From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F01C2C433F5
	for <linux-mm@archiver.kernel.org>; Mon,  3 Oct 2022 23:21:31 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 8C1EF6B0073; Mon,  3 Oct 2022 19:21:31 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 871B18E0001; Mon,  3 Oct 2022 19:21:31 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 713036B0075; Mon,  3 Oct 2022 19:21:31 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 5BC166B0073
	for <linux-mm@kvack.org>; Mon,  3 Oct 2022 19:21:31 -0400 (EDT)
Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay09.hostedemail.com (Postfix) with ESMTP id 36FA28020D
	for <linux-mm@kvack.org>; Mon,  3 Oct 2022 23:21:31 +0000 (UTC)
X-FDA: 79981211982.23.4999CB6
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
	by imf20.hostedemail.com (Postfix) with ESMTP id CAD031C0022
	for <linux-mm@kvack.org>; Mon,  3 Oct 2022 23:21:29 +0000 (UTC)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dfw.source.kernel.org (Postfix) with ESMTPS id D242C61070;
	Mon,  3 Oct 2022 23:21:28 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A6E7FC433D6;
	Mon,  3 Oct 2022 23:21:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1664839288;
	bh=yamzuIFFkRskLclSUhT79/xfr8FDVLCU37aEmswN37Y=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=XVgO/DyUkp+jUFZzaWodSpcYO30efmUyxWXqEfnBsgqWN6brv8pRGUZn6JxSO//TS
	 rB+zrBuc7mbAJ5O9vl49m51WMIvxHPnKgwc+qvmyddipHTn1d3EJI9TCQ/TNegKh4O
	 BEu8x1CK5szkrXo6GQXkpLZZTp9iI5b2V/MAplaeSmlhlc13Sj4DcZUyxQadlstEl+
	 dGCSuIlxRVhuxm2LOgNilLzmrOranFb/RSTMrWJ5/wSial2F5GDp7iQz2yIVAOpdiJ
	 v8eVK+Ic+Pc0vPaRtZmrA64t42M0M5DevU3YbNWzEPNi5WGfqe2t975WruwfOU5PLi
	 X8Y9j91CYOeIg==
Message-ID: <ed5f3a95-2854-8b36-7ed9-f1d7ad0a2e51@kernel.org>
Date: Mon, 3 Oct 2022 16:21:25 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.12.0
Subject: Re: [OPTIONAL/RFC v2 39/39] x86: Add alt shadow stack support
Content-Language: en-US
To: Rick Edgecombe <rick.p.edgecombe@intel.com>, x86@kernel.org,
 "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>,
 Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
 linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org,
 linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
 Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>,
 Cyrill Gorcunov <gorcunov@gmail.com>,
 Dave Hansen <dave.hansen@linux.intel.com>,
 Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>,
 "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
 Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>,
 Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>,
 Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
 Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>,
 "Ravi V . Shankar" <ravi.v.shankar@intel.com>,
 Weijiang Yang <weijiang.yang@intel.com>,
 "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
 joao.moreira@intel.com, John Allen <john.allen@amd.com>, kcc@google.com,
 eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
 dethoma@microsoft.com
References: <20220929222936.14584-1-rick.p.edgecombe@intel.com>
 <20220929222936.14584-40-rick.p.edgecombe@intel.com>
From: Andy Lutomirski <luto@kernel.org>
In-Reply-To: <20220929222936.14584-40-rick.p.edgecombe@intel.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664839289; a=rsa-sha256;
	cv=none;
	b=OIewad82ykTCjA/HvClJO//Zlj4vuNzwY1/gVCwE9UCTYpYarDvObjzmhtbsCAtiP15B3r
	YJ3r+l0Tf9e8lZzYt5PHRUkagYmqvsuzvGU2iCXHrgS+BMb/aenRjcMj5PyORYhRX5/sBA
	qn93ONaWa9Rw6zGMNNoJUWm8/1U1SSs=
ARC-Authentication-Results: i=1;
	imf20.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b="XVgO/DyU";
	spf=pass (imf20.hostedemail.com: domain of luto@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=luto@kernel.org;
	dmarc=pass (policy=none) header.from=kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1664839289;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=BQPbLOsQeBFfMfr8IIX4pzlXRVl4e3zexfuVERQsI/s=;
	b=JBU0g+wW+vlbIgpLHbeqfsg761D9d9H0W0Ft8K0YxbooopCdWfx2j0Xpt3Y9BxCd2rC05e
	CQlnvD9pwBtZ0yICvz2ivOuaTpfIB1PHHr2N13XKCNfhYfU1h1baSKGT4rMomhfTY1Jz5E
	pEzGhVD87O/WF+o1Yb1rBNLJ+arQz58=
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: CAD031C0022
X-Rspam-User: 
Authentication-Results: imf20.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b="XVgO/DyU";
	spf=pass (imf20.hostedemail.com: domain of luto@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=luto@kernel.org;
	dmarc=pass (policy=none) header.from=kernel.org
X-Stat-Signature: 5zqngy43mu3ng8gxqpes8eya6sauku69
X-HE-Tag: 1664839289-302469
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 9/29/22 15:29, Rick Edgecombe wrote:
> To handle stack overflows, applications can register a separate signal alt
> stack to use for the stack to handle signals. To handle shadow stack
> overflows the kernel can similarly provide the ability to have an alt
> shadow stack.


The overall SHSTK mechanism has a concept of a shadow stack that is 
valid and not in use and a shadow stack that is in use.  This is used, 
for example, by RSTORSSP.  I would like to imagine that this serves a 
real purpose (presumably preventing two different threads from using the 
same shadow stack and thus corrupting each others' state).

So maybe altshstk should use exactly the same mechanism.  Either signal 
delivery should do the atomic very-and-mark-busy routine or registering 
the stack as an altstack should do it.

I think your patch has this maybe 1/3 implemented, but I don't see any 
atomics, and you seem to have removed (?) the code that actually 
modifies the token on the stack.

>   
> +static bool on_alt_shstk(unsigned long ssp)
> +{
> +	unsigned long alt_ss_start = current->thread.sas_shstk_sp;
> +	unsigned long alt_ss_end = alt_ss_start + current->thread.sas_shstk_size;
> +
> +	return ssp >= alt_ss_start && ssp < alt_ss_end;
> +}

We're forcing AUTODISARM behavior (right?), so I don't think this is 
needed at all.  User code is never "on the alt stack".  It's either "on 
the alt stack but the alt stack is disarmed, so it's not on the alt 
stack" or it's just straight up not on the alt stack.