Mailing list: gcc-help@gcc.gnu.org
From: "Mark Brand via gcc"
Reply-To: Mark Brand
Date: Fri, 31 May 2019 15:44:00 -0000
Subject: Re: unrecognizable insn generated in plugin?
To: Tycho Andersen
Cc: Andrew Pinski, GCC Mailing List, Kernel Hardening

On Thu, May 30, 2019 at 9:26 PM Tycho Andersen wrote:
>
> Hi Andrew,
>
> On Thu, May 30, 2019 at 10:09:44AM -0700, Andrew Pinski wrote:
> > On Thu, May 30, 2019 at 10:01 AM Tycho Andersen wrote:
> > >
> > > Hi all,
> > >
> > > I've been trying to implement an idea Andy suggested recently for
> > > preventing some kinds of ROP attacks. The discussion of the idea is
> > > here:
> > > https://lore.kernel.org/linux-mm/DFA69954-3F0F-4B79-A9B5-893D33D87E51@amacapital.net/
> > >

Hi Tycho,

I realise this is maybe not relevant to the topic of fixing the plugin; but I'm struggling to understand what this is intending to protect against. The idea seems to be to make sure that restored rbp, rsp values are "close" to the current rbp, rsp values?

The only scenario I can see this providing any benefit is if an attacker can only corrupt a saved stack/frame pointer, which seems like such an unlikely situation that it's not really worth adding any complexity to defend against.

An attacker who has control of rip can surely get a controlled value into rsp in various ways; a quick scan of the current Ubuntu 18.04 kernel image offers the following sequence (which shows up everywhere):

lea rsp, qword ptr [r10 - 8]
ret

I'd assume that it's not tremendously difficult for an attacker to chain to this without needing to previously pivot out the stack pointer, assuming that at the point at which they gain control of rip they have control over some state somewhere.

If you could explain the exact attack scenario that you have in mind then perhaps I could provide a better explanation of how one might bypass it.
Regards,
Mark