lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 3 Oct 2018 16:36:10 +0200
From:   Eugene Syromiatnikov <esyr@...hat.com>
To:     Yu-cheng Yu <yu-cheng.yu@...el.com>
Cc:     x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-mm@...ck.org,
        linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
        Arnd Bergmann <arnd@...db.de>,
        Andy Lutomirski <luto@...capital.net>,
        Balbir Singh <bsingharora@...il.com>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Florian Weimer <fweimer@...hat.com>,
        "H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
        Jonathan Corbet <corbet@....net>,
        Kees Cook <keescook@...omium.org>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
        Peter Zijlstra <peterz@...radead.org>,
        Randy Dunlap <rdunlap@...radead.org>,
        "Ravi V. Shankar" <ravi.v.shankar@...el.com>,
        Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>
Subject: Re: [RFC PATCH v4 20/27] x86/cet/shstk: Signal handling for shadow
 stack

On Fri, Sep 21, 2018 at 08:03:44AM -0700, Yu-cheng Yu wrote:
> When setting up a signal, the kernel creates a shadow stack
> restore token at the current SHSTK address and then stores the
> token's address in the signal frame, right after the FPU state.
> Before restoring a signal, the kernel verifies and then uses the
> restore token to set the SHSTK pointer.

> diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c
> index ec256ae27a31..5cc4be6e0982 100644
> --- a/arch/x86/kernel/cet.c
> +++ b/arch/x86/kernel/cet.c

> @@ -46,6 +47,69 @@ static unsigned long get_shstk_addr(void)
>  	return ptr;
>  }
>  
> +/*
> + * Verify the restore token at the address of 'ssp' is
> + * valid and then set shadow stack pointer according to the
> + * token.
> + */
> +static int verify_rstor_token(bool ia32, unsigned long ssp,
> +			      unsigned long *new_ssp)
> +{
> +	unsigned long token;
> +
> +	*new_ssp = 0;
> +
> +	if (!IS_ALIGNED(ssp, 8))
> +		return -EINVAL;
> +
> +	if (get_user(token, (unsigned long __user *)ssp))
> +		return -EFAULT;
> +

> +	/* Is 64-bit mode flag correct? */
> +	if (ia32 && (token & 3) != 0)
> +		return -EINVAL;
> +	else if ((token & 3) != 1)
> +		return -EINVAL;

It is probably worth adding constant names for these flags, example,
there's Section 2.4 in the currently available description[1], and
it took some time before I decided to look into other patches
and find the patch with the documentation (or finally notice section 2.7).

[1] https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

> +	token &= ~(1UL);
> +
> +	if ((!ia32 && !IS_ALIGNED(token, 8)) || !IS_ALIGNED(token, 4))
> +		return -EINVAL;
> +
> +	if ((ALIGN_DOWN(token, 8) - 8) != ssp)
> +		return -EINVAL;
> +
> +	*new_ssp = token;
> +	return 0;
> +}
> +
> +/*
> + * Create a restore token on the shadow stack.
> + * A token is always 8-byte and aligned to 8.
> + */
> +static int create_rstor_token(bool ia32, unsigned long ssp,
> +			      unsigned long *new_ssp)
> +{
> +	unsigned long addr;
> +
> +	*new_ssp = 0;
> +
> +	if ((!ia32 && !IS_ALIGNED(ssp, 8)) || !IS_ALIGNED(ssp, 4))
> +		return -EINVAL;

Maybe refactor this check into a separate function/macro?

> +
> +	addr = ALIGN_DOWN(ssp, 8) - 8;
> +
> +	/* Is the token for 64-bit? */
> +	if (!ia32)
> +		ssp |= 1;

Again, usage of a named constant might document it better.

> +
> +	if (write_user_shstk_64(addr, ssp))

This function is defined in "[RFC PATCH v4 19/27] x86/cet/shstk:
Introduce WRUSS instruction"

> +		return -EFAULT;
> +
> +	*new_ssp = addr;
> +	return 0;
> +}
> +
>  int cet_setup_shstk(void)
>  {
>  	unsigned long addr, size;
> @@ -107,3 +171,54 @@ void cet_disable_free_shstk(struct task_struct *tsk)
>  
>  	tsk->thread.cet.shstk_enabled = 0;
>  }
> +
> +int cet_restore_signal(unsigned long ssp)
> +{
> +	unsigned long new_ssp;
> +	int err;
> +
> +	if (!current->thread.cet.shstk_enabled)
> +		return 0;
> +
> +	err = verify_rstor_token(in_ia32_syscall(), ssp, &new_ssp);
> +
> +	if (err)
> +		return err;
> +
> +	return set_shstk_ptr(new_ssp);
> +}
> +
> +/*
> + * Setup the shadow stack for the signal handler: first,
> + * create a restore token to keep track of the current ssp,
> + * and then the return address of the signal handler.
> + */
> +int cet_setup_signal(bool ia32, unsigned long rstor_addr,
> +		     unsigned long *new_ssp)
> +{
> +	unsigned long ssp;
> +	int err;
> +
> +	if (!current->thread.cet.shstk_enabled)
> +		return 0;
> +
> +	ssp = get_shstk_addr();
> +	err = create_rstor_token(ia32, ssp, new_ssp);
> +
> +	if (err)
> +		return err;
> +
> +	if (ia32) {
> +		ssp = *new_ssp - sizeof(u32);
> +		err = write_user_shstk_32(ssp, (unsigned int)rstor_addr);
> +	} else {
> +		ssp = *new_ssp - sizeof(u64);
> +		err = write_user_shstk_64(ssp, rstor_addr);
> +	}
> +
> +	if (err)
> +		return err;
> +
> +	set_shstk_ptr(ssp);
> +	return 0;
> +}
> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> index 92a3b312a53c..e9a85689143f 100644
> --- a/arch/x86/kernel/signal.c
> +++ b/arch/x86/kernel/signal.c
> @@ -46,6 +46,7 @@
>  
>  #include <asm/sigframe.h>
>  #include <asm/signal.h>
> +#include <asm/cet.h>
>  
>  #define COPY(x)			do {			\
>  	get_user_ex(regs->x, &sc->x);			\
> @@ -152,6 +153,10 @@ static int restore_sigcontext(struct pt_regs *regs,
>  
>  	err |= fpu__restore_sig(buf, IS_ENABLED(CONFIG_X86_32));
>  
> +#ifdef CONFIG_X86_64
> +	err |= restore_sigcontext_ext(buf);
> +#endif
> +
>  	force_iret();
>  
>  	return err;
> @@ -266,6 +271,11 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>  	}
>  

