From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BD94C77B62 for ; Sun, 19 Mar 2023 00:16:56 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 46C1E280021; Sat, 18 Mar 2023 20:16:55 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 3F2FA280001; Sat, 18 Mar 2023 20:16:55 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0E81B280022; Sat, 18 Mar 2023 20:16:55 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id E5B76280001 for ; Sat, 18 Mar 2023 20:16:54 -0400 (EDT) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id B7964C0CF5 for ; Sun, 19 Mar 2023 00:16:54 +0000 (UTC) X-FDA: 80583732348.20.ADBAB9F Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by imf30.hostedemail.com (Postfix) with ESMTP id B461C80014 for ; Sun, 19 Mar 2023 00:16:52 +0000 (UTC) Authentication-Results: imf30.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=lQdokpHL; spf=pass (imf30.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.115 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1679185013; a=rsa-sha256; cv=none; b=CxZFh/8gJMbWi6OLDqSqVPIQ/SMlVEaQ5n3haKoEgUSmatKzO3zBAqOUbrhriYb1CTJITK xd5AsRQ/kugrgSBBtVFzPMwaPMFt1MkcdbJrMhoH0wTm9N6mx1AVjLEu4/Ud37cUDqGD6P OrcH7syK2EY4jBieBwtQWSpyC9olZiA= ARC-Authentication-Results: i=1; imf30.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=lQdokpHL; spf=pass (imf30.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.115 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1679185013; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:dkim-signature; bh=f2N7NeFbDpnW0PteYmflUApJP8SLzh237LLNBHrJXWg=; b=maaXdzTr6jtuOhl+3Z7wjxkiUwI6QGFN1zIg2kZLBVAHs8rS7NRVC5WmqHYju0DtK9Lxcw PZcM2V7jvdMRaoA+hTFss3TBSDlgNnXpy+JI8F4xx6y46vuoFsjcXnd3qKR4rXkj/W7eYa XmavkHzfsZxqTIhpmM0RsEEHXNmO3so= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679185012; x=1710721012; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=yPUIYMNlxQJ7Nq6500igNTRtdiMTwrmDSrCHmUaqViI=; b=lQdokpHLbDQF8QZp1+v4J+/OY+b0DSmR3jCRtA37JxgFHiMgTPQlsamY zBN5mlf9yR0GAsEfQ1KpvdXfu9wyQ0+towsfmiyxFDGcta/abl60dehyS 6jXuvR/mW3peC9nuwm9/YJPCFlLebeO9LzyTykikuglLEnRygNWkUAmiH mJIV0tiJa9aHEI6DdhQC39fEuQbPBbpAgfjSakhQ0vcsZfg3+phH6pKoD 1ZvLPfLTuLzW5ekBTh3/UnmP+IaH3g5L/eckiX7uMitxFfR4guSVe2FxS XMUAqkVhaMBvPNA9GoIxEWBY9LrLPQjEBGi9DTIs956/6hw1YGhNq4CBN Q==; X-IronPort-AV: E=McAfee;i="6600,9927,10653"; a="338491478" X-IronPort-AV: E=Sophos;i="5.98,272,1673942400"; d="scan'208";a="338491478" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2023 17:16:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10653"; a="749672961" X-IronPort-AV: E=Sophos;i="5.98,272,1673942400"; d="scan'208";a="749672961" Received: from bmahatwo-mobl1.gar.corp.intel.com (HELO rpedgeco-desk.amr.corp.intel.com) ([10.135.34.5]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2023 17:16:48 -0700 From: Rick Edgecombe To: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com Cc: rick.p.edgecombe@intel.com Subject: [PATCH v8 33/40] x86/shstk: Introduce map_shadow_stack syscall Date: Sat, 18 Mar 2023 17:15:28 -0700 Message-Id: <20230319001535.23210-34-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230319001535.23210-1-rick.p.edgecombe@intel.com> References: <20230319001535.23210-1-rick.p.edgecombe@intel.com> X-Rspam-User: X-Rspamd-Queue-Id: B461C80014 X-Rspamd-Server: rspam01 X-Stat-Signature: txbedyzps61mde4x1zpjddwd9gz6e8pz X-HE-Tag: 1679185012-529417 X-HE-Meta: U2FsdGVkX19VYi70E8PH5V1DpbhXM2SOqwdaQjbPsEZMZ77jNyhRckLzq/z80A3Kjl8oCO4xKtpBLyGNXM8YQ3guPo09GByQoNcTXoJW33geuCcdytpCRKIepti3OYamf0d28dL79U8hbHBzRiVnHBdne6puDWWUTPhjtiFjZY3ym5nk8IvBZOdgaQHYCTg3c0bdGQ1Nrsi6Om7oLoDf9hJjOQeEGP5vujStnbYSz+Br6U+Ynmd58HbCeDojckAQz9nvbgJG1z+K85jOcC4P+SIc8Cq3VirRfm1UPplrEnmtW5PBen0BFlCF/YG8g6R8e03J6FV13fjRbjlhXqAdG44X5LE++bNKfoQX0nMGEAzAFHEhg+xGLXmWEgTzmzOYER+bMD7AVaIEIMn3jDp67z1ghqMYtAUKcdwSo7YGdxqV5ZXBjcPvqgXhPb9v1Qx2qxfOlKKGX6GFm4clQe8Lk5QKCqzZG4qAh1+60Hn8/dt7pQWadMK4qJUiNSr3+onGrBE0b6kIb4Evm19BKkh1M5KPCzdny3sy/5ivS3SvKj3Y1mvawmOf48GdxwsLUQWv5qg2TyfhE+NX/nHLx0EjZnowXOrTTevNFRt/xDGTNNr2n6rUiC8IbDX6kEgm5g4+alb2YRVeIyL3ErNrtWn4V7xA19TK93mfvJBXhGArujHhAPj+mpKnx2fPac8dYtUomHrh9Nhb528FOYg83oSRtQmqMR4jmQMTNpRVgw5NxCxff4hpskElv5w2veSIYhGvjHo3vwdQ3qHXU94StJZFwPIuyZElwntv+u4UUjxrqXu8ijd6ZhA+ebooEJQiYNPXsEeg+Y+1qgrMpFq4fMG8u9Ti37OUesUXKrE8FgZuioBTIh2FxVJRSckG2qa288pZnaoA1e/GPbXVNnPgoNpItcFqGDccht3RPVIimPYj88iWD8rehimQXj3RD2XyQflko1RFP9moEsH09mz5NmE 