From patchwork Tue Jan 16 07:57:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thomas Huth X-Patchwork-Id: 1886976 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=XEZIZuPu; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TDhGh6Zxsz1ydd for ; Tue, 16 Jan 2024 18:58:52 +1100 (AEDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rPeKY-0002je-6G; Tue, 16 Jan 2024 02:57:54 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKW-0002j7-98 for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:52 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKU-00082j-Op for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:52 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705391869; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PY/0I2XojmiWkV1BF7mBoOC0UvyzVy2C3rOBFwJebGM=; b=XEZIZuPumtrMaorc3dm4fsmBBxYQz2tSrGFhMij5bbxdIzDGD0HvxMY99IBV3dx3WuVMEW B5cG70y7oQpOdtxKgwggVopD9+lzA7u49/zZpMZpEV2WwkaM6PjD8ii5UUSCusQ5NPBXOZ dYBPjINJk2SFRE2grPxoABoRDc2vvZY= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-314-WE3oCqwwMKyhhH93M-IRLQ-1; Tue, 16 Jan 2024 02:57:47 -0500 X-MC-Unique: WE3oCqwwMKyhhH93M-IRLQ-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 716B129ABA2C; Tue, 16 Jan 2024 07:57:47 +0000 (UTC) Received: from thuth-p1g4.redhat.com (unknown [10.39.192.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id 941F83C25; Tue, 16 Jan 2024 07:57:46 +0000 (UTC) From: Thomas Huth To: qemu-devel@nongnu.org Cc: Peter Maydell , =?utf-8?q?Daniel_P=2E_Berrang?= =?utf-8?q?=C3=A9?= Subject: [PULL 1/5] tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutes Date: Tue, 16 Jan 2024 08:57:40 +0100 Message-ID: <20240116075744.219169-2-thuth@redhat.com> In-Reply-To: <20240116075744.219169-1-thuth@redhat.com> References: <20240116075744.219169-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1 Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -35 X-Spam_score: -3.6 X-Spam_bar: --- X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.531, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org When running with TCI, the boot-serial-test can take longer than 3 minutes: https://gitlab.com/qemu-project/qemu/-/jobs/5890481086#L4774 Bump the timeout to 4 minutes to avoid CI failures here. Message-ID: <20240115071146.31213-1-thuth@redhat.com> Reviewed-by: "Daniel P. Berrangé" Signed-off-by: Thomas Huth --- tests/qtest/meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index fd40136fa9..78c298ce97 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -8,7 +8,7 @@ slow_qtests = { 'test-hmp' : 240, 'pxe-test': 600, 'prom-env-test': 360, - 'boot-serial-test': 180, + 'boot-serial-test': 240, 'qos-test': 120, } From patchwork Tue Jan 16 07:57:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thomas Huth X-Patchwork-Id: 1886973 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NBaRARPQ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TDhGc218bz1ydd for ; Tue, 16 Jan 2024 18:58:48 +1100 (AEDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rPeKe-0002kp-Oq; Tue, 16 Jan 2024 02:58:00 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKb-0002kA-Gj for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:57 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKa-00084F-1s for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705391875; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CiZ5aeBqPeEt/6oA7OW7+AA8UU18obZBCrF4z7ZuLiM=; b=NBaRARPQeZNbThNx1770Sx7eDIrCugZkX7gnNn6LD6ShdK7g/Kuar0t2udYNBIvSlluvYS 7e/sGIl4wgGizmbQRfPcZoQEq3Y8dZLClYGvd2ds5UgP03HjOo9nfJcHjTozakC1cCbVz0 H+0xjPF2AeL4RI43CCEMOAJhHPj7Ofs= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-609-I5eTH9duPqKwqyU9y2BNTA-1; Tue, 16 Jan 2024 02:57:51 -0500 X-MC-Unique: I5eTH9duPqKwqyU9y2BNTA-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C3BFC3814E9F; Tue, 16 Jan 2024 07:57:50 +0000 (UTC) Received: from thuth-p1g4.redhat.com (unknown [10.39.192.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id 80AC63C25; Tue, 16 Jan 2024 07:57:49 +0000 (UTC) From: Thomas Huth To: qemu-devel@nongnu.org Cc: Peter Maydell , =?utf-8?q?Daniel_P=2E_Berrang?= =?utf-8?q?=C3=A9?= Subject: [PULL 3/5] qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutes Date: Tue, 16 Jan 2024 08:57:42 +0100 Message-ID: <20240116075744.219169-4-thuth@redhat.com> In-Reply-To: <20240116075744.219169-1-thuth@redhat.com> References: <20240116075744.219169-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1 Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -35 X-Spam_score: -3.6 X-Spam_bar: --- X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.531, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org The npcm7xx_watchdog_timer-test can take more than 60 seconds in SPEED=slow mode on a loaded host system. Bumping to 2 minutes will give more headroom. Message-ID: <20240112164717.1063954-1-thuth@redhat.com> Reviewed-by: "Daniel P. Berrangé" Signed-off-by: Thomas Huth --- tests/qtest/meson.build | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 78c298ce97..4293f3b133 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -4,6 +4,7 @@ slow_qtests = { 'device-introspect-test' : 