>  	if (fpu->initialized) {
> +#ifdef CONFIG_X86_64
> +		/* sigcontext extension */
> +		if (boot_cpu_has(X86_FEATURE_SHSTK))
> +			sp -= sizeof(struct sc_ext) + 8;
> +#endif
>  		sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
>  					  &buf_fx, &math_size);

That might be refactored in a separate function.

Also, it looks like that possible padding for 8-byte alignment
(copy_ext_{to,from}_user) is not accounted here.

>  		*fpstate = (void __user *)sp;
> @@ -493,6 +503,9 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
>  	err |= setup_sigcontext(&frame->uc.uc_mcontext, fp, regs, set->sig[0]);
>  	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
>  
> +	if (!err)
> +		err = setup_sigcontext_ext(ksig, fp);
> +

Why is this not in setup_sigcontext, for example?

>  	if (err)
>  		return -EFAULT;
>  
> @@ -576,6 +589,9 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
>  				regs, set->sig[0]);
>  	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
>  
> +	if (!err)
> +		err = setup_sigcontext_ext(ksig, fpstate);
> +
>  	if (err)
>  		return -EFAULT;
>  
> @@ -707,6 +723,86 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
>  	}
>  }
>  
> +#ifdef CONFIG_X86_64
> +static int copy_ext_from_user(struct sc_ext *ext, void __user *fpu)
> +{
> +	void __user *p;
> +
> +	if (!fpu)
> +		return -EINVAL;
> +
> +	p = fpu + fpu_user_xstate_size + FP_XSTATE_MAGIC2_SIZE;
> +	p = (void __user *)ALIGN((unsigned long)p, 8);
> +
> +	if (!access_ok(VERIFY_READ, p, sizeof(*ext)))
> +		return -EFAULT;
> +
> +	if (__copy_from_user(ext, p, sizeof(*ext)))
> +		return -EFAULT;
> +
> +	if (ext->total_size != sizeof(*ext))
> +		return -EINVAL;
> +	return 0;
> +}
> +
> +static int copy_ext_to_user(void __user *fpu, struct sc_ext *ext)
> +{
> +	void __user *p;
> +
> +	if (!fpu)
> +		return -EINVAL;
> +
> +	if (ext->total_size != sizeof(*ext))
> +		return -EINVAL;
> +
> +	p = fpu + fpu_user_xstate_size + FP_XSTATE_MAGIC2_SIZE;
> +	p = (void __user *)ALIGN((unsigned long)p, 8);
> +
> +	if (!access_ok(VERIFY_WRITE, p, sizeof(*ext)))
> +		return -EFAULT;
> +
> +	if (__copy_to_user(p, ext, sizeof(*ext)))
> +		return -EFAULT;
> +
> +	return 0;
> +}
> +
> +int restore_sigcontext_ext(void __user *fp)
> +{
> +	int err = 0;
> +
> +	if (boot_cpu_has(X86_FEATURE_SHSTK) && fp) {
> +		struct sc_ext ext = {0, 0};
> +
> +		err = copy_ext_from_user(&ext, fp);
> +
> +		if (!err)
> +			err = cet_restore_signal(ext.ssp);
> +	}
> +
> +	return err;
> +}
> +
> +int setup_sigcontext_ext(struct ksignal *ksig, void __user *fp)
> +{
> +	int err = 0;
> +
> +	if (boot_cpu_has(X86_FEATURE_SHSTK) && fp) {
> +		struct sc_ext ext = {0, 0};
> +		unsigned long rstor;
> +
> +		rstor = (unsigned long)ksig->ka.sa.sa_restorer;
> +		err = cet_setup_signal(is_ia32_frame(ksig), rstor, &ext.ssp);
> +		if (!err) {
> +			ext.total_size = sizeof(ext);
> +			err = copy_ext_to_user(fp, &ext);
> +		}
> +	}
> +
> +	return err;
> +}
> +#endif
> +
>  static void
>  handle_signal(struct ksignal *ksig, struct pt_regs *regs)
>  {
> -- 
> 2.17.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