[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ed5f3a95-2854-8b36-7ed9-f1d7ad0a2e51@kernel.org>
Date: Mon, 3 Oct 2022 16:21:25 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Rick Edgecombe <rick.p.edgecombe@...el.com>, x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
Arnd Bergmann <arnd@...db.de>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H . J . Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V . Shankar" <ravi.v.shankar@...el.com>,
Weijiang Yang <weijiang.yang@...el.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
joao.moreira@...el.com, John Allen <john.allen@....com>,
kcc@...gle.com, eranian@...gle.com, rppt@...nel.org,
jamorris@...ux.microsoft.com, dethoma@...rosoft.com
Subject: Re: [OPTIONAL/RFC v2 39/39] x86: Add alt shadow stack support
On 9/29/22 15:29, Rick Edgecombe wrote:
> To handle stack overflows, applications can register a separate signal alt
> stack to use for the stack to handle signals. To handle shadow stack
> overflows the kernel can similarly provide the ability to have an alt
> shadow stack.
The overall SHSTK mechanism has a concept of a shadow stack that is
valid and not in use and a shadow stack that is in use. This is used,
for example, by RSTORSSP. I would like to imagine that this serves a
real purpose (presumably preventing two different threads from using the
same shadow stack and thus corrupting each others' state).
So maybe altshstk should use exactly the same mechanism. Either signal
delivery should do the atomic very-and-mark-busy routine or registering
the stack as an altstack should do it.
I think your patch has this maybe 1/3 implemented, but I don't see any
atomics, and you seem to have removed (?) the code that actually
modifies the token on the stