x86: fix stackprotector canary updates during context switches

fix a bug noticed and fixed by pageexec@freemail.hu.

if built with -fstack-protector-all then we'll have canary checks built
into the __switch_to() function. That does not work well with the
canary-switching code there: while we already use the %rsp of the
new task, we still call __switch_to() whith the previous task's canary
value in the PDA, hence the __switch_to() ssp prologue instructions
will store the previous canary. Then we update the PDA and upon return
from __switch_to() the canary check triggers and we panic.

so update the canary after we have called __switch_to(), where we are
at the same stackframe level as the last stackframe of the next
(and now freshly current) task.

Note: this means that we call __switch_to() [and its sub-functions]
still with the old canary, but that is not a problem, both the previous
and the next task has a high-quality canary. The only (mostly academic)
disadvantage is that the canary of one task may leak onto the stack of
another task, increasing the risk of information leaks, were an attacker
able to read the stack of specific tasks (but not that of others).

To solve this we'll have to reorganize the way we switch tasks, and move
the PDA setting into the switch_to() assembly code. That will happen in
another patch.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index e2319f39988b042f364a73174a0d2ac254a5b60d..d8640388039e4ff280ab00d6092b22a3b587e2f5 100644 (file)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -640,7 +640,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
        write_pda(kernelstack,
        (unsigned long)task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
 #ifdef CONFIG_CC_STACKPROTECTOR
-       write_pda(stack_canary, next_p->stack_canary);
        /*
         * Build time only check to make sure the stack_canary is at
         * offset 40 in the pda; this is a gcc ABI requirement

diff --git a/include/asm-x86/pda.h b/include/asm-x86/pda.h
index 101fb9e11954e8bd45c21a4524c5c8c8f9019132..62b734986a44a03ed3958b2d272d2124bec968e7 100644 (file)
--- a/include/asm-x86/pda.h
+++ b/include/asm-x86/pda.h
@@ -16,11 +16,9 @@ struct x8664_pda {
        unsigned long oldrsp;           /* 24 user rsp for system call */
        int irqcount;                   /* 32 Irq nesting counter. Starts -1 */
        unsigned int cpunumber;         /* 36 Logical CPU number */
-#ifdef CONFIG_CC_STACKPROTECTOR
        unsigned long stack_canary;     /* 40 stack canary value */
                                        /* gcc-ABI: this canary MUST be at
                                           offset 40!!! */
-#endif
        char *irqstackptr;
        unsigned int __softirq_pending;
        unsigned int __nmi_count;       /* number of NMI on this CPUs */

diff --git a/include/asm-x86/system.h b/include/asm-x86/system.h
index a2f04cd79b29617e4677a0a1a1c23f4f1d434b23..172f54185093e9d02ae8101f47f4d1d26092a5f7 100644 (file)
--- a/include/asm-x86/system.h
+++ b/include/asm-x86/system.h
@@ -92,6 +92,8 @@ do {                                                                  \
             ".globl thread_return\n"                                     \
             "thread_return:\n\t"                                         \
             "movq %%gs:%P[pda_pcurrent],%%rsi\n\t"                       \
+            "movq %P[task_canary](%%rsi),%%r8\n\t"                       \
+            "movq %%r8,%%gs:%P[pda_canary]\n\t"                          \
             "movq %P[thread_info](%%rsi),%%r8\n\t"                       \
             LOCK_PREFIX "btr  %[tif_fork],%P[ti_flags](%%r8)\n\t"        \
             "movq %%rax,%%rdi\n\t"                                       \
@@ -103,7 +105,9 @@ do {                                                                        \
               [ti_flags] "i" (offsetof(struct thread_info, flags)),      \
               [tif_fork] "i" (TIF_FORK),                                 \
               [thread_info] "i" (offsetof(struct task_struct, stack)),   \
-              [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent))  \
+              [task_canary] "i" (offsetof(struct task_struct, stack_canary)),\
+              [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)), \
+              [pda_canary] "i" (offsetof(struct x8664_pda, stack_canary))\
             : "memory", "cc" __EXTRA_CLOBBER)
 #endif
 

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 5395a6176f4be13911a57d7174de0274947edb94..d6a515158783e721392872c6598313b64b5c9f8c 100644 (file)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1096,10 +1096,9 @@ struct task_struct {
        pid_t pid;
        pid_t tgid;
 
-#ifdef CONFIG_CC_STACKPROTECTOR
        /* Canary value for the -fstack-protector gcc feature */
        unsigned long stack_canary;
-#endif
+
        /* 
         * pointers to (original) parent process, youngest child, younger sibling,
         * older sibling, respectively.  (p->father can be replaced with