From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id 239736B0007 for ; Mon, 18 Jun 2018 17:44:50 -0400 (EDT) Received: by mail-pf0-f199.google.com with SMTP id u16-v6so9190448pfm.15 for ; Mon, 18 Jun 2018 14:44:50 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id m62-v6si16576239pfb.127.2018.06.18.14.44.47 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Jun 2018 14:44:47 -0700 (PDT) Received: from mail-wm0-f49.google.com (mail-wm0-f49.google.com [74.125.82.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 95CD3208A6 for ; Mon, 18 Jun 2018 21:44:46 +0000 (UTC) Received: by mail-wm0-f49.google.com with SMTP id v16-v6so16502975wmh.5 for ; Mon, 18 Jun 2018 14:44:46 -0700 (PDT) MIME-Version: 1.0 References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <1528815820.8271.16.camel@2b52.sc.intel.com> <814fc15e80908d8630ff665be690ccbe6e69be88.camel@gmail.com> <1528988176.13101.15.camel@2b52.sc.intel.com> <2b77abb17dfaf58b7c23fac9d8603482e1887337.camel@gmail.com> In-Reply-To: <2b77abb17dfaf58b7c23fac9d8603482e1887337.camel@gmail.com> From: Andy Lutomirski Date: Mon, 18 Jun 2018 14:44:33 -0700 Message-ID: Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Balbir Singh Cc: Yu-cheng Yu , LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com On Sat, Jun 16, 2018 at 8:16 PM Balbir Singh wrote: > > On Thu, 2018-06-14 at 07:56 -0700, Yu-cheng Yu wrote: > > On Thu, 2018-06-14 at 11:07 +1000, Balbir Singh wrote: > > > On Tue, 2018-06-12 at 08:03 -0700, Yu-cheng Yu wrote: > > > > On Tue, 2018-06-12 at 20:56 +1000, Balbir Singh wrote: > > > > > > > > > > On 08/06/18 00:37, Yu-cheng Yu wrote: > > > > > > This series introduces CET - Shadow stack > > > > > > > > > > > > At the high level, shadow stack is: > > > > > > > > > > > > Allocated from a task's address space with vm_flags VM_SHSTK; > > > > > > Its PTEs must be read-only and dirty; > > > > > > Fixed sized, but the default size can be changed by sys admin. > > > > > > > > > > > > For a forked child, the shadow stack is duplicated when the next > > > > > > shadow stack access takes place. > > > > > > > > > > > > For a pthread child, a new shadow stack is allocated. > > > > > > > > > > > > The signal handler uses the same shadow stack as the main program. > > > > > > > > > > > > > > > > Even with sigaltstack()? > > > > > > > > > > > > > Yes. > > > > > > I am not convinced that it would work, as we switch stacks, oveflow might > > > be an issue. I also forgot to bring up setcontext(2), I presume those > > > will get new shadow stacks > > > > Do you mean signal stack/sigaltstack overflow or swapcontext in a signal > > handler? > > > > I meant any combination of that. If there is a user space threads implementation that uses sigaltstack for switching threads > Anyone who does that is nuts. The whole point of user space threads is speed, and signals are very slow. For userspace threads to work, we need an API to allocate new shadow stacks, and we need to use the extremely awkwardly defined RSTORSSP stuff to switch. (I assume this is possible on an ISA level. The docs are bad, and the mnemonics for the relevant instructions are nonsensical.)