720, 'migration-test' : 480, 'npcm7xx_pwm-test': 300, + 'npcm7xx_watchdog_timer-test': 120, 'qom-test' : 900, 'test-hmp' : 240, 'pxe-test': 600, From patchwork Tue Jan 16 07:57:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thomas Huth X-Patchwork-Id: 1886975 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=WJ/85eyB; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TDhGc4yD8z23ds for ; Tue, 16 Jan 2024 18:58:48 +1100 (AEDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rPeKh-0002l3-4E; Tue, 16 Jan 2024 02:58:03 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKb-0002k9-ES for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:57 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKZ-00083Q-5e for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:57:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705391874; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rK4G/hDLCBvwA7yABQhY936O72tPfB4fcdr3DYb+3as=; b=WJ/85eyBrRBcIiQNr7MI/5Owo4MfLD51hbe/86Gt1KKcS6WbneyB4yr6OXk2FfcA11ofER seaEsjO1JQ+NQNQ8hmItGe/mjSyiwCjPO+pGm0ENgiARFqx2+M5WoW05vbEjJa5E6IgIzf cJLlhuSm/9Wd/FHDVYXkj4H1nZOdDNI= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-133-wtBdEYpRPGu5yqUlHb3jTg-1; Tue, 16 Jan 2024 02:57:52 -0500 X-MC-Unique: wtBdEYpRPGu5yqUlHb3jTg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 382E3863010; Tue, 16 Jan 2024 07:57:52 +0000 (UTC) Received: from thuth-p1g4.redhat.com (unknown [10.39.192.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2EBEC3C25; Tue, 16 Jan 2024 07:57:51 +0000 (UTC) From: Thomas Huth To: qemu-devel@nongnu.org Cc: Peter Maydell , =?utf-8?q?Daniel_P=2E_Berrang?= =?utf-8?q?=C3=A9?= Subject: [PULL 4/5] meson: mitigate against ROP exploits with -fzero-call-used-regs Date: Tue, 16 Jan 2024 08:57:43 +0100 Message-ID: <20240116075744.219169-5-thuth@redhat.com> In-Reply-To: <20240116075744.219169-1-thuth@redhat.com> References: <20240116075744.219169-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1 Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.531, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_SBL_A=0.1 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Daniel P. Berrangé To quote wikipedia: "Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing. In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine's memory, called "gadgets". Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks." QEMU is by no means perfect with an ever growing set of CVEs from flawed hardware device emulation, which could potentially be exploited using ROP techniques. Since GCC 11 there has been a compiler option that can mitigate against this exploit technique: -fzero-call-user-regs To understand it refer to these two resources: https://www.jerkeby.se/newsletter/posts/rop-reduction-zero-call-user-regs/ https://gcc.gnu.org/pipermail/gcc-patches/2020-August/552262.html I used two programs to scan qemu-system-x86_64 for ROP gadgets: https://github.com/0vercl0k/rp https://github.com/JonathanSalwan/ROPgadget When asked to find 8 byte gadgets, the 'rp' tool reports: A total of 440278 gadgets found. You decided to keep only the unique ones, 156143 unique gadgets found. While the ROPgadget tool reports: Unique gadgets found: 353122 With the --ropchain argument, the latter attempts to use the found gadgets to product a chain that can execute arbitrary syscalls. With current QEMU it succeeds in this task, which is an undesirable situation. With QEMU modified to use -fzero-call-user-regs=used-gpr the 'rp' tool reports A total of 528991 gadgets found. You decided to keep only the unique ones, 121128 unique gadgets found. This is 22% fewer unique gadgets While the ROPgadget tool reports: Unique gadgets found: 328605 This is 7% fewer unique gadgets. Crucially though, despite this more modest reduction, the ROPgadget tool is no longer able to identify a chain of gadgets for executing arbitrary syscalls. It fails at the very first step, unable to find gadgets for populating registers for a future syscall. Having said that, more advanced tools do still manage to put together a viable ROP chain. Also this only takes into account QEMU code. QEMU links to many 3rd party shared libraries and ideally all of them would be compiled with this same hardening. That becomes a distro policy question though. In terms of performance impact, TCG was used as an evaluation test case. We're not interested in protecting TCG since it isn't designed to provide a security barrier, but it is performance sensitive code, so useful as a guide to how other areas of QEMU might be impacted. With the -fzero-call-user-regs=used-gpr argument present, using the real world test of booting a linux kernel and having init immediately poweroff, there is a ~1% slow down in performance under TCG. The QEMU binary size also grows by approximately 1%. By comparison, using the more aggressive -fzero-call-user-regs=all, results in a slowdown of over 25% in TCG, which is clearly not an acceptable impact, and a binary size increase of 5%. Considering that 'used-gpr' successfully stopped ROPgadget assembling a chain, this more targeted