| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Feb 2022 22:38:51 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Dave Hansen' <dave.hansen@...el.com>,
Rick Edgecombe <rick.p.edgecombe@...el.com>,
"x86@...nel.org" <x86@...nel.org>,
"H . Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Eugene Syromiatnikov" <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H . J . Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V . Shankar" <ravi.v.shankar@...el.com>,
Dave Martin <Dave.Martin@....com>,
Weijiang Yang <weijiang.yang@...el.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
"joao.moreira@...el.com" <joao.moreira@...el.com>,
John Allen <john.allen@....com>,
"kcc@...gle.com" <kcc@...gle.com>,
"eranian@...gle.com" <eranian@...gle.com>
CC: Yu-cheng Yu <yu-cheng.yu@...el.com>
Subject: RE: [PATCH 18/35] mm: Add guard pages around a shadow stack.
From: Dave Hansen
> Sent: 09 February 2022 22:24
>
> On 1/30/22 13:18, Rick Edgecombe wrote:
> > INCSSP(Q/D) increments shadow stack pointer and 'pops and discards' the
> > first and the last elements in the range, effectively touches those memory
> > areas.
>
> This is a pretty close copy of the instruction reference text for
> INCSSP. I'm feeling rather dense today, but that's just not making any
> sense.
>
> The pseudocode is more sensible in the SDM. I think this needs a better
> explanation:
>
> The INCSSP instruction increments the shadow stack pointer. It
> is the shadow stack analog of an instruction like:
>
> addq $0x80, %rsp
>
> However, there is one important difference between an ADD on
> %rsp and INCSSP. In addition to modifying SSP, INCSSP also
> reads from the memory of the first and last elements that were
> "popped". You can think of it as acting like this:
>
> READ_ONCE(ssp); // read+discard top element on stack
> ssp += nr_to_pop * 8; // move the shadow stack
> READ_ONCE(ssp-8); // read+discard last popped stack element
>
>
> > The maximum moving distance by INCSSPQ is 255 * 8 = 2040 bytes and
> > 255 * 4 = 1020 bytes by INCSSPD. Both ranges are far from PAGE_SIZE.
>
> ... That maximum distance, combined with an a guard pages at the end of
> a shadow stack ensures that INCSSP will fault before it is able to move
> across an entire guard page.
>
> > Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
> > CALL, and RET from going beyond.
Do you need a real guard page?
Or is it just enough to ensure that the adjacent page isn't another
shadow stack page?
Any other page will cause a fault because the PTE isn't readonly+dirty.
I'm not sure how common single page allocates are in Linux.
But adjacent shadow stacks may be rare anyway.
So a check against both adjacent PTE entries would suffice.
Or maybe always allocate an even (or odd) numbered page.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists