 AM Mark Rutland <mark.rutland@arm.com> wrote: > > > > > +config SHADOW_CALL_STACK > > > > + bool "Clang Shadow Call Stack" > > > > + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK > > > > + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 > > > > > > Is there a reason for an explicit version check rather than a > > > CC_HAS_<feature> check? e.g. was this available but broken in prior > > > versions of clang? > > > > No, this feature was added in Clang 7. However, > > -fsanitize=shadow-call-stack might require architecture-specific > > flags, so a simple $(cc-option, -fsanitize=shadow-call-stack) in > > arch/Kconfig is not going to work. I could add something like this to > > arch/arm64/Kconfig though: > > > > select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK > > ... > > config CC_HAVE_SHADOW_CALL_STACK > > def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) > > > > And then drop CC_IS_CLANG and version check entirely. Thoughts? > > That sounds good to me, yes! > > Thanks, > Mark. If you use cc-option, please add a comment like # supported by Clang 7 or later. I do not know the minimal supported clang version. When we bump the minimal version to clang 7, we can drop the cc-option test entirely. -- Best Regards Masahiro Yamada
On Thu, Oct 24, 2019 at 5:04 AM Steven Rostedt <rostedt@goodmis.org> wrote: > You can remove a CFLAGS for a whole directory. lib, kernel/trace and > others do this. Look at kernel/trace/Makefile, we have: > > ORIG_CFLAGS := $(KBUILD_CFLAGS) > KBUILD_CFLAGS = $(subst $(CC_FLAGS_FTRACE),,$(ORIG_CFLAGS)) That definitely looks less invasive in this case than adding ccflags-remove-y, since we only really need this for one directory. I'll use this in v2. Thanks, Steven. Sami
diff --git a/Makefile b/Makefile index ffd7a912fc46..e401fa500f62 100644 --- a/Makefile +++ b/Makefile @@ -846,6 +846,12 @@ ifdef CONFIG_LIVEPATCH KBUILD_CFLAGS += $(call cc-option, -flive-patching=inline-clone) endif +ifdef CONFIG_SHADOW_CALL_STACK +KBUILD_CFLAGS += -fsanitize=shadow-call-stack +DISABLE_SCS := -fno-sanitize=shadow-call-stack +export DISABLE_SCS +endif + # arch Makefile may override CC so keep this after arch Makefile is included NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include) diff --git a/arch/Kconfig b/arch/Kconfig index 5f8a5d84dbbe..a222adda8130 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -521,6 +521,45 @@ config STACKPROTECTOR_STRONG about 20% of all kernel functions, which increases the kernel code size by about 2%. +config ARCH_SUPPORTS_SHADOW_CALL_STACK + bool + help + An architecture should select this if it supports Clang's Shadow + Call Stack, has asm/scs.h, and implements runtime support for shadow + stack switching. + +config SHADOW_CALL_STACK_VMAP + def_bool n + depends on SHADOW_CALL_STACK + help + Use virtually mapped shadow call stacks. Selecting this option + provides better stack exhaustion protection, but increases per-thread + memory consumption as a full page is allocated for each shadow stack. + +choice + prompt "Return-oriented programming (ROP) protection" + default ROP_PROTECTION_NONE + help + This option controls kernel protections against return-oriented + programming (ROP) attacks. + +config ROP_PROTECTION_NONE + bool "None" + +config SHADOW_CALL_STACK + bool "Clang Shadow Call Stack" + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK + depends on CC_IS_CLANG && CLANG_VERSION >= 70000 + help + This option enables Clang's Shadow Call Stack, which uses a shadow + stack to protect function return addresses from being overwritten by + an attacker. 
