From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E1F0C43461 for ; Mon, 26 Apr 2021 18:01:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 54A2F60240 for ; Mon, 26 Apr 2021 18:01:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235847AbhDZSBr (ORCPT ); Mon, 26 Apr 2021 14:01:47 -0400 Received: from mga06.intel.com ([134.134.136.31]:20514 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235357AbhDZSBr (ORCPT ); Mon, 26 Apr 2021 14:01:47 -0400 IronPort-SDR: DHMRGsqCkDzc30UCqVOFr+y9UtijMsne/6X/Xn1cjj6JN5H3t5byTc2K4XSYVMe4Q75NJAblIE LQ6Qlal7EAUg== X-IronPort-AV: E=McAfee;i="6200,9189,9966"; a="257683199" X-IronPort-AV: E=Sophos;i="5.82,252,1613462400"; d="scan'208";a="257683199" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Apr 2021 11:01:00 -0700 IronPort-SDR: K8cA858LlMyW2WrbT3P+DmNpVokOFgZuLVKN6Qcgrul5wvhMk4IOD+I9+DUpFMPPSMiSf1xXUh +qUVw8CigAcQ== X-IronPort-AV: E=Sophos;i="5.82,252,1613462400"; d="scan'208";a="422745165" Received: from yyu32-mobl1.amr.corp.intel.com (HELO [10.212.73.213]) ([10.212.73.213]) by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Apr 2021 11:00:58 -0700 Subject: Re: [PATCH v25 30/30] mm: Introduce PROT_SHSTK for shadow stack To: "Kirill A. Shutemov" Cc: x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang , Pengfei Xu , Haitao Huang , "Kirill A . Shutemov" References: <20210415221419.31835-1-yu-cheng.yu@intel.com> <20210415221419.31835-31-yu-cheng.yu@intel.com> <20210426065243.ozh6doz6q5xonrqe@box.shutemov.name> From: "Yu, Yu-cheng" Message-ID: Date: Mon, 26 Apr 2021 11:00:58 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 MIME-Version: 1.0 In-Reply-To: <20210426065243.ozh6doz6q5xonrqe@box.shutemov.name> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org On 4/25/2021 11:52 PM, Kirill A. Shutemov wrote: > On Thu, Apr 15, 2021 at 03:14:19PM -0700, Yu-cheng Yu wrote: >> There are three possible options to create a shadow stack allocation API: >> an arch_prctl, a new syscall, or adding PROT_SHSTK to mmap()/mprotect(). >> Each has its advantages and compromises. >> >> An arch_prctl() is the least intrusive. However, the existing x86 >> arch_prctl() takes only two parameters. Multiple parameters must be >> passed in a memory buffer. There is a proposal to pass more parameters in >> registers [1], but no active discussion on that. >> >> A new syscall minimizes compatibility issues and offers an extensible frame >> work to other architectures, but this will likely result in some overlap of >> mmap()/mprotect(). >> >> The introduction of PROT_SHSTK to mmap()/mprotect() takes advantage of > > Maybe PROT_SHADOW_STACK? > >> existing APIs. The x86-specific PROT_SHSTK is translated to >> VM_SHADOW_STACK and a shadow stack mapping is created without reinventing >> the wheel. There are potential pitfalls though. The most obvious one >> would be using this as a bypass to shadow stack protection. However, the >> attacker would have to get to the syscall first. >> >> [1] https://lore.kernel.org/lkml/20200828121624.108243-1-hjl.tools@gmail.com/ >> >> Signed-off-by: Yu-cheng Yu >> Cc: Kees Cook >> Cc: Kirill A. Shutemov >> --- >> v24: >> - Update arch_calc_vm_prot_bits(), leave PROT* checking to >> arch_validate_prot(). >> - Update arch_validate_prot(), leave vma flags checking to >> arch_validate_flags(). >> - Add arch_validate_flags(). >> >> arch/x86/include/asm/mman.h | 59 +++++++++++++++++++++++++++++++- >> arch/x86/include/uapi/asm/mman.h | 1 + >> include/linux/mm.h | 1 + >> 3 files changed, 60 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h >> index 629f6c81263a..1821c179f35d 100644 >> --- a/arch/x86/include/asm/mman.h >> +++ b/arch/x86/include/asm/mman.h [...] >> + >> +#define arch_validate_prot arch_validate_prot >> + >> +static inline bool arch_validate_flags(unsigned long vm_flags, bool is_anon) >> +{ >> + if (vm_flags & VM_SHADOW_STACK) { >> + if ((vm_flags & VM_SHARED) || !is_anon) > > VM_SHARED check is redundant. vma_is_anonymous() should be enough. > Anonymous shared mappings would fail vma_is_anonymous(). > Thanks for looking into this. I will update and send another version. Yu-cheng