From: Florent Revest
To: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: catalin.marinas@arm.com, will@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, akpm@linux-foundation.org, broonie@kernel.org, thiago.bauermann@linaro.org, jackmanb@google.com, Florent Revest, stable@vger.kernel.org
Subject: [PATCH v2 1/4] mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y
Date: Wed, 7 May 2025 15:09:57 +0200
Message-ID: <20250507131000.1204175-2-revest@chromium.org>
X-Mailer: git-send-email 2.49.0.987.g0cc8ee98dc-goog
In-Reply-To: <20250507131000.1204175-1-revest@chromium.org>
References: <20250507131000.1204175-1-revest@chromium.org>
On configs with CONFIG_ARM64_GCS=y, VM_SHADOW_STACK is bit 38. On configs with
CONFIG_HAVE_ARCH_USERFAULTFD_MINOR=y (selected by CONFIG_ARM64 when
CONFIG_USERFAULTFD=y), VM_UFFD_MINOR is _also_ bit 38.

This bit being shared by two different VMA flags could lead to all sorts of
unintended behaviors. Presumably, a process could maybe call into userfaultfd
in a way that disables the shadow stack vma flag.

I can't think of any attack where this would help (presumably, if an attacker
tries to disable shadow stacks, they are trying to hijack control flow so
can't arbitrarily call into userfaultfd yet anyway) but this still feels
somewhat scary.

Reviewed-by: Mark Brown
Fixes: ae80e1629aea ("mm: Define VM_SHADOW_STACK for arm64 when we support GCS")
Cc:
Signed-off-by: Florent Revest
---
 include/linux/mm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index bf55206935c46..fdda6b16263b3 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -385,7 +385,7 @@ extern unsigned int kobjsize(const void *objp); #endif #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR -# define VM_UFFD_MINOR_BIT 38 +# define VM_UFFD_MINOR_BIT 41 # define VM_UFFD_MINOR BIT(VM_UFFD_MINOR_BIT) /* UFFD minor faults */ #else /* !CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ # define VM_UFFD_MINOR VM_NONE -- 2.49.0.987.g0cc8ee98dc-goog
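Review bot: the hunk moves VM_UFFD_MINOR_BIT from 38 to 41 but puts nothing in place that would catch the next overlap, so a later flag allocated at 41, or a later arch definition of VM_SHADOW_STACK, would collide just as silently as this one did. Consider pairing the new value with a compile-time check placed after both macros are defined, e.g. `static_assert(!(VM_UFFD_MINOR & VM_SHADOW_STACK));`, and a one-line comment beside `+# define VM_UFFD_MINOR_BIT 41` recording why 41 was chosen over the neighbouring high bits, since the hunk itself gives no indication of what occupies 39 and 40.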
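What a shared bit does in practice, as an added example that is not part of this patch or of include/linux/mm.h: a small user-space model of a VMA's vm_flags word using the bit positions stated in the commit message (38/38 before the fix, 38/41 after). The set/clear sequence it walks through, userfaultfd minor-fault registration being enabled and then disabled on a shadow-stack VMA, is an assumed path chosen to illustrate the failure mode, not a transcript of the kernel's code. The `first_duplicate_bit` scan at the end is the generic check a maintainer could run over any flag table, beyond just these two flags.

```c
/*
 * Added example, not part of the patch or of the kernel: models the VMA flag
 * collision described in the commit message. Bit numbers come from the patch;
 * the register/unregister sequence is an assumed illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_BIT(n) ((uint64_t)1 << (n))

/* Bit positions before the patch: both flags are bit 38. */
#define OLD_VM_SHADOW_STACK_BIT 38u
#define OLD_VM_UFFD_MINOR_BIT   38u
/* Bit positions after the patch: VM_UFFD_MINOR moves to bit 41. */
#define NEW_VM_SHADOW_STACK_BIT 38u
#define NEW_VM_UFFD_MINOR_BIT   41u

struct demo_vma {
	uint64_t vm_flags;	/* stands in for vma->vm_flags */
};

/*
 * Model the worrying sequence: a VMA is a shadow stack, a process enables
 * userfaultfd minor-fault tracking on it, then disables it again.
 * Returns true if VM_SHADOW_STACK is still set afterwards.
 */
static bool shadow_stack_survives(unsigned shadow_bit, unsigned uffd_bit)
{
	struct demo_vma vma = { .vm_flags = 0 };
	uint64_t vm_shadow = DEMO_BIT(shadow_bit);
	uint64_t vm_uffd = DEMO_BIT(uffd_bit);

	vma.vm_flags |= vm_shadow;	/* VMA created as a GCS shadow stack */
	vma.vm_flags |= vm_uffd;	/* assumed: registration sets the flag */
	vma.vm_flags &= ~vm_uffd;	/* assumed: unregistration clears it */

	return (vma.vm_flags & vm_shadow) != 0;
}

/*
 * The check the header lacks: scan a table of flag bit positions and return
 * the index of the first entry that reuses an earlier entry's bit, or -1 if
 * every position is distinct. Works over any flag table, not just these two.
 */
static int first_duplicate_bit(const unsigned *bits, size_t n)
{
	uint64_t seen = 0;

	for (size_t i = 0; i < n; i++) {
		uint64_t mask = DEMO_BIT(bits[i]);

		if (seen & mask)
			return (int)i;
		seen |= mask;
	}
	return -1;
}

/* Run the duplicate check over the two flags in the old or the fixed layout. */
static int duplicate_in_layout(bool fixed)
{
	unsigned bits[2];

	bits[0] = fixed ? NEW_VM_SHADOW_STACK_BIT : OLD_VM_SHADOW_STACK_BIT;
	bits[1] = fixed ? NEW_VM_UFFD_MINOR_BIT : OLD_VM_UFFD_MINOR_BIT;
	return first_duplicate_bit(bits, 2);
}

int main(void)
{
	printf("old layout: shadow stack survives uffd unregister? %s (duplicate index %d)\n",
	       shadow_stack_survives(OLD_VM_SHADOW_STACK_BIT, OLD_VM_UFFD_MINOR_BIT) ? "yes" : "no",
	       duplicate_in_layout(false));
	printf("new layout: shadow stack survives uffd unregister? %s (duplicate index %d)\n",
	       shadow_stack_survives(NEW_VM_SHADOW_STACK_BIT, NEW_VM_UFFD_MINOR_BIT) ? "yes" : "no",
	       duplicate_in_layout(true));
	return 0;
}
```

With the old layout the clear of VM_UFFD_MINOR wipes VM_SHADOW_STACK as well, because both are the same mask; with the fixed layout the shadow-stack flag is untouched. The same scan, fed the full list of high VMA bit definitions, is the kind of build-time or unit-test check that would have flagged this overlap when the second definition of bit 38 landed.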