From: "H.J. Lu"
Date: Sat, 5 Feb 2022 05:29:55 -0800
Subject: Re: [PATCH 00/35] Shadow stacks for userspace
To: David Laight
Cc: "Edgecombe, Rick P", bsingharora@gmail.com, hpa@zytor.com, "Syromiatnikov, Eugene", peterz@infradead.org, rdunlap@infradead.org, keescook@chromium.org, dave.hansen@linux.intel.com, kirill.shutemov@linux.intel.com, "Eranian, Stephane", linux-mm@kvack.org, fweimer@redhat.com, nadav.amit@gmail.com, jannh@google.com, linux-arch@vger.kernel.org, kcc@google.com, bp@alien8.de, oleg@redhat.com, "Yang, Weijiang", "Lutomirski, Andy", pavel@ucw.cz, arnd@arndb.de, "Moreira, Joao", tglx@linutronix.de, mike.kravetz@oracle.com, x86@kernel.org, linux-doc@vger.kernel.org, Dave.Martin@arm.com, john.allen@amd.com, mingo@redhat.com, "Shankar, Ravi V", corbet@lwn.net, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, gorcunov@gmail.com
In-Reply-To: <3421da7fc8474b6db0e265b20ffd28d0@AcuMS.aculab.com>
References: <87fsozek0j.ffs@tglx> <3421da7fc8474b6db0e265b20ffd28d0@AcuMS.aculab.com>

On Sat, Feb 5, 2022 at 5:27 AM David Laight wrote:
>
> > From: Edgecombe, Rick P
> > Sent: 04 February 2022 01:08
> > Hi Thomas,
> >
> > Thanks for feedback on the plan.
> >
> > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote:
> > > > Until now, the enabling effort was trying to support both Shadow
> > > > Stack and IBT. This history will focus on a few areas of the
> > > > shadow stack development history that I thought stood out.
> > > >
> > > > Signals
> > > > -------
> > > > Originally signals placed the location of the shadow stack restore
> > > > token inside the saved state on the stack. This was problematic
> > > > from a past ABI promises perspective. So the restore location was
> > > > instead just assumed from the shadow stack pointer. This works
> > > > because in normal allowed cases of calling sigreturn, the shadow
> > > > stack pointer should be right at the restore token at that time.
> > > > There is no alternate shadow stack support. If an alt shadow stack
> > > > is added later we would need to
> > >
> > > So how is that going to work? altstack is not an esoteric corner
> > > case.
> >
> > My understanding is that the main usages for the signal stack were
> > handling stack overflows and corruption. Since the shadow stack only
> > contains return addresses rather than large stack allocations, and is
> > not generally writable or pivotable, I thought there was a good
> > possibility an alt shadow stack would not end up being especially
> > useful. Does it seem like reasonable guesswork?
>
> The other 'problem' is that it is valid to longjump out of a signal handler.
> These days you have to use siglongjmp() not longjmp() but it is still used.
>
> It is probably also valid to use siglongjmp() to jump from a nested
> signal handler into the outer handler.
> Given both signal handlers can have their own stack, there can be three
> stacks involved.
>
> I think the shadow stack pointer has to be in ucontext - which also
> means the application can change it before returning from a signal.
> In much the same way as all the segment registers can be changed
> leading to all the nasty bugs when the final 'return to user' code
> traps in kernel when loading invalid segment registers or executing iret.
>
> Hmmm... do shadow stacks mean that longjmp() has to be a system call?

No. setjmp/longjmp save and restore shadow stack pointer.

--
H.J.
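The exchange above hinges on the case David raises (siglongjmp() out of a signal handler that runs on its own sigaltstack) and on H.J.'s answer that no syscall is needed because setjmp/longjmp carry the shadow stack pointer in the jmp_buf. The following C program, added here as an example and not part of the thread or of glibc, exercises exactly that user-space path: it installs a SIGUSR1 handler on an alternate stack, raises the signal, and siglongjmps back to the main stack without ever returning through sigreturn. The program runs on any Linux/x86 system; it does not itself inspect shadow stack state, and the shadow stack behaviour described in the comments is glibc's x86-64 implementation as I understand it (setjmp records the shadow stack pointer in the jmp_buf, longjmp unwinds the shadow stack to it), not something the thread spells out. The function name `run_siglongjmp_demo` and the 64 KiB alternate stack size are my choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Jump target on the main stack.  With shadow stacks enabled, glibc's
   sigsetjmp stores the shadow stack pointer (SSP) here alongside the
   ordinary registers, which is what makes a user-space siglongjmp sufficient. */
static sigjmp_buf outer_env;

static volatile sig_atomic_t handler_ran;
static volatile sig_atomic_t handler_on_altstack;

/* Size of the alternate signal stack (constructed value for this example). */
enum { ALT_STACK_SIZE = 64 * 1024 };

static void on_sigusr1(int signo)
{
    (void)signo;
    handler_ran = 1;

    /* SS_ONSTACK is reported while the current stack pointer lies inside the
       alternate stack, so this confirms SA_ONSTACK took effect. */
    stack_t cur;
    if (sigaltstack(NULL, &cur) == 0 && (cur.ss_flags & SS_ONSTACK))
        handler_on_altstack = 1;

    /* Leave the handler without a sigreturn.  siglongjmp restores the
       signal mask saved by sigsetjmp(..., 1) (SIGUSR1 is blocked here) and,
       on a shadow-stack-enabled glibc, unwinds the shadow stack to the SSP
       saved in outer_env.  No kernel involvement is needed for the jump. */
    siglongjmp(outer_env, 42);
}

/* Returns 42 when the handler ran on the alternate stack and the jump landed
   back on the main stack; returns a negative value on any failure. */
int run_siglongjmp_demo(void)
{
    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = malloc(ALT_STACK_SIZE);
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (ss.ss_sp == NULL || sigaltstack(&ss, NULL) != 0)
        return -1;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_ONSTACK;      /* run the handler on the alternate stack */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;

    handler_ran = 0;
    handler_on_altstack = 0;

    int result;
    int jumped = sigsetjmp(outer_env, 1);   /* 1: also save the signal mask */
    if (jumped == 0) {
        raise(SIGUSR1);
        /* Not reached: the handler never returns, it siglongjmps instead. */
        result = -2;
    } else {
        /* Back on the main stack; verify we are no longer on the altstack. */
        stack_t cur;
        int still_on_alt = (sigaltstack(NULL, &cur) == 0) &&
                           (cur.ss_flags & SS_ONSTACK);
        result = (handler_ran && handler_on_altstack && !still_on_alt)
                     ? jumped : -3;
    }

    /* Tidy up: restore default SIGUSR1 disposition and drop the altstack. */
    signal(SIGUSR1, SIG_DFL);
    stack_t off;
    memset(&off, 0, sizeof off);
    off.ss_flags = SS_DISABLE;
    sigaltstack(&off, NULL);
    free(ss.ss_sp);
    return result;
}

int main(void)
{
    int r = run_siglongjmp_demo();
    printf("siglongjmp out of altstack handler: %s (%d)\n",
           r == 42 ? "ok" : "failed", r);
    return r == 42 ? 0 : 1;
}
```

The three stacks David counts are all visible here: the main stack holding `outer_env`, the sigaltstack the handler executes on, and (on CET hardware) the shadow stack that records the return addresses of both. The point of the example is that the transition back is done entirely by `siglongjmp`; the kernel's sigreturn path, and whatever it assumes about the restore token, is never exercised on the jump.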