lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 17 May 2021 13:55:01 -0700
From:   "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-mm@...ck.org,
        linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
        Arnd Bergmann <arnd@...db.de>,
        Andy Lutomirski <luto@...nel.org>,
        Balbir Singh <bsingharora@...il.com>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Eugene Syromiatnikov <esyr@...hat.com>,
        Florian Weimer <fweimer@...hat.com>,
        "H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
        Jonathan Corbet <corbet@....net>,
        Kees Cook <keescook@...omium.org>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
        Peter Zijlstra <peterz@...radead.org>,
        Randy Dunlap <rdunlap@...radead.org>,
        "Ravi V. Shankar" <ravi.v.shankar@...el.com>,
        Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
        Dave Martin <Dave.Martin@....com>,
        Weijiang Yang <weijiang.yang@...el.com>,
        Pengfei Xu <pengfei.xu@...el.com>,
        Haitao Huang <haitao.huang@...el.com>
Subject: Re: [PATCH v26 24/30] x86/cet/shstk: Introduce shadow stack token
 setup/verify routines

On 5/17/2021 12:45 AM, Borislav Petkov wrote:
> On Tue, Apr 27, 2021 at 01:43:09PM -0700, Yu-cheng Yu wrote:
>> +static inline int write_user_shstk_32(u32 __user *addr, u32 val)
>> +{
>> +	WARN_ONCE(1, "%s used but not supported.\n", __func__);
>> +	return -EFAULT;
>> +}
>> +#endif
> 
> What is that supposed to catch? Any concrete (mis-)use cases?
> 

If 32-bit apps are not supported, there should be no need of 32-bit 
shadow stack write, otherwise there is a bug.

[...]

>> diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
>> index d387df84b7f1..48a0c87414ef 100644
>> --- a/arch/x86/kernel/shstk.c
>> +++ b/arch/x86/kernel/shstk.c
>> @@ -20,6 +20,7 @@
>>   #include <asm/fpu/xstate.h>
>>   #include <asm/fpu/types.h>
>>   #include <asm/cet.h>
>> +#include <asm/special_insns.h>
>>   
>>   static void start_update_msrs(void)
>>   {
>> @@ -176,3 +177,128 @@ void shstk_disable(void)
>>   
>>   	shstk_free(current);
>>   }
>> +
>> +static unsigned long _get_user_shstk_addr(void)
> 
> What's the "_" prefix in the name supposed to denote?
> 
> Ditto for the other functions with "_" prefix you're adding.
> 

These are static functions.  I thought that would make the static scope 
clear.  I can remove "_".

>> +{
>> +	struct fpu *fpu = &current->thread.fpu;
>> +	unsigned long ssp = 0;
>> +
>> +	fpregs_lock();
>> +
>> +	if (fpregs_state_valid(fpu, smp_processor_id())) {
>> +		rdmsrl(MSR_IA32_PL3_SSP, ssp);
>> +	} else {
>> +		struct cet_user_state *p;
>> +
>> +		p = get_xsave_addr(&fpu->state.xsave, XFEATURE_CET_USER);
>> +		if (p)
>> +			ssp = p->user_ssp;
>> +	}
>> +
>> +	fpregs_unlock();
> 
> <---- newline here.
> 
>> +	return ssp;
>> +}
>> +
>> +#define TOKEN_MODE_MASK	3UL
>> +#define TOKEN_MODE_64	1UL
>> +#define IS_TOKEN_64(token) (((token) & TOKEN_MODE_MASK) == TOKEN_MODE_64)
>> +#define IS_TOKEN_32(token) (((token) & TOKEN_MODE_MASK) == 0)
> 
> Why do you have to look at the second, busy bit, too in order to
> determine the mode?
> 

If the busy bit is set, it is only for SAVEPREVSSP, and invalid as a 
normal restore token.

> Also, you don't need most of those defines - see below.
> 
>> +/*
>> + * Create a restore token on the shadow stack.  A token is always 8-byte
>> + * and aligned to 8.
>> + */
>> +static int _create_rstor_token(bool ia32, unsigned long ssp,
>> +			       unsigned long *token_addr)
>> +{
>> +	unsigned long addr;
>> +
>> +	*token_addr = 0;
> 
> What for? Callers should check this function's retval and then interpret
> the validity of token_addr and it should not unconditionally write into
> it.
> 

Ok.

>> +
>> +	if ((!ia32 && !IS_ALIGNED(ssp, 8)) || !IS_ALIGNED(ssp, 4))
> 
> Flip this logic:
> 
> 	if ((ia32 && !IS_ALIGNED(ssp, 4)) || !IS_ALIGNED(ssp, 8))
> 
>> +		return -EINVAL;
>> +
>> +	addr = ALIGN_DOWN(ssp, 8) - 8;
> 
> Yah, so this is weird. Why does the restore token need to be at -8
> instead on the shadow stack address itself?

With the lower two bits masked out, the restore token must point 
directly above itself.

> 
> Looking at
> 
> Figure 18-2. RSTORSSP to Switch to New Shadow Stack
> Figure 18-3. SAVEPREVSSP to Save a Restore Point
> 
> in the SDM, it looks like unnecessarily more complex than it should be.
> But maybe there's some magic I'm missing.
> 
>> +
>> +	/* Is the token for 64-bit? */
>> +	if (!ia32)
>> +		ssp |= TOKEN_MODE_64;
> 
> 		    |= BIT(0);
> 

Ok, then, we don't use #define's.  I will put in comments about what it 
is doing, and fix the rest.

Thanks,
Yu-cheng

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