From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0677C2BC11 for ; Mon, 14 Sep 2020 20:44:59 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 7EFFD221E5 for ; Mon, 14 Sep 2020 20:44:59 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7EFFD221E5 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id BA8328E0001; Mon, 14 Sep 2020 16:44:58 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B584E6B0062; Mon, 14 Sep 2020 16:44:58 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A47AD8E0001; Mon, 14 Sep 2020 16:44:58 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0082.hostedemail.com [216.40.44.82]) by kanga.kvack.org (Postfix) with ESMTP id 8C63C6B005D for ; Mon, 14 Sep 2020 16:44:58 -0400 (EDT) Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 412A1181AEF1E for ; Mon, 14 Sep 2020 20:44:58 +0000 (UTC) X-FDA: 77262846276.03.fifth78_39116c12710b Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin03.hostedemail.com (Postfix) with ESMTP id 0F64328A4EA for ; Mon, 14 Sep 2020 20:44:58 +0000 (UTC) X-HE-Tag: fifth78_39116c12710b X-Filterd-Recvd-Size: 6012 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by imf35.hostedemail.com (Postfix) with ESMTP for ; Mon, 14 Sep 2020 20:44:56 +0000 (UTC) IronPort-SDR: 0xMlyOI02A/SXyPd3zIHLZEA1tiJx7b2JyT4jJwRqdgo2SV2BN2/9jcynPbIiCya1VbiGP5drM 7DgC+EmH0BqA== X-IronPort-AV: E=McAfee;i="6000,8403,9744"; a="160094530" X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="160094530" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:54 -0700 IronPort-SDR: AkVfmk+B+R2AS1BdaSnCKau8ZPqZEqz9QQUtghb9wnE8lfT5XErlNWR4JSyOEhO3efMA9qoWq9 vHE3455/G5aw== X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="506491218" Received: from yyu32-mobl1.amr.corp.intel.com (HELO [10.212.244.74]) ([10.212.244.74]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:51 -0700 Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack To: Andy Lutomirski , Dave Hansen Cc: Dave Martin , "H.J. Lu" , Florian Weimer , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Weijiang Yang References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com> <4f2dfefc-b55e-bf73-f254-7d95f9c67e5c@intel.com> <20200901102758.GY6642@arm.com> <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com> <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> From: "Yu, Yu-cheng" Message-ID: <2d86fa40-3676-62b1-1571-90074ca65971@intel.com> Date: Mon, 14 Sep 2020 13:44:50 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US X-Rspamd-Queue-Id: 0F64328A4EA X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam02 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 9/14/2020 11:31 AM, Andy Lutomirski wrote: >> On Sep 14, 2020, at 7:50 AM, Dave Hansen wrote= : >> >> =EF=BB=BFOn 9/11/20 3:59 PM, Yu-cheng Yu wrote: >> ... >>> Here are the changes if we take the mprotect(PROT_SHSTK) approach. >>> Any comments/suggestions? >> >> I still don't like it. :) >> >> I'll also be much happier when there's a proper changelog to accompany >> this which also spells out the alternatives any why they suck so much. >> >=20 > Let=E2=80=99s take a step back here. Ignoring the precise API, what exa= ctly is > a shadow stack from the perspective of a Linux user program? >=20 > The simplest answer is that it=E2=80=99s just memory that happens to ha= ve > certain protections. This enables all kinds of shenanigans. A > program could map a memfd twice, once as shadow stack and once as > non-shadow-stack, and change its control flow. Similarly, a program > could mprotect its shadow stack, modify it, and mprotect it back. In What if we do the following: - If the mapping has VM_SHARED, it cannot be turned to shadow stack.=20 Shadow stack cannot be shared anyway. - Only allow an anonymous mapping to be converted to shadow stack, but=20 not the other way. > some threat models, though could be seen as a WRSS bypass. (Although > if an attacker can coerce a process to call mprotect(), the game is > likely mostly over anyway.) >=20 > But we could be more restrictive, or perhaps we could allow user code > to opt into more restrictions. For example, we could have shadow > stacks be special memory that cannot be written from usermode by any > means other than ptrace() and friends, WRSS, and actual shadow stack > usage. >=20 > What is the goal? There primary goal is to allocate/mmap a shadow stack from user space. >=20 > No matter what we do, the effects of calling vfork() are going to be a > bit odd with SHSTK enabled. I suppose we could disallow this, but > that seems likely to cause its own issues. >=20 Do you mean vfork() has issues with call/return? That is taken care of=20 in GLIBC. Or do you mean it has issues with mprotect(PROT_SHSTK)?