protection is a justifiable hardening / performance tradeoff. Reviewed-by: Thomas Huth Signed-off-by: "Daniel P. Berrangé" Message-ID: <20240103123414.2401208-2-berrange@redhat.com> Signed-off-by: Thomas Huth --- meson.build | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/meson.build b/meson.build index 38deb9363c..1bda391de6 100644 --- a/meson.build +++ b/meson.build @@ -552,6 +552,17 @@ if get_option('cfi') add_global_link_arguments(cfi_flags, native: false, language: all_languages) endif +# Check further flags that make QEMU more robust against malicious parties + +hardening_flags = [ + # Zero out registers used during a function call + # upon its return. This makes it harder to assemble + # ROP gadgets into something usable + '-fzero-call-used-regs=used-gpr', +] + +qemu_common_flags += cc.get_supported_arguments(hardening_flags) + add_global_arguments(qemu_common_flags, native: false, language: all_languages) add_global_link_arguments(qemu_ldflags, native: false, language: all_languages) From patchwork Tue Jan 16 07:57:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thomas Huth X-Patchwork-Id: 1886977 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=R6WB7OmT; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TDhGt5WZvz1ydd for ; Tue, 16 Jan 2024 18:59:02 +1100 (AEDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rPeKl-0002m9-05; Tue, 16 Jan 2024 02:58:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKj-0002lp-GL for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:58:05 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPeKh-00085r-Ib for qemu-devel@nongnu.org; Tue, 16 Jan 2024 02:58:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705391882; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YDiShQtiRmeC1rYzS1HKd/EJLQjy5jMcLyfiyzMwQDE=; b=R6WB7OmT1gTVyuk8zYan3qjXmsckzT3pYrc4T1ziNS/BLfQFYCCaYOB6KuY03iWxeI50Pp V2G1oVrkdOZ9p5cZLCOoxf79Zz0eYL/VgqRaRTRC/ry3cWQYRpn9vJEc1HZEFhHUhX9fDz WbBJDL9xKufqTRdnsLZk4d9OfpbhRLk= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-368-Ei8UuMG5OJWXZxd76b6-1Q-1; Tue, 16 Jan 2024 02:57:53 -0500 X-MC-Unique: Ei8UuMG5OJWXZxd76b6-1Q-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 95B9C848C03; Tue, 16 Jan 2024 07:57:53 +0000 (UTC) Received: from thuth-p1g4.redhat.com (unknown [10.39.192.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id 81D0F3C25; Tue, 16 Jan 2024 07:57:52 +0000 (UTC) From: Thomas Huth To: qemu-devel@nongnu.org Cc: Peter Maydell , =?utf-8?q?Daniel_P=2E_Berrang?= =?utf-8?q?=C3=A9?= Subject: [PULL 5/5] meson: mitigate against use of uninitialize stack for exploits Date: Tue, 16 Jan 2024 08:57:44 +0100 Message-ID: <20240116075744.219169-6-thuth@redhat.com> In-Reply-To: <20240116075744.219169-1-thuth@redhat.com> References: <20240116075744.219169-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1 Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -35 X-Spam_score: -3.6 X-Spam_bar: --- X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.531, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Daniel P. Berrangé When variables are used without being initialized, there is potential to take advantage of data that was pre-existing on the stack from an earlier call, to drive an exploit. It is good practice to always initialize variables, and the compiler can warn about flaws when -Wuninitialized is present. This warning, however, is by no means foolproof with its output varying depending on compiler version and which optimizations are enabled. The -ftrivial-auto-var-init option can be used to tell the compiler to always initialize all variables. This increases the security and predictability of the program, closing off certain attack vectors, reducing the risk of unsafe memory disclosure. While the option takes several possible values, using 'zero' is considered to be the option that is likely to lead to semantically correct or safe behaviour[1]. eg sizes/indexes are not likely to lead to out-of-bounds accesses when initialized to zero. Pointers are less likely to point something useful if initialized to zero. Even with -ftrivial-auto-var-init=zero set, GCC will still issue warnings with -Wuninitialized if it discovers a problem, so we are not loosing diagnostics for developers, just hardening runtime behaviour and making QEMU behave more predictably in case of hitting bad codepaths. [1] https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html Signed-off-by: "Daniel P. Berrangé" Message-ID: <20240103123414.2401208-3-berrange@redhat.com> Signed-off-by: Thomas Huth --- meson.build | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meson.build b/meson.build index 1bda391de6..d0329966f1 100644 --- a/meson.build +++ b/meson.build @@ -559,6 +559,11 @@ hardening_flags = [ # upon its return. This makes it harder to assemble # ROP gadgets into something usable '-fzero-call-used-regs=used-gpr', + + # Initialize all stack variables to zero. This makes + # it harder to take advantage of uninitialized stack + # data to drive exploits + '-ftrivial-auto-var-init=zero', ] qemu_common_flags += cc.get_supported_arguments(hardening_flags)