From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7698C2BBD1 for ; Mon, 14 Sep 2020 20:44:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B8CF520E65 for ; Mon, 14 Sep 2020 20:44:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726091AbgINUo4 (ORCPT ); Mon, 14 Sep 2020 16:44:56 -0400 Received: from mga18.intel.com ([134.134.136.126]:37837 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725984AbgINUoz (ORCPT ); Mon, 14 Sep 2020 16:44:55 -0400 IronPort-SDR: 6nrcm9dSy+DO/jvdZmLKmHnbZys6BAG4RBu3iA68hckXf0bv8JIsargF5GyFyh7NcAW2OqeA4U NbxM7z0VeD1w== X-IronPort-AV: E=McAfee;i="6000,8403,9744"; a="146898430" X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="146898430" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:54 -0700 IronPort-SDR: AkVfmk+B+R2AS1BdaSnCKau8ZPqZEqz9QQUtghb9wnE8lfT5XErlNWR4JSyOEhO3efMA9qoWq9 vHE3455/G5aw== X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="506491218" Received: from yyu32-mobl1.amr.corp.intel.com (HELO [10.212.244.74]) ([10.212.244.74]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:51 -0700 Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack To: Andy Lutomirski , Dave Hansen Cc: Dave Martin , "H.J. Lu" , Florian Weimer , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Weijiang Yang References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com> <4f2dfefc-b55e-bf73-f254-7d95f9c67e5c@intel.com> <20200901102758.GY6642@arm.com> <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com> <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> From: "Yu, Yu-cheng" Message-ID: <2d86fa40-3676-62b1-1571-90074ca65971@intel.com> Date: Mon, 14 Sep 2020 13:44:50 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-arch-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-arch@vger.kernel.org On 9/14/2020 11:31 AM, Andy Lutomirski wrote: >> On Sep 14, 2020, at 7:50 AM, Dave Hansen wrote: >> >> On 9/11/20 3:59 PM, Yu-cheng Yu wrote: >> ... >>> Here are the changes if we take the mprotect(PROT_SHSTK) approach. >>> Any comments/suggestions? >> >> I still don't like it. :) >> >> I'll also be much happier when there's a proper changelog to accompany >> this which also spells out the alternatives any why they suck so much. >> > > Let’s take a step back here. Ignoring the precise API, what exactly is > a shadow stack from the perspective of a Linux user program? > > The simplest answer is that it’s just memory that happens to have > certain protections. This enables all kinds of shenanigans. A > program could map a memfd twice, once as shadow stack and once as > non-shadow-stack, and change its control flow. Similarly, a program > could mprotect its shadow stack, modify it, and mprotect it back. In What if we do the following: - If the mapping has VM_SHARED, it cannot be turned to shadow stack. Shadow stack cannot be shared anyway. - Only allow an anonymous mapping to be converted to shadow stack, but not the other way. > some threat models, though could be seen as a WRSS bypass. (Although > if an attacker can coerce a process to call mprotect(), the game is > likely mostly over anyway.) > > But we could be more restrictive, or perhaps we could allow user code > to opt into more restrictions. For example, we could have shadow > stacks be special memory that cannot be written from usermode by any > means other than ptrace() and friends, WRSS, and actual shadow stack > usage. > > What is the goal? There primary goal is to allocate/mmap a shadow stack from user space. > > No matter what we do, the effects of calling vfork() are going to be a > bit odd with SHSTK enabled. I suppose we could disallow this, but > that seems likely to cause its own issues. > Do you mean vfork() has issues with call/return? That is taken care of in GLIBC. Or do you mean it has issues with mprotect(PROT_SHSTK)?