61+wsmfd /b+oqJpg/HhHbhxZtmIXlB8usDN90/LQp4gLyNzQbM/zTLhzahqbiPJBlZ4nX2LS80g6BGmxg+8t+YKGJ90e/AURhwzxaRruEP8rD4bqf2MC9iBMLHRk3JPJFbAVPjTjRweXLvK9OMPW0KIW29YhGNsQjUp2+k1aTrV6WY7ArzmfapLl78nuMVlpfBgKJs7kWjAGjqK6gwqfNCKEJBYChBr+K3OkTQEQX66qJAFR82nIGWj47Ja6dUcExM+E92VmCCq8DmLuXxf3Z7ftnbouX0irjocdYR4B3MGGOJb6ME+N+qsLd9iwFZzVzgjeMUJJkizuO+Mse1TZGTD+VAHYRjheFPCpJ/Ud3ptbavo+MWBhp3kQurBIxdFwIF1cFkDHflx8MLbMW1Nkpc+N2apZjfKACZQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: When operating with shadow stacks enabled, the kernel will automatically allocate shadow stacks for new threads, however in some cases userspace will need additional shadow stacks. The main example of this is the ucontext family of functions, which require userspace allocating and pivoting to userspace managed stacks. Unlike most other user memory permissions, shadow stacks need to be provisioned with special data in order to be useful. They need to be setup with a restore token so that userspace can pivot to them via the RSTORSSP instruction. But, the security design of shadow stacks is that they should not be written to except in limited circumstances. This presents a problem for userspace, as to how userspace can provision this special data, without allowing for the shadow stack to be generally writable. Previously, a new PROT_SHADOW_STACK was attempted, which could be mprotect()ed from RW permissions after the data was provisioned. This was found to not be secure enough, as other threads could write to the shadow stack during the writable window. The kernel can use a special instruction, WRUSS, to write directly to userspace shadow stacks. So the solution can be that memory can be mapped as shadow stack permissions from the beginning (never generally writable in userspace), and the kernel itself can write the restore token. First, a new madvise() flag was explored, which could operate on the PROT_SHADOW_STACK memory. This had a couple of downsides: 1. Extra checks were needed in mprotect() to prevent writable memory from ever becoming PROT_SHADOW_STACK. 2. Extra checks/vma state were needed in the new madvise() to prevent restore tokens being written into the middle of pre-used shadow stacks. It is ideal to prevent restore tokens being added at arbitrary locations, so the check was to make sure the shadow stack had never been written to. 3. It stood out from the rest of the madvise flags, as more of direct action than a hint at future desired behavior. So rather than repurpose two existing syscalls (mmap, madvise) that don't quite fit, just implement a new map_shadow_stack syscall to allow userspace to map and setup new shadow stacks in one step. While ucontext is the primary motivator, userspace may have other unforeseen reasons to setup its own shadow stacks using the WRSS instruction. Towards this provide a flag so that stacks can be optionally setup securely for the common case of ucontext without enabling WRSS. Or potentially have the kernel set up the shadow stack in some new way. The following example demonstrates how to create a new shadow stack with map_shadow_stack: void *shstk = map_shadow_stack(addr, stack_size, SHADOW_STACK_SET_TOKEN); Signed-off-by: Rick Edgecombe Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook --- v8: - Update commit log verbiage (Boris) - Use SZ_4G (Boris) - Return different error codes for each reason (Boris) v5: - Fix addr/mapped_addr (Kees) - Switch to EOPNOTSUPP (Kees suggested ENOTSUPP, but checkpatch suggests this) - Return error for addresses below 4G v3: - Change syscall common -> 64 (Kees) - Use bit shift notation instead of 0x1 for uapi header (Kees) - Call do_mmap() with MAP_FIXED_NOREPLACE (Kees) - Block unsupported flags (Kees) - Require size >= 8 to set token (Kees) v2: - Change syscall to take address like mmap() for CRIU's usage --- arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/x86/include/uapi/asm/mman.h | 3 ++ arch/x86/kernel/shstk.c | 59 ++++++++++++++++++++++---- include/linux/syscalls.h | 1 + include/uapi/asm-generic/unistd.h | 2 +- kernel/sys_ni.c | 1 + 6 files changed, 58 insertions(+), 9 deletions(-) diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index c84d12608cd2..f65c671ce3b1 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -372,6 +372,7 