From: Borislav Petkov <bp@alien8.de>
To: Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc: x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-mm@kvack.org, linux-arch@vger.kernel.org,
linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
Dave Martin <Dave.Martin@arm.com>,
Weijiang Yang <weijiang.yang@intel.com>,
Pengfei Xu <pengfei.xu@intel.com>,
Haitao Huang <haitao.huang@intel.com>,
Rick P Edgecombe <rick.p.edgecombe@intel.com>
Subject: Re: [PATCH v29 26/32] x86/cet/shstk: Introduce shadow stack token setup/verify routines
Date: Thu, 26 Aug 2021 19:21:46 +0200 [thread overview]
Message-ID: <YSfNqo3xMBULne2a@zn.tnic> (raw)
In-Reply-To: <20210820181201.31490-27-yu-cheng.yu@intel.com>
On Fri, Aug 20, 2021 at 11:11:55AM -0700, Yu-cheng Yu wrote:
> A shadow stack restore token marks a restore point of the shadow stack, and
> the address in a token must point directly above the token, which is within
> the same shadow stack. This is distinctively different from other pointers
> on the shadow stack, since those pointers point to executable code area.
>
> The restore token can be used as an extra protection for signal handling.
> To deliver a signal, create a shadow stack restore token and put the token
> and the signal restorer address on the shadow stack. In sigreturn, verify
> the token and restore from it the shadow stack pointer.
I guess this all bla about signals needs to go now too...
> Introduce token setup and verify routines. Also introduce WRUSS, which is
> a kernel-mode instruction but writes directly to user shadow stack. It is
> used to construct user signal stack as described above.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
> Cc: Kees Cook <keescook@chromium.org>
...
> diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
> index 7c1ca2476a5e..548d0552f9b3 100644
> --- a/arch/x86/kernel/shstk.c
> +++ b/arch/x86/kernel/shstk.c
> @@ -20,6 +20,7 @@
> #include <asm/fpu/xstate.h>
> #include <asm/fpu/types.h>
> #include <asm/cet.h>
> +#include <asm/special_insns.h>
>
> static void start_update_msrs(void)
> {
> @@ -193,3 +194,142 @@ void shstk_disable(void)
>
> shstk_free(current);
> }
> +
> +static unsigned long get_user_shstk_addr(void)
> +{
> + struct fpu *fpu = ¤t->thread.fpu;
> + unsigned long ssp = 0;
Unneeded variable init.
> +
> + fpregs_lock();
> +
> + if (fpregs_state_valid(fpu, smp_processor_id())) {
> + rdmsrl(MSR_IA32_PL3_SSP, ssp);
> + } else {
> + struct cet_user_state *p;
> +
> + /*
> + * When !fpregs_state_valid() and get_xsave_addr() returns
What does "!fpregs_state_valid()" mean in English?
> + * null, XFEAUTRE_CET_USER is in init state. Shadow stack
XFEATURE_CET_USER
> + * pointer is null in this case, so return zero. This can
> + * happen when shadow stack is enabled, but its xstates in
s/its xstates/the shadow stack component/
> + * memory is corrupted.
> + */
> + p = get_xsave_addr(&fpu->state.xsave, XFEATURE_CET_USER);
> + if (p)
> + ssp = p->user_ssp;
else
ssp = 0;
and this way it is absolutely unambiguous what the comment says.
> + }
> +
> + fpregs_unlock();
> +
> + return ssp;
> +}
> +
> +/*
> + * Create a restore token on the shadow stack. A token is always 8-byte
> + * and aligned to 8.
> + */
> +static int create_rstor_token(bool ia32, unsigned long ssp,
s/ia32/proc32/g
> + unsigned long *token_addr)
> +{
> + unsigned long addr;
> +
> + /* Aligned to 8 is aligned to 4, so test 8 first */
> + if ((!ia32 && !IS_ALIGNED(ssp, 8)) || !IS_ALIGNED(ssp, 4))
> + return -EINVAL;
> +
> + addr = ALIGN_DOWN(ssp, 8) - 8;
> +
> + /* Is the token for 64-bit? */
> + if (!ia32)
> + ssp |= BIT(0);
> +
> + if (write_user_shstk_64((u64 __user *)addr, (u64)ssp))
> + return -EFAULT;
> +
> + *token_addr = addr;
> +
> + return 0;
> +}
...
> +/*
> + * Verify token_addr points to a valid token, and then set *new_ssp
"Verify the user shadow stack has a valid token on it, ... "
> + * according to the token.
> + */
> +int shstk_check_rstor_token(bool proc32, unsigned long *new_ssp)
> +{
> + unsigned long token_addr;
> + unsigned long token;
> + bool shstk32;
> +
> + token_addr = get_user_shstk_addr();
if (!token_addr)
return -EINVAL;
> +
> + if (get_user(token, (unsigned long __user *)token_addr))
> + return -EFAULT;
> +
> + /* Is mode flag correct? */
> + shstk32 = !(token & BIT(0));
> + if (proc32 ^ shstk32)
> + return -EINVAL;
> +
> + /* Is busy flag set? */
> + if (token & BIT(1))
> + return -EINVAL;
> +
> + /* Mask out flags */
> + token &= ~3UL;
> +
> + /*
> + * Restore address aligned?
