From: Jann Horn
Date: Mon, 3 Oct 2022 19:25:03 +0200
Subject: Re: [PATCH v2 00/39] Shadowstacks for userspace
To: Kees Cook
Cc: Rick Edgecombe, x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jonathan Corbet, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, "Ravi V . Shankar", Weijiang Yang, "Kirill A . Shutemov", joao.moreira@intel.com, John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com
References: <20220929222936.14584-1-rick.p.edgecombe@intel.com> <202210030946.CB90B94C11@keescook>
In-Reply-To: <202210030946.CB90B94C11@keescook>

On Mon, Oct 3, 2022 at 7:04 PM Kees Cook wrote:
> On Thu, Sep 29, 2022 at 03:28:57PM -0700, Rick Edgecombe wrote:
> > This is an overdue followup to the “Shadow stacks for userspace” CET series.
> > Thanks for all the comments on the first version [0]. They drove a decent
> > amount of changes for v2. Since it has been a while, I’ll try to summarize the
> > areas that got major changes since last time. Smaller changes are listed in
> > each patch.
>
> Thanks for the write-up!
>
> > [...]
> > GUP
> > ---
> > Shadow stack memory is generally treated as writable by the kernel, but
> > it behaves differently than other writable memory with respect to GUP.
> > FOLL_WRITE will not GUP shadow stack memory unless FOLL_FORCE is also
> > set. Shadow stack memory is writable from the perspective of being
> > changeable by userspace, but it is also protected memory from
> > userspace’s perspective. So preventing it from being writable via
> > FOLL_WRITE helps make it harder for userspace to arbitrarily write to
> > it. However, like read-only memory, FOLL_FORCE can still write through
> > it. This means shadow stacks can be written to via things like
> > “/proc/self/mem”. Apps that want extra security will have to prevent
> > access to kernel features that can write with FOLL_FORCE.
>
> This seems like a problem to me -- the point of SS is that there cannot be
> a way to write to them without specific instruction sequences. The fact
> that /proc/self/mem bypasses memory protections was an old design mistake
> that keeps leading to surprising behaviors. It would be much nicer to
> draw the line somewhere and just say that FOLL_FORCE doesn't work on
> VM_SHADOW_STACK. Why must FOLL_FORCE be allowed to write to SS?

But once you have FOLL_FORCE, you can also just write over stuff like
executable code instead of writing over the stack.
I don't think allowing FOLL_FORCE writes over shadow stacks from /proc/$pid/mem is making things worse in any way, and it's probably helpful for stuff like debuggers. If you don't want /proc/$pid/mem to be able to do stuff like that, then IMO the way to go is to change when /proc/$pid/mem uses FOLL_FORCE, or to limit overall write access to /proc/$pid/mem.
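An added example, not code from the patch series or from anyone in this thread: a small C audit that parses a /proc/<pid>/smaps listing, flags shadow-stack VMAs, and applies the FOLL_WRITE/FOLL_FORCE rule the cover letter describes, so a hardening review can see which ranges a FOLL_FORCE writer such as /proc/<pid>/mem reaches. It assumes the "ss" VmFlags mnemonic that mainline kernels use for shadow-stack mappings (not part of this v2 posting); the smaps text is constructed.

```c
#include <stdio.h>
#include <string.h>
struct vma {
    unsigned long start, end;
    char perms[5];     /* "rw-p" etc. from the smaps header line */
    int shadow_stack;  /* 1 if VmFlags has the "ss" token (assumed mnemonic) */
};

/* Parse /proc/<pid>/smaps text into vmas[]; returns the number of VMAs found. */
int parse_smaps(const char *text, struct vma *vmas, int max)
{
    int n = 0; char line[256];
    for (const char *p = text; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;   /* smaps lines are short */
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long s, e; char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &s, &e, perms) == 3) {   /* VMA header */
            if (n == max) break;
            vmas[n].start = s; vmas[n].end = e; vmas[n].shadow_stack = 0;
            memcpy(vmas[n++].perms, perms, sizeof perms);
        } else if (n > 0 && strncmp(line, "VmFlags:", 8) == 0) {
            for (char *t = strtok(line + 8, " "); t; t = strtok(NULL, " "))
                if (strcmp(t, "ss") == 0) vmas[n - 1].shadow_stack = 1;
        }
    }
    return n;
}
/* GUP rule from the cover letter: FOLL_WRITE alone is refused for shadow-stack VMAs
 * (as for read-only ones); FOLL_FORCE, used by /proc/<pid>/mem, writes through both. */
int gup_write_allowed(const struct vma *v, int foll_force)
{
    return foll_force || (v->perms[1] == 'w' && !v->shadow_stack);
}

/* Constructed sample listing: a normal rw- VMA followed by a shadow stack. */
const char SAMPLE[] =
    "7f0000001000-7f0000022000 rw-p 00000000 00:00 0\nVmFlags: rd wr mr mw me ac\n"
    "7f0000100000-7f0000101000 rw-p 00000000 00:00 0\nVmFlags: rd wr mr mw me ac ss\n";
int main(void)
{
    struct vma vmas[64];
    int n = parse_smaps(SAMPLE, vmas, 64);
    for (int i = 0; i < n; i++)   /* shows which ranges a FOLL_FORCE writer reaches */
        printf("%lx-%lx ss=%d write_ok(FOLL_WRITE)=%d write_ok(FOLL_FORCE)=%d\n", vmas[i].start,
               vmas[i].end, vmas[i].shadow_stack, gup_write_allowed(&vmas[i], 0), gup_write_allowed(&vmas[i], 1));
    return 0;
}
```

To audit a live process, feed it the contents of /proc/<pid>/smaps instead of SAMPLE; on a kernel without shadow-stack support no VMA will carry the flag.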