Date: Wed, 21 Aug 2024 19:03:13 +0100
From: Mark Brown
To: Catalin Marinas
Cc: Will Deacon, Jonathan Corbet, Andrew Morton, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Arnd Bergmann, Oleg Nesterov, Eric Biederman, Shuah Khan, "Rick P. Edgecombe", Deepak Gupta, Ard Biesheuvel, Szabolcs Nagy, Kees Cook, "H.J. Lu", Paul Walmsley, Palmer Dabbelt, Albert Ou, Florian Weimer, Christian Brauner, Thiago Jung Bauermann, Ross Burton, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Subject: Re: [PATCH v10 23/40] arm64/signal: Set up and restore the GCS context for signal handlers
References: <20240801-arm64-gcs-v10-0-699e2bd2190b@kernel.org> <20240801-arm64-gcs-v10-23-699e2bd2190b@kernel.org>

On Wed, Aug 21, 2024 at 06:28:49PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:50PM +0100, Mark Brown wrote:

> > +	ret = copy_from_user(&cap, (__user void*)gcspr_el0, sizeof(cap));
> > +	if (ret)
> > +		return -EFAULT;

> Can the user change GCSPR_EL0 to a non-shadow-stack region, fake the
> cap before sigreturn? copy_from_user() cannot check it's a GCS page.
> Does it actually matter?

We don't take any steps to prevent that since I'm not clear that it
matters: as soon as userspace tries to use the non-GCS page as a GCS it
will fault.  Given the abundance of ways in which a signal handler can
cause a crash it didn't seem worth specific code; the cap token check is
about protecting an actual GCS.

> > +	/*
> > +	 * Push a cap and the GCS entry for the trampoline onto the GCS.
> > +	 */
> > +	put_user_gcs((unsigned long)sigtramp, gcspr_el0 - 2, &ret);
> > +	put_user_gcs(GCS_SIGNAL_CAP(gcspr_el0 - 1), gcspr_el0 - 1, &ret);
> > +	if (ret != 0)
> > +		return ret;

> Doesn't the second put_user_gcs() override the previous ret?

No, we only set ret on error: if the first one faults it'll set ret,
then the second one will either leave it unchanged or write the same
error code depending on whether it fails.  This idiom is used quite a
lot in the signal code.
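Review bot: copy_from_user() in the first quoted hunk only proves that gcspr_el0 points at readable user memory, not that it is a GCS page, which is exactly the concern raised in the review; since the reply's position is that a cap forged on a non-GCS page is harmless because any later use of that page as a GCS faults, that reasoning should sit in a comment above the read (e.g. `/* Only validates the cap; a non-GCS page faults on first use as a GCS */`) so a later reader does not mistake the token check for page-type validation. Minor style point on the same line: the kernel spelling of the address-space annotation is `(void __user *)gcspr_el0` rather than `(__user void*)gcspr_el0`.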
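Review bot: the two put_user_gcs() calls in the second hunk rely on the helper writing ret only on failure, which is what lets a single `if (ret != 0)` after both stores catch a fault in either; that contract is not visible in the hunk and has already confused one reviewer, so extend the block comment to state it (e.g. `* put_user_gcs() only sets ret on failure, so one check covers both.`). The check also assumes ret is 0 before the first store; that initialisation is outside the hunk and worth confirming.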
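The error-accumulating store idiom explained in the reply above, as an added example that is not part of the thread, the patch, or the kernel: a user-space C model in which a stand-in for put_user_gcs() writes its error argument only on failure, so one check after the two pushes at signal entry reports a fault in either store. The fake GCS array, the bounds check standing in for a page fault, and the cap encoding are all constructed placeholders (the real GCS_SIGNAL_CAP() layout is defined by the kernel, not here). A second, deliberately naive variant that assigns a returned status twice shows the lost-error behaviour the reviewer asked about, which the real idiom avoids.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the user's GCS mapping: GCS_SLOTS 8-byte
 * entries, indexed like gcspr_el0 in units of entries. Any index outside
 * [0, GCS_SLOTS) is "unmapped" and faults. */
#define GCS_SLOTS 8
static uint64_t fake_gcs[GCS_SLOTS];

/* Model of put_user_gcs(): store val at entry idx. On success *err is
 * left untouched; on failure it becomes -EFAULT. A successful call never
 * clears an earlier error, so one check after a run of calls reports
 * whether ANY of them faulted. */
static void put_user_gcs_sim(uint64_t val, long idx, int *err)
{
	if (idx < 0 || idx >= GCS_SLOTS) {
		*err = -EFAULT;
		return;
	}
	fake_gcs[idx] = val;
}

/* Placeholder cap encoding (assumption: low bit marks a token). The real
 * GCS_SIGNAL_CAP() layout is the kernel's, not this. */
static uint64_t fake_signal_cap(long idx)
{
	return ((uint64_t)idx << 3) | 1u;
}

/* Mirrors the quoted hunk: trampoline entry at gcspr-2, cap at gcspr-1,
 * then a single check. Returns 0 or -EFAULT. */
static int gcs_signal_entry_sim(uint64_t sigtramp, long gcspr)
{
	int ret = 0;	/* must start clean: only failures write it */

	put_user_gcs_sim(sigtramp, gcspr - 2, &ret);
	put_user_gcs_sim(fake_signal_cap(gcspr - 1), gcspr - 1, &ret);
	if (ret != 0)
		return ret;
	return 0;
}

/* Counter-example: a helper that returns its status instead. Assigning
 * the result twice loses a first-store fault whenever the second store
 * succeeds, which is the overwrite the review question was about. */
static int put_user_gcs_ret(uint64_t val, long idx)
{
	if (idx < 0 || idx >= GCS_SLOTS)
		return -EFAULT;
	fake_gcs[idx] = val;
	return 0;
}

static int naive_signal_entry_sim(uint64_t sigtramp, long gcspr)
{
	int ret;

	ret = put_user_gcs_ret(sigtramp, gcspr - 2);
	ret = put_user_gcs_ret(fake_signal_cap(gcspr - 1), gcspr - 1);
	return ret;	/* only reflects the second store */
}

int main(void)
{
	const uint64_t sigtramp = 0x1234;	/* constructed trampoline address */
	long gcspr;

	/* gcspr=1: first store faults, second succeeds (the interesting case);
	 * gcspr=5: both succeed; gcspr=9: second store faults. */
	for (gcspr = 1; gcspr <= 9; gcspr += 4) {
		memset(fake_gcs, 0, sizeof(fake_gcs));
		printf("gcspr=%ld accumulating=%d naive=%d\n", gcspr,
		       gcs_signal_entry_sim(sigtramp, gcspr),
		       naive_signal_entry_sim(sigtramp, gcspr));
	}
	return 0;
}
```

With gcspr=1 the accumulating version returns -EFAULT while the naive version returns 0: the first push faulted but the second succeeded and overwrote the status. That is the failure mode the "only set ret on error" contract is designed to rule out, and why ret must be zero before the first call.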