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 64 map_shadow_stack sys_map_shadow_stack # # Due to a historical design error, certain syscalls are numbered differently diff --git a/arch/x86/include/uapi/asm/mman.h b/arch/x86/include/uapi/asm/mman.h index 5a0256e73f1e..8148bdddbd2c 100644 --- a/arch/x86/include/uapi/asm/mman.h +++ b/arch/x86/include/uapi/asm/mman.h @@ -13,6 +13,9 @@ ((key) & 0x8 ? VM_PKEY_BIT3 : 0)) #endif +/* Flags for map_shadow_stack(2) */ +#define SHADOW_STACK_SET_TOKEN (1ULL << 0) /* Set up a restore token in the shadow stack */ + #include #endif /* _ASM_X86_MMAN_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index f02e8ea4f1b5..6d2531ce661c 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -71,19 +72,31 @@ static int create_rstor_token(unsigned long ssp, unsigned long *token_addr) return 0; } -static unsigned long alloc_shstk(unsigned long size) +static unsigned long alloc_shstk(unsigned long addr, unsigned long size, + unsigned long token_offset, bool set_res_tok) { int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_ABOVE4G; struct mm_struct *mm = current->mm; - unsigned long addr, unused; + unsigned long mapped_addr, unused; - mmap_write_lock(mm); - addr = do_mmap(NULL, 0, size, PROT_READ, flags, - VM_SHADOW_STACK | VM_WRITE, 0, &unused, NULL); + if (addr) + flags |= MAP_FIXED_NOREPLACE; + mmap_write_lock(mm); + mapped_addr = do_mmap(NULL, addr, size, PROT_READ, flags, + VM_SHADOW_STACK | VM_WRITE, 0, &unused, NULL); mmap_write_unlock(mm); - return addr; + if (!set_res_tok || IS_ERR_VALUE(mapped_addr)) + goto out; + + if (create_rstor_token(mapped_addr + token_offset, NULL)) { + vm_munmap(mapped_addr, size); + return -EINVAL; + } + +out: + return mapped_addr; } static unsigned long adjust_shstk_size(unsigned long size) @@ -134,7 +147,7 @@ static int shstk_setup(void) return -EOPNOTSUPP; size = adjust_shstk_size(0); - addr = alloc_shstk(size); + addr = alloc_shstk(0, size, 0, false); if (IS_ERR_VALUE(addr)) return PTR_ERR((void *)addr); @@ -178,7 +191,7 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *tsk, unsigned long cl return 0; size = adjust_shstk_size(stack_size); - addr = alloc_shstk(size); + addr = alloc_shstk(0, size, 0, false); if (IS_ERR_VALUE(addr)) return addr; @@ -368,6 +381,36 @@ static int shstk_disable(void) return 0; } +SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags) +{ + bool set_tok = flags & SHADOW_STACK_SET_TOKEN; + unsigned long aligned_size; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + if (flags & ~SHADOW_STACK_SET_TOKEN) + return -EINVAL; + + /* If there isn't space for a token */ + if (set_tok && size < 8) + return -ENOSPC; + + if (addr && addr < SZ_4G) + return -ERANGE; + + /* + * An overflow would result in attempting to write the restore token + * to the wrong location. Not catastrophic, but just return the right + * error code and block it. + */ + aligned_size = PAGE_ALIGN(size); + if (aligned_size < size) + return -EOVERFLOW; + + return alloc_shstk(addr, aligned_size, size, set_tok); +} + long shstk_prctl(struct task_struct *task, int option, unsigned long features) { if (option == ARCH_SHSTK_LOCK) { diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 33a0ee3bcb2e..392dc11e3556 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -1058,6 +1058,7 @@ asmlinkage long sys_memfd_secret(unsigned int flags); asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len, unsigned long home_node, unsigned long flags); +asmlinkage long sys_map_shadow_stack(unsigned long addr, unsigned long size, unsigned int flags); /* * Architecture-specific system calls diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 45fa180cc56a..b12940ec5926 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -887,7 +887,7 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv) __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node) #undef __NR_syscalls -#define __NR_syscalls 451 +#define __NR_syscalls 452 /* * 32 bit systems traditionally used different diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 860b2dcf3ac4..cb9aebd34646 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -381,6 +381,7 @@ COND_SYSCALL(vm86old); COND_SYSCALL(modify_ldt); COND_SYSCALL(vm86); COND_SYSCALL(kexec_file_load); +COND_SYSCALL(map_shadow_stack); /* s390 */ COND_SYSCALL(s390_pci_mmio_read); -- 2.17.1