More information can be found from Clang's + documentation: + + https://clang.llvm.org/docs/ShadowCallStack.html + +endchoice + config HAVE_ARCH_WITHIN_STACK_FRAMES bool help diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h index 333a6695a918..9af08391f205 100644 --- a/include/linux/compiler-clang.h +++ b/include/linux/compiler-clang.h @@ -42,3 +42,5 @@ * compilers, like ICC. */ #define barrier() __asm__ __volatile__("" : : : "memory") + +#define __noscs __attribute__((no_sanitize("shadow-call-stack"))) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 72393a8c1a6c..be5d5be4b1ae 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -202,6 +202,10 @@ struct ftrace_likely_data { # define randomized_struct_fields_end #endif +#ifndef __noscs +# define __noscs +#endif + #ifndef asm_volatile_goto #define asm_volatile_goto(x...) asm goto(x) #endif diff --git a/include/linux/scs.h b/include/linux/scs.h new file mode 100644 index 000000000000..dfbd80faa528 --- /dev/null +++ b/include/linux/scs.h @@ -0,0 +1,88 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Shadow Call Stack support. 
+ * + * Copyright (C) 2018 Google LLC + */ + +#ifndef _LINUX_SCS_H +#define _LINUX_SCS_H + +#include <linux/gfp.h> +#include <linux/sched.h> +#include <asm/page.h> + +#ifdef CONFIG_SHADOW_CALL_STACK + +#ifdef CONFIG_SHADOW_CALL_STACK_VMAP +# define SCS_SIZE PAGE_SIZE +#else +# define SCS_SIZE 1024 +#endif + +#define SCS_GFP (GFP_KERNEL | __GFP_ZERO) + +extern unsigned long init_shadow_call_stack[]; + +static inline void *task_scs(struct task_struct *tsk) +{ + return task_thread_info(tsk)->shadow_call_stack; +} + +static inline void task_set_scs(struct task_struct *tsk, void *s) +{ + task_thread_info(tsk)->shadow_call_stack = s; +} + +extern void scs_init(void); +extern void scs_set_init_magic(struct task_struct *tsk); +extern void scs_task_init(struct task_struct *tsk); +extern void scs_task_reset(struct task_struct *tsk); +extern int scs_prepare(struct task_struct *tsk, int node); +extern bool scs_corrupted(struct task_struct *tsk); +extern void scs_release(struct task_struct *tsk); + +#else /* CONFIG_SHADOW_CALL_STACK */ + +static inline void *task_scs(struct task_struct *tsk) +{ + return 0; +} + +static inline void task_set_scs(struct task_struct *tsk, void *s) +{ +} + +static inline void scs_init(void) +{ +} + +static inline void scs_set_init_magic(struct task_struct *tsk) +{ +} + +static inline void scs_task_init(struct task_struct *tsk) +{ +} + +static inline void scs_task_reset(struct task_struct *tsk) +{ +} + +static inline int scs_prepare(struct task_struct *tsk, int node) +{ + return 0; +} + +static inline bool scs_corrupted(struct task_struct *tsk) +{ + return false; +} + +static inline void scs_release(struct task_struct *tsk) +{ +} + +#endif /* CONFIG_SHADOW_CALL_STACK */ + +#endif /* _LINUX_SCS_H */ diff --git a/init/init_task.c b/init/init_task.c index 9e5cbe5eab7b..5e55ff45bbbf 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -11,6 +11,7 @@ #include <linux/mm.h> #include <linux/audit.h> #include <linux/numa.h> +#include <linux/scs.h> #include 
