| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Apr 2021 09:17:06 -0700
From: "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
To: Borislav Petkov <bp@...en8.de>
Cc: x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
Dave Martin <Dave.Martin@....com>,
Weijiang Yang <weijiang.yang@...el.com>,
Pengfei Xu <pengfei.xu@...el.com>,
Haitao Huang <haitao.huang@...el.com>
Subject: Re: [PATCH v26 22/30] x86/cet/shstk: Add user-mode shadow stack
support
On 4/29/2021 2:12 AM, Borislav Petkov wrote:
> On Wed, Apr 28, 2021 at 11:39:00AM -0700, Yu, Yu-cheng wrote:
>> Sorry about that. After that email thread, we went ahead to separate shadow
>> stack and ibt into different files. I thought about the struct, the file
>> names cet.h, etc. The struct still needs to include ibt status, and if it
>> is shstk_desc, the name is not entirely true. One possible approach is, we
>> don't make it a struct here, and put every item directly in thread_struct.
>> However, the benefit of putting all in a struct is understandable (you might
>> argue the opposite :-)). Please make the call, and I will do the change.
>
> /me looks forward into the patchset...
>
> So this looks like the final version of it:
>
> @@ -15,6 +15,7 @@ struct cet_status {
> unsigned long shstk_base;
> unsigned long shstk_size;
> unsigned int locked:1;
> + unsigned int ibt_enabled:1;
> };
>
> If so, that thing should be simply:
>
> struct cet {
> unsigned long shstk_base;
> unsigned long shstk_size;
> unsigned int shstk_lock : 1,
> ibt : 1;
> }
>
> Is that ibt flag per thread or why is it here? I guess I'll find out.
>
> /me greps...
>
> ah yes, it is.
>
The lock applies to both shadow stack and ibt. So maybe just "locked"?
>> Yes, the comments are in patch #23: Handle thread shadow stack. I wanted to
>> add that in the patch that takes the path.
>
> That comes next, I'll look there.
>
>>> vm_munmap() can return other negative error values, where are you
>>> handling those?
>>>
>>
>> For other error values, the loop stops.
>
> And then what happens?
>
>>>> + cet->shstk_base = 0;
>>>> + cet->shstk_size = 0;
>
> You clear those here without even checking whether unmap failed somehow.
> And then stuff leaks but we don't care, right?
>
> Someone else's problem, I'm sure.
>
vm_munmap() returns error as the following:
(1) -EINVAL: address/size/alignment is wrong.
For shadow stack, the kernel keeps track of it, this cannot/should not
happen. Should it happen, it is a bug. The kernel can probably do WARN().
(2) -ENOMEM: when doing __split_vma()/__vma_adjust(), kmem_cache_alloc()
fails.
Not much we can do. Perhaps WARN()?
(3) -EINTR: mmap_write_lock_killable(mm) fails.
This should only happen to a pthread. When a thread is existing, its
siblings are holding mm->mmap_lock. This is handled here.
Right now, in the kernel, only the munmap() syscall returns
__vm_munmap() error code, otherwise the error is not checked. Within
the kernel and if -EINTR is not expected, this makes sense as explained
above.
Thanks for questioning. This piece needs to be correct.
Yu-cheng
Powered by blists - more mailing lists