Date: Mon, 6 Mar 2023 09:08:05 +0100
From: Borislav Petkov
To: Rick Edgecombe
Cc: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, Yu-cheng Yu
Subject: Re: [PATCH v7 21/41] mm: Add guard pages around a shadow stack.
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com> <20230227222957.24501-22-rick.p.edgecombe@intel.com>
In-Reply-To: <20230227222957.24501-22-rick.p.edgecombe@intel.com>

Just typos:

On Mon, Feb 27, 2023 at 02:29:37PM -0800, Rick Edgecombe wrote:
> From: Yu-cheng Yu
>
> The x86 Control-flow Enforcement Technology (CET) feature includes a new
> type of memory called shadow stack. This shadow stack memory has some
> unusual properties, which requires some core mm changes to function
> properly.
>
> The architecture of shadow stack constrains the ability of userspace to
> move the shadow stack pointer (SSP) in order to prevent corrupting or
> switching to other shadow stacks. The RSTORSSP can move the ssp to
                                                ^
                                                instruction

s/ssp/SSP/g

> different shadow stacks, but it requires a specially placed token in order
> to do this. However, the architecture does not prevent incrementing the
> stack pointer to wander onto an adjacent shadow stack. To prevent this in
> software, enforce guard pages at the beginning of shadow stack vmas, such

VMAs

> that there will always be a gap between adjacent shadow stacks.
>
> Make the gap big enough so that no userspace SSP changing operations
> (besides RSTORSSP), can move the SSP from one stack to the next. The
> SSP can increment or decrement by CALL, RET and INCSSP. CALL and RET

"can be incremented or decremented"

> can move the SSP by a maximum of 8 bytes, at which point the shadow
> stack would be accessed.
>
> The INCSSP instruction can also increment the shadow stack pointer. It
> is the shadow stack analog of an instruction like:
>
> addq $0x80, %rsp
>
> However, there is one important difference between an ADD on %rsp and
> INCSSP. In addition to modifying SSP, INCSSP also reads from the memory
> of the first and last elements that were "popped". It can be thought of
> as acting like this:
>
> READ_ONCE(ssp); // read+discard top element on stack
> ssp += nr_to_pop * 8; // move the shadow stack
> READ_ONCE(ssp-8); // read+discard last popped stack element
>
> The maximum distance INCSSP can move the SSP is 2040 bytes, before it
> would read the memory. Therefore a single page gap will be enough to
                                  ^
                                  ,

> prevent any operation from shifting the SSP to an adjacent stack, since
> it would have to land in the gap at least once, causing a fault.
>
> This could be accomplished by using VM_GROWSDOWN, but this has a
> downside. The behavior would allow shadow stack's to grow, which is

s/stack's/stacks/

> unneeded and adds a strange difference to how most regular stacks work.
>
> Tested-by: Pengfei Xu
> Tested-by: John Allen
> Tested-by: Kees Cook
> Acked-by: Mike Rapoport (IBM)
> Reviewed-by: Kees Cook
> Signed-off-by: Yu-cheng Yu
> Co-developed-by: Rick Edgecombe
> Signed-off-by: Rick Edgecombe
> Cc: Kees Cook
>
> ---
> v5:
> - Fix typo in commit log
>
> v4:
> - Drop references to 32 bit instructions
> - Switch to generic code to drop __weak (Peterz)
>
> v2:
> - Use __weak instead of #ifdef (Dave Hansen)
> - Only have start gap on shadow stack (Andy Luto)
> - Create stack_guard_start_gap() to not duplicate code
> in an arch version of vm_start_gap() (Dave Hansen)
> - Improve commit log partly with verbiage from (Dave Hansen)
>
> Yu-cheng v25:
> - Move SHADOW_STACK_GUARD_GAP to arch/x86/mm/mmap.c.
> ---
> include/linux/mm.h | 31 ++++++++++++++++++++++++++-----
> 1 file changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 097544afb1aa..6a093daced88 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -3107,15 +3107,36 @@ struct vm_area_struct *vma_lookup(struct mm_struct *mm, unsigned long addr) > return mtree_load(&mm->mm_mt, addr); > } > > +static inline unsigned long stack_guard_start_gap(struct vm_area_struct *vma) > +{ > + if (vma->vm_flags & VM_GROWSDOWN) > + return stack_guard_gap; > + > + /* > + * Shadow stack pointer is moved by CALL, RET, and INCSSPQ. > + * INCSSPQ moves shadow stack pointer up to 255 * 8 = ~2 KB > + * and touches the first and the last element in the range, which > + * triggers a page fault if the range is not in a shadow stack. > + * Because of this, creating 4-KB guard pages around a shadow > + * stack prevents these instructions from going beyond.

I'd prefer the equivalent explanation above from the commit message - it
is more precise.

> + * > + * Creation of VM_SHADOW_STACK is tightly controlled, so a vma > + * can't be both VM_GROWSDOWN and VM_SHADOW_STACK > + */ > + if (vma->vm_flags & VM_SHADOW_STACK) > + return PAGE_SIZE; > + > + return 0; > +}

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
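Review bot: the comment block in stack_guard_start_gap() says "creating 4-KB guard pages around a shadow stack", but the code under it returns a single PAGE_SIZE gap at the start of the VMA only (the v2 changelog above says "Only have start gap on shadow stack"), and include/linux/mm.h is generic code where PAGE_SIZE is not 4 KB on every configuration; wording the comment as one PAGE_SIZE start gap, sufficient because INCSSPQ can move the SSP by at most 255 * 8 = 2040 bytes and reads the last popped element, would match both the code and the commit message's reasoning. The second paragraph of that comment also ends without a period ("can't be both VM_GROWSDOWN and VM_SHADOW_STACK").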
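As an added illustration of the guard-gap argument in the quoted commit message (example code written for this page, not part of the patch or of the thread): a userspace model of INCSSP's two reads over two constructed shadow stacks separated by one PAGE_SIZE gap, with an exhaustive check that no single INCSSP can carry the SSP from one stack into the next. All addresses, sizes and function names here are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SIZE_MODEL 4096UL                /* x86 base page = the gap size */
#define SHSTK_BYTES     (2 * PAGE_SIZE_MODEL) /* constructed stack size */
#define INCSSP_MAX_POPS 255                   /* INCSSPQ takes an 8-bit count */

/* Two adjacent shadow stacks with one PAGE_SIZE gap between them, which is
 * what returning PAGE_SIZE from stack_guard_start_gap() enforces for the
 * upper one. Constructed addresses, not a real layout. */
#define STACK_A_START 0x10000UL
#define STACK_A_END   (STACK_A_START + SHSTK_BYTES)
#define STACK_B_START (STACK_A_END + PAGE_SIZE_MODEL) /* gap: [A_END, B_START) */
#define STACK_B_END   (STACK_B_START + SHSTK_BYTES)

/* Access model: a read inside a mapped shadow stack succeeds; a read in the
 * gap faults, as the patch comment says happens outside a shadow stack. */
static bool shstk_mapped(uintptr_t addr)
{
    return (addr >= STACK_A_START && addr < STACK_A_END) ||
           (addr >= STACK_B_START && addr < STACK_B_END);
}

/* INCSSP as the commit message describes it: read the top element, move
 * the SSP up by nr_to_pop * 8, read the last popped element. On a fault
 * the SSP is left untouched and false is returned. */
static bool model_incssp(uintptr_t *ssp, unsigned nr_to_pop)
{
    uintptr_t new_ssp = *ssp + (uintptr_t)nr_to_pop * 8;
    if (!shstk_mapped(*ssp) || !shstk_mapped(new_ssp - 8))
        return false;
    *ssp = new_ssp;
    return true;
}

/* Try every 8-byte slot of stack A as the starting SSP with every INCSSP
 * count, and report whether one instruction can leave the SSP inside
 * stack B without faulting. Because 255 * 8 = 2040 < PAGE_SIZE the last
 * read always lands in A or in the gap, so this must return false. */
static bool incssp_can_hop_to_next_stack(void)
{
    for (uintptr_t s = STACK_A_START; s < STACK_A_END; s += 8)
        for (unsigned n = 1; n <= INCSSP_MAX_POPS; n++) {
            uintptr_t ssp = s;
            if (model_incssp(&ssp, n) && ssp >= STACK_B_START)
                return true;
        }
    return false;
}
```

Shrinking PAGE_SIZE_MODEL below 2040 in the model makes incssp_can_hop_to_next_stack() return true, which is the failure the one-page gap is sized to rule out.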