> + */
Single line comment works too:
/* Restore address aligned? */
> + if ((!proc32 && !IS_ALIGNED(token, 8)) || !IS_ALIGNED(token, 4))
> + return -EINVAL;
> +
> + /*
> + * Token placed properly?
> + */
Ditto.
> + if (((ALIGN_DOWN(token, 8) - 8) != token_addr) || token >= TASK_SIZE_MAX)
> + return -EINVAL;
> +
> + *new_ssp = token;
> +
> + return 0;
> +}
> --
> 2.21.0
>
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
next prev parent reply other threads:[~2021-08-26 17:21 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-20 18:11 [PATCH v29 00/32] Control-flow Enforcement: Shadow Stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 01/32] Documentation/x86: Add CET description Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 02/32] x86/cet/shstk: Add Kconfig option for Shadow Stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 03/32] x86/cpufeatures: Add CET CPU feature flags for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 04/32] x86/cpufeatures: Introduce CPU setup and option parsing for CET Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 05/32] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 06/32] x86/cet: Add control-protection fault handler Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 07/32] x86/mm: Remove _PAGE_DIRTY from kernel RO pages Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 08/32] x86/mm: Move pmd_write(), pud_write() up in the file Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 09/32] x86/mm: Introduce _PAGE_COW Yu-cheng Yu
2021-08-21 19:20 ` Edgecombe, Rick P
2021-08-22 2:59 ` Edgecombe, Rick P
2021-08-20 18:11 ` [PATCH v29 10/32] drm/i915/gvt: Change _PAGE_DIRTY to _PAGE_DIRTY_BITS Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 11/32] x86/mm: Update pte_modify for _PAGE_COW Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 12/32] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_DIRTY to _PAGE_COW Yu-cheng Yu
2021-08-26 10:42 ` Borislav Petkov
2021-08-20 18:11 ` [PATCH v29 13/32] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 14/32] mm: Introduce VM_SHADOW_STACK for shadow stack memory Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 15/32] x86/mm: Shadow Stack page fault error checking Yu-cheng Yu
2021-08-26 10:55 ` Borislav Petkov
2021-08-20 18:11 ` [PATCH v29 16/32] x86/mm: Update maybe_mkwrite() for shadow stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 17/32] mm: Fixup places that call pte_mkwrite() directly Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 18/32] mm: Add guard pages around a shadow stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 19/32] mm/mmap: Add shadow stack pages to memory accounting Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 20/32] mm: Update can_follow_write_pte() for shadow stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 21/32] mm/mprotect: Exclude shadow stack from preserve_write Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 22/32] mm: Re-introduce vm_flags to do_mmap() Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 23/32] x86/cet/shstk: Add user-mode shadow stack support Yu-cheng Yu
2021-08-26 16:25 ` Borislav Petkov
2021-08-27 18:10 ` Yu, Yu-cheng
2021-08-27 18:21 ` Borislav Petkov
2021-08-27 18:37 ` Yu, Yu-cheng
2021-08-27 18:46 ` Borislav Petkov
2021-08-27 20:25 ` Dave Hansen
2021-09-01 13:00 ` Borislav Petkov
2021-09-01 15:24 ` Dave Hansen
2021-08-20 18:11 ` [PATCH v29 24/32] x86/process: Change copy_thread() argument 'arg' to 'stack_size' Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 25/32] x86/cet/shstk: Handle thread shadow stack Yu-cheng Yu
2021-08-26 16:50 ` Borislav Petkov
2021-08-26 17:22 ` H.J. Lu
2021-08-26 17:28 ` Borislav Petkov
2021-08-26 17:33 ` Yu, Yu-cheng
2021-08-26 17:25 ` Yu, Yu-cheng
2021-08-20 18:11 ` [PATCH v29 26/32] x86/cet/shstk: Introduce shadow stack token setup/verify routines Yu-cheng Yu
2021-08-26 17:21 ` Borislav Petkov [this message]
2021-08-20 18:11 ` [PATCH v29 27/32] x86/cet/shstk: Handle signals for shadow stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 28/32] ELF: Introduce arch_setup_elf_property() Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 29/32] x86/cet/shstk: Add arch_prctl functions for shadow stack Yu-cheng Yu
2021-08-20 18:11 ` [PATCH v29 30/32] mm: Move arch_calc_vm_prot_bits() to arch/x86/include/asm/mman.h Yu-cheng Yu
2021-08-20 18:12 ` [PATCH v29 31/32] mm: Update arch_validate_flags() to test vma anonymous Yu-cheng Yu
2021-08-20 18:12 ` [PATCH v29 32/32] mm: Introduce PROT_SHADOW_STACK for shadow stack Yu-cheng Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSfNqo3xMBULne2a@zn.tnic \
--to=bp@alien8.de \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=esyr@redhat.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=haitao.huang@intel.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=pengfei.xu@intel.com \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=rdunlap@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).