<asm/pgtable.h> #include <linux/uaccess.h> @@ -184,6 +185,11 @@ struct task_struct init_task }; EXPORT_SYMBOL(init_task); +#ifdef CONFIG_SHADOW_CALL_STACK +unsigned long init_shadow_call_stack[SCS_SIZE / sizeof(long)] + __init_task_data __aligned(SCS_SIZE); +#endif + /* * Initial thread structure. Alignment of this is handled by a special * linker map entry. diff --git a/init/main.c b/init/main.c index 91f6ebb30ef0..fb8bcdd729b9 100644 --- a/init/main.c +++ b/init/main.c @@ -93,6 +93,7 @@ #include <linux/rodata_test.h> #include <linux/jump_label.h> #include <linux/mem_encrypt.h> +#include <linux/scs.h> #include <asm/io.h> #include <asm/bugs.h> @@ -578,6 +579,8 @@ asmlinkage __visible void __init start_kernel(void) char *after_dashes; set_task_stack_end_magic(&init_task); + scs_set_init_magic(&init_task); + smp_setup_processor_id(); debug_objects_early_init(); diff --git a/kernel/Makefile b/kernel/Makefile index daad787fb795..313dbd44d576 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -102,6 +102,7 @@ obj-$(CONFIG_TRACEPOINTS) += trace/ obj-$(CONFIG_IRQ_WORK) += irq_work.o obj-$(CONFIG_CPU_PM) += cpu_pm.o obj-$(CONFIG_BPF) += bpf/ +obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o obj-$(CONFIG_PERF_EVENTS) += events/ diff --git a/kernel/fork.c b/kernel/fork.c index bcdf53125210..ae7ebe9f0586 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -94,6 +94,7 @@ #include <linux/livepatch.h> #include <linux/thread_info.h> #include <linux/stackleak.h> +#include <linux/scs.h> #include <asm/pgtable.h> #include <asm/pgalloc.h> @@ -451,6 +452,8 @@ void put_task_stack(struct task_struct *tsk) void free_task(struct task_struct *tsk) { + scs_release(tsk); + #ifndef CONFIG_THREAD_INFO_IN_TASK /* * The task is finally done with both the stack and thread_info, @@ -834,6 +837,8 @@ void __init fork_init(void) NULL, free_vm_stack_cache); #endif + scs_init(); + lockdep_init_task(&init_task); uprobes_init(); } @@ -907,6 +912,7 @@ static struct task_struct *dup_task_struct(struct task_struct 
*orig, int node) clear_user_return_notifier(tsk); clear_tsk_need_resched(tsk); set_task_stack_end_magic(tsk); + scs_task_init(tsk); #ifdef CONFIG_STACKPROTECTOR tsk->stack_canary = get_random_canary(); @@ -2022,6 +2028,9 @@ static __latent_entropy struct task_struct *copy_process( args->tls); if (retval) goto bad_fork_cleanup_io; + retval = scs_prepare(p, node); + if (retval) + goto bad_fork_cleanup_thread; stackleak_task_init(p); diff --git a/kernel/sched/core.c b/kernel/sched/core.c index dd05a378631a..e7faeb383008 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -6013,6 +6013,8 @@ void init_idle(struct task_struct *idle, int cpu) raw_spin_lock_irqsave(&idle->pi_lock, flags); raw_spin_lock(&rq->lock); + scs_task_reset(idle); + __sched_fork(0, idle); idle->state = TASK_RUNNING; idle->se.exec_start = sched_clock(); diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 0db2c1b3361e..c153003a011c 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -58,6 +58,7 @@ #include <linux/profile.h> #include <linux/psi.h> #include <linux/rcupdate_wait.h> +#include <linux/scs.h> #include <linux/security.h> #include <linux/stop_machine.h> #include <linux/suspend.h> diff --git a/kernel/scs.c b/kernel/scs.c new file mode 100644 index 000000000000..47324e8d313b --- /dev/null +++ b/kernel/scs.c @@ -0,0 +1,162 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Shadow Call Stack support. 
+ * + * Copyright (C) 2019 Google LLC + */ + +#include <linux/cpuhotplug.h> +#include <linux/mm.h> +#include <linux/slab.h> +#include <linux/scs.h> +#include <linux/vmalloc.h> +#include <asm/scs.h> + +#define SCS_END_MAGIC 0xaf0194819b1635f6UL + +static inline void *__scs_base(struct task_struct *tsk) +{ + return (void *)((uintptr_t)task_scs(tsk) & ~(SCS_SIZE - 1)); +} + +#ifdef CONFIG_SHADOW_CALL_STACK_VMAP + +/* Keep a cache of shadow stacks */ +#define SCS_CACHE_SIZE 2 +static DEFINE_PER_CPU(void *, scs_cache[SCS_CACHE_SIZE]); + +static void *scs_alloc(int node) +{ + int i; + + for (i = 0; i < SCS_CACHE_SIZE; i++) { + void *s; + + s = this_cpu_xchg(scs_cache[i], NULL); + if (s) { + memset(s, 0, SCS_SIZE); + return s; + } + } + + return __vmalloc_node_range(SCS_SIZE, SCS_SIZE, + VMALLOC_START, VMALLOC_END, + SCS_GFP, PAGE_KERNEL, 0, + node, __builtin_return_address(0)); +} + +static void scs_free(void *s) +{ + int i; + + for (i = 0; i < SCS_CACHE_SIZE; i++) { + if (this_cpu_cmpxchg(scs_cache[i], 0, s) != 0) + continue; + + return; + } + + vfree_atomic(s); +} + +static int scs_cleanup(unsigned int cpu) +{ + int i; + void **cache = per_cpu_ptr(scs_cache, cpu); + + for (i = 0; i < SCS_CACHE_SIZE; i++) { + vfree(cache[i]); + cache[i] = NULL; + } + + return 0; +} + +void __init scs_init(void) +{ + cpuhp_setup_state(CPUHP_BP_PREPARE_DYN, "scs:scs_cache", NULL, + scs_cleanup); +} + +#else /* !CONFIG_SHADOW_CALL_STACK_VMAP */ + +static struct kmem_cache *scs_cache; + +static inline void *scs_alloc(int node) +{ + return kmem_cache_alloc_node(scs_cache, SCS_GFP, node); +} + +static inline void scs_free(void *s) +{ + kmem_cache_free(scs_cache, s); +} + +void __init scs_init(void) +{ + scs_cache = kmem_cache_create("scs_cache", SCS_SIZE, SCS_SIZE, + 0, NULL); + WARN_ON(!scs_cache); +} + +#endif /* CONFIG_SHADOW_CALL_STACK_VMAP */ + +static inline unsigned long *scs_magic(struct task_struct *tsk) +{ + return (unsigned long *)(__scs_base(tsk) + SCS_SIZE - sizeof(long)); +} + 
+static inline void scs_set_magic(struct task_struct *tsk) +{ + *scs_magic(tsk) = SCS_END_MAGIC; +} + +void scs_task_init(struct task_struct *tsk) +{ + task_set_scs(tsk, NULL); +} + +void scs_task_reset(struct task_struct *tsk) +{ + task_set_scs(tsk, __scs_base(tsk)); +} + +void scs_set_init_magic(struct task_struct *tsk) +{ + scs_save(tsk); + scs_set_magic(tsk); + scs_load(tsk); +} + +int scs_prepare(struct task_struct *tsk, int node) +{ + void *s; + + s = scs_alloc(node); + if (!s) + return -ENOMEM; + + task_set_scs(tsk, s); + scs_set_magic(tsk); + + return 0; +} + +bool scs_corrupted(struct task_struct *tsk) +{ + return *scs_magic(tsk) != SCS_END_MAGIC; +} + +void scs_release(struct task_struct *tsk) +{ + void *s; + + s = __scs_base(tsk); + if (!s) + return; + + WARN_ON(scs_corrupted(tsk)); + + scs_task_init(tsk); + scs_free(s); +}
This change adds generic support for Clang's Shadow Call Stack, which uses a shadow stack to protect return addresses from being overwritten by an attacker. Details are available here: https://clang.llvm.org/docs/ShadowCallStack.html Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- Makefile | 6 ++ arch/Kconfig | 39 ++++++++ include/linux/compiler-clang.h | 2 + include/linux/compiler_types.h | 4 + include/linux/scs.h | 88 ++++++++++++++++++ init/init_task.c | 6 ++ init/main.c | 3 + kernel/Makefile | 1 + kernel/fork.c | 9 ++ kernel/sched/core.c | 2 + kernel/sched/sched.h | 1 + kernel/scs.c | 162 +++++++++++++++++++++++++++++++++ 12 files changed, 323 insertions(+) create mode 100644 include/linux/scs.h create mode 100644 kernel/scs.c