[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrVOyZz72RuoRB=z_EjFTqqctSLfX30GM+MSEVtbcd=PeQ@mail.gmail.com>
Date: Tue, 12 Jun 2018 09:31:26 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Yu-cheng Yu <yu-cheng.yu@...el.com>
Cc: Andrew Lutomirski <luto@...nel.org>, bsingharora@...il.com,
LKML <linux-kernel@...r.kernel.org>, linux-doc@...r.kernel.org,
Linux-MM <linux-mm@...ck.org>,
linux-arch <linux-arch@...r.kernel.org>, X86 ML <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. J. Lu" <hjl.tools@...il.com>,
"Shanbhogue, Vedvyas" <vedvyas.shanbhogue@...el.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Jonathan Corbet <corbet@....net>,
Oleg Nesterov <oleg@...hat.com>, Arnd Bergmann <arnd@...db.de>,
mike.kravetz@...cle.com
Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3)
On Tue, Jun 12, 2018 at 9:24 AM Yu-cheng Yu <yu-cheng.yu@...el.com> wrote:
>
> On Tue, 2018-06-12 at 09:00 -0700, Andy Lutomirski wrote:
> > On Tue, Jun 12, 2018 at 8:06 AM Yu-cheng Yu <yu-cheng.yu@...el.com> wrote:
> > >
> > > On Tue, 2018-06-12 at 20:56 +1000, Balbir Singh wrote:
> > > >
> > > > On 08/06/18 00:37, Yu-cheng Yu wrote:
> > > > > This series introduces CET - Shadow stack
> > > > >
> > > > > At the high level, shadow stack is:
> > > > >
> > > > > Allocated from a task's address space with vm_flags VM_SHSTK;
> > > > > Its PTEs must be read-only and dirty;
> > > > > Fixed sized, but the default size can be changed by sys admin.
> > > > >
> > > > > For a forked child, the shadow stack is duplicated when the next
> > > > > shadow stack access takes place.
> > > > >
> > > > > For a pthread child, a new shadow stack is allocated.
> > > > >
> > > > > The signal handler uses the same shadow stack as the main program.
> > > > >
> > > >
> > > > Even with sigaltstack()?
> > > >
> > > >
> > > > Balbir Singh.
> > >
> > > Yes.
> > >
> >
> > I think we're going to need some provision to add an alternate signal
> > stack to handle the case where the shadow stack overflows.
>
> The shadow stack stores only return addresses; its consumption will not
> exceed a percentage of (program stack size + sigaltstack size) before
> those overflow. When that happens, there is usually very little we can
> do. So we set a default shadow stack size that supports certain nested
> calls and allow sys admin to adjust it.
>
Of course there's something you can do: add a sigaltstack-like stack
switching mechanism. Have a reserve shadow stack and, when a signal
is delivered (possibly guarded by other conditions like "did the
shadow stack overflow"), switch to a new shadow stack and maybe write
a special token to the new shadow stack that says "signal delivery
jumped here and will restore to the previous shadow stack and
such-and-such address on return".
Also, I have a couple of other questions after reading the
documentation some more:
1. Why on Earth does INCSSP only take an 8-bit number of frames to
skip? It seems to me that code that calls setjmp() and then calls
longjmp() while nested more than 256 function call levels will crash.
2. The mnemonic RSTORSSP makes no sense to me. RSTORSSP is a stack
*switch* operation not a stack *restore* operation, unless I'm
seriously misunderstanding.
3. Is there anything resembling clear documentation of the format of
the shadow stack? That is, what types of values might be found on the
shadow stack and what do they all mean?
4. Usually Intel doesn't submit upstream Linux patches for ISA
extensions until the ISA is documented for real. CET does not appear
to be documented for real. Could Intel kindly release something that
at least claims to be authoritative documentation?
--Andy
Powered by blists - more mailing lists