[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v7 1/3] xen: common: add ability to enable stack protector


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Mon, 24 Mar 2025 14:38:50 +0100
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1742823530; h=DKIM-Signature:MIME-Version:Date:From:To:Cc:Subject:In-Reply-To: References:Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=fg4AdSp/4w4ePwGukNfy4BDqKs2+tU4sYzE8mqw+324=; b=ZIj4/E8hQwFKQUXMqJ7GP7f9P0yjvm/DyBvKVHiWxPQ77E/xxletkbZ4SiEEdiIXpa8V TBNNQs/Z2awcSyVvtStRv3ghf8dtFPRIN4iJ1bLuGouONix1/wHFJUK5ZAEACIforBaMp MFJEiY9ZmZ4Nyn7OW/AYxYWjQpyYyWbLdio59SQ18J8om8Q2KPWTA12p1hNtQZ8BK30pd /BxitcXAZ6tWTD61PNWnaox5jpwCjp6+CVhA7pk178PL0bGO0zj5VZlR2cIoGLhWKtZml 9CPcGI6187xLFkhQhQHlwoIHWG+svfDzlkxUou83+rpGMIIB2bcDt9McuoP/KNgXkka5A XRcxChxaz7ImYbQ/rRvN5wjVvaefIpen3sPkZh3kk6EvMikHP4F2beUsiJQqSLdlZJJdR UkaeKJKRnX/y4WiNLKnjLM3vtK9xMZcEdQqiroImU4IyMXhAXTrJsLuFMX2AxQRMma1Cp cs/nc8TtgLkxZiLiwKXpG3lnzlxbMOescVuFLd2G96IUpMFZB/SaJcxEx7OQYPUkIIoXe IBWvv2szCMqszp7xdNHYSGsIADyPx0gqeolL6fMW4l/DpElTBia4c7T1GGo+EeDiUChuR VqvVeYThvuCeRWEV1CV7HmFfx57Ri8SDpkOQepHROSufKp1ZDMCysdBr2dBKYyI=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1742823530; b=J+8s0KGKMzoLwGIRx1bf4t/QuiWX01e5HRlHwIbAlJF6APGtgicpZiFq7ATE1zHi1EbJ Lgr41xkQ/LQ3MWT4Oc+uqX+aMOCXsXIqeGt19P5D1XOAqDzotekgz5vJ73q5Egvhk34Hg QclhVldc0QLS0Ml0XOTMnyAHtg7d3WkMl12uN/c4nwketYYlqrItQIHhb/MNqG49Wnz42 4r3h3Lalwt5QS4hdpuFmqp096RJHTaDYFoqCYhGprJMS+/VKVjB3a8bU35t1MVHcnrj5w Jnz9AvK1zePwEXuA28tu0098k7zXcMCiqAk+izpLrJgtWbyrZ+P4tgWyzT6Bz6zPclQGb OxwOvV+I4MZGzCiY87gZLTe4UF7DBPFZGM+A/rkjuTbzHqzgVFUUHrlzTbNinK1cTzhpn 3Ca7rruYoDeSJaCXRfRJFbPB4ybqyWjpw5cWxhlDXcBVFUf4C+GN+nHZUWdI5GBxjcmKF 7vp1AvPVmpS0LAOK/B5g0rYG5dUuUNXfFosdM92Jp63N8ajHzCwbNcbN5vWk6ar6au/ci NgrKgRYB/l7sfJfzJpMMtVGF9To4SYetDLdSiog5/ZrXo1fu9XGXlnMaa5v+C3hDAB25A zTvYR3DYSkUZ73qZtcoVxBeByT5tI1662U9AdGlEemWoJxKPS1heWRMksfN50UE=
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 24 Mar 2025 13:38:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-03-24 13:50, Jan Beulich wrote:
On 18.03.2025 03:34, Volodymyr Babchuk wrote:
Both GCC and Clang support -fstack-protector feature, which add stack
canaries to functions where stack corruption is possible. This patch
makes general preparations to enable this feature on different
supported architectures:

 - Added CONFIG_HAS_STACK_PROTECTOR option so each architecture
   can enable this feature individually
 - Added user-selectable CONFIG_STACK_PROTECTOR option
 - Implemented code that sets up random stack canary and a basic
   handler for stack protector failures

Stack guard value is initialized in two phases:

1. Pre-defined randomly-selected value.

2. Own implementation linear congruent random number generator. It
relies on get_cycles() being available very early. If get_cycles()
returns zero, it would leave pre-defined value from the previous
step.

[...]

+void asmlinkage __stack_chk_fail(void)

The use of asmlinkage here comes close to an abuse: The Misra deviation is about C code called from assembly code only. This isn't the case here; instead it's a function that the compiler generates calls to without source code
explicitly saying so.

This imo wants approving from the Misra side as well, and even if approved
likely requires a justifying code comment.


Here my suggestion would be an explicit deviation via a code comment, as described in [1], to describe the motivation of introducing such definition without a declaration. Moreover, asmlinkage is only relevant for the missing declaration, but is not effective for other rules. It is probably appropriate to mark the function "noreturn" as well, given its purpose.

[1] https://gitlab.com/xen-project/xen/-/blob/staging/docs/misra/documenting-violations.rst

--- /dev/null
+++ b/xen/include/xen/stack-protector.h
@@ -0,0 +1,39 @@
+#ifndef __XEN_STACK_PROTECTOR_H__
+#define __XEN_STACK_PROTECTOR_H__
+
+extern unsigned long __stack_chk_guard;
+
+/*
+ * This function should be called from a C function that escapes stack
+ * canary tracking (by calling reset_stack_and_jump() for example).
+ */
+static always_inline void boot_stack_chk_guard_setup(void)
+{
+#ifdef CONFIG_STACK_PROTECTOR
+
+       /*

Nit: Hard tab slipped in.

Jan

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.