From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A9C3BC433FE
	for <linux-mm@archiver.kernel.org>; Tue,  4 Oct 2022 03:59:09 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 9D0EC6B0072; Mon,  3 Oct 2022 23:59:08 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 97F5F6B0073; Mon,  3 Oct 2022 23:59:08 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 8202D8E0001; Mon,  3 Oct 2022 23:59:08 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 6EF896B0072
	for <linux-mm@kvack.org>; Mon,  3 Oct 2022 23:59:08 -0400 (EDT)
Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay03.hostedemail.com (Postfix) with ESMTP id 3F8E6A0954
	for <linux-mm@kvack.org>; Tue,  4 Oct 2022 03:59:08 +0000 (UTC)
X-FDA: 79981911576.27.A2D38C8
Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44])
	by imf27.hostedemail.com (Postfix) with ESMTP id BFB6C40017
	for <linux-mm@kvack.org>; Tue,  4 Oct 2022 03:59:07 +0000 (UTC)
Received: by mail-pj1-f44.google.com with SMTP id fw14so4769017pjb.3
        for <linux-mm@kvack.org>; Mon, 03 Oct 2022 20:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date:from:to
         :cc:subject:date;
        bh=6ZXZFqW1zvCEoHZIgPOM5DbWMEQFUkDUHhmwfnnqfck=;
        b=M06N2WAnCq6ae00Dt1ENQITbBcoMx6NqoCSc7aGK2zRr09KbTJuXqJ7I6KBSXpeouq
         WlPVfOqBFfWxcUNfCQleD0l3vdGcnc2mgsI/jkhnq1r94kJku4kfV2O+E/Ac3FdCrgST
         1GLcCVgfuKoNNA0mDgizAkNa8H7zCCMkkVtA8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :x-gm-message-state:from:to:cc:subject:date;
        bh=6ZXZFqW1zvCEoHZIgPOM5DbWMEQFUkDUHhmwfnnqfck=;
        b=XDmzJ5VJr8afHMGnN78eo9159tIwHzHr89lpstys9MGk3Y2LaOQnx+9o+uCC3eZtJL
         DNqgENhO3096cwfbPIlwwKzysjGiuBu1gX/N8zWPDRSIlcPKBBo3JrMfgaKrwv2EMzk5
         lfj6JDyhDvHbq1l0uLYbZfRHgD867zExZlZ2vWtFbw6QZLNO28v3ayMdwvfJDjZYwrLa
         S/vJs/e/LpX0r7Wk4cnRyBs7YubOEA9kzGzU+vvYFLRnpOOADm0ry53WKsYylIvof6ig
         C31j8k8fmc9OApG3muF3TPxXbI7D64CapZEpwQa3ArtyPMiDMA2r8yi/8CfcbEL+aueP
         uaug==
X-Gm-Message-State: ACrzQf2loAD9T9G9RavPaIYyDnccr9+fQWQJKsPQDy+8DM4BaJzDQqUg
	KVDKk5veKe3UUlcGl8Q9P2r5YA==
X-Google-Smtp-Source: AMsMyM50Foz8ANOtkKfZBNm5Ztw8tPSpl+z4P2LOSKo520ZEeaXLe42fyqEuBCWyfUwPzX1G0DOZwQ==
X-Received: by 2002:a17:902:7009:b0:178:b9c9:979f with SMTP id y9-20020a170902700900b00178b9c9979fmr24273802plk.39.1664855946656;
        Mon, 03 Oct 2022 20:59:06 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id h19-20020a656393000000b0042c0ffa0e62sm7543842pgv.47.2022.10.03.20.59.05
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Oct 2022 20:59:05 -0700 (PDT)
Date: Mon, 3 Oct 2022 20:59:04 -0700
From: Kees Cook <keescook@chromium.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "bsingharora@gmail.com" <bsingharora@gmail.com>,
	"hpa@zytor.com" <hpa@zytor.com>,
	"Syromiatnikov, Eugene" <esyr@redhat.com>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"rdunlap@infradead.org" <rdunlap@infradead.org>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"kirill.shutemov@linux.intel.com" <kirill.shutemov@linux.intel.com>,
	"Eranian, Stephane" <eranian@google.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"fweimer@redhat.com" <fweimer@redhat.com>,
	"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
	"jannh@google.com" <jannh@google.com>,
	"dethoma@microsoft.com" <dethoma@microsoft.com>,
	"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
	"kcc@google.com" <kcc@google.com>, "bp@alien8.de" <bp@alien8.de>,
	"oleg@redhat.com" <oleg@redhat.com>,
	"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
	"Yang, Weijiang" <weijiang.yang@intel.com>,
	"Lutomirski, Andy" <luto@kernel.org>, "pavel@ucw.cz" <pavel@ucw.cz>,
	"arnd@arndb.de" <arnd@arndb.de>,
	"Moreira, Joao" <joao.moreira@intel.com>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"mike.kravetz@oracle.com" <mike.kravetz@oracle.com>,
	"x86@kernel.org" <x86@kernel.org>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"jamorris@linux.microsoft.com" <jamorris@linux.microsoft.com>,
	"john.allen@amd.com" <john.allen@amd.com>,
	"rppt@kernel.org" <rppt@kernel.org>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"Shankar, Ravi V" <ravi.v.shankar@intel.com>,
	"corbet@lwn.net" <corbet@lwn.net>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
	"gorcunov@gmail.com" <gorcunov@gmail.com>
Subject: Re: [PATCH v2 00/39] Shadowstacks for userspace
Message-ID: <202210032058.D17B1A3@keescook>
References: <20220929222936.14584-1-rick.p.edgecombe@intel.com>
 <202210030946.CB90B94C11@keescook>
 <7c85acd79688c5ea41f760535612ef77093a41c7.camel@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <7c85acd79688c5ea41f760535612ef77093a41c7.camel@intel.com>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1664855947;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=6ZXZFqW1zvCEoHZIgPOM5DbWMEQFUkDUHhmwfnnqfck=;
	b=QOJcHr8jdQv8UuCNUTel2Xppn4izHB4KOq6ZHwgZ++LYo/FzuTMUb1MxrlPODqJUdvHtqt
	XNQ2OW1YiQd6niM272PBTpo6Xcf1Z21MXGpSuuNm9w7OImN5WlEYb+MFypetLDNBXDubE9
	cdVM3Kx1hN6e744jTYTvVqz9H9Z+ijo=
ARC-Authentication-Results: i=1;
	imf27.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=M06N2WAn;
	dmarc=pass (policy=none) header.from=chromium.org;
	spf=pass (imf27.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.44 as permitted sender) smtp.mailfrom=keescook@chromium.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664855947; a=rsa-sha256;
	cv=none;
	b=kOZPZTNRPSCcUHpdEWYHtUAByYpKSCAKFSq5Zu7iBbcLNzsP5FeiEOtAj/aRkF+39Uof6y
	/RLu4zpqLM/loE67L5Y5OojvnviAeemAXIUCrrTzbxEAa3J1rF7yiNU+GzTBDX1fJ6ojLq
	M1O6xM4cru7UlJLa1erm745+va74PpY=
X-Rspam-User: 
X-Stat-Signature: y4eqozmmsnqubs9ydrw4691omyk4ttap
X-Rspamd-Queue-Id: BFB6C40017
Authentication-Results: imf27.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=M06N2WAn;
	dmarc=pass (policy=none) header.from=chromium.org;
	spf=pass (imf27.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.44 as permitted sender) smtp.mailfrom=keescook@chromium.org
X-Rspamd-Server: rspam01
X-HE-Tag: 1664855947-702831
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Oct 03, 2022 at 06:33:52PM +0000, Edgecombe, Rick P wrote:
> On Mon, 2022-10-03 at 10:04 -0700, Kees Cook wrote:
> > > Shadow stack signal format
> > > --------------------------
> > > So to handle alt shadow stacks we need to push some data onto a
> > > stack. To 
> > > prevent SROP we need to push something to the shadow stack that the
> > > kernel can 
> > > [...]
> > > shadow stack return address or a shadow stack tokens. To make sure
> > > it can’t be 
> > > used, data is pushed with the high bit (bit 63) set. This bit is a
> > > linear 
> > > address bit in both the token format and a normal return address,
> > > so it should 
> > > not conflict with anything. It puts any return address in the
> > > kernel half of 
> > > the address space, so would never be created naturally by a
> > > userspace program. 
> > > It will not be a valid restore token either, as the kernel address
> > > will never 
> > > be pointing to the previous frame in the shadow stack.
> > > 
> > > When a signal hits, the format pushed to the stack that is handling
> > > the signal 
> > > is four 8 byte values (since we are 64 bit only):
> > > > 1...old SSP|1...alt stack size|1...alt stack base|0|
> > 
> > Do these end up being non-canonical addresses? (To avoid confusion
> > with
> > "real" kernel addresses?)
> 
> Usually, but not necessarily with LAM. LAM cannot mask bit 63 though.
> So hypothetically they could become "real" kernel addresses some day.
> To keep them in the user half but still make sure they are not usable,
> you would either have to encode the bits over a lot of entries which
> would use extra space, or shrink the available address space, which
> could cause compatibility problems.
> 
> Do you think it's an issue?

Nah; I think it's a good solution. I was just trying to make sure I
understood it correctly. Thanks!

-- 
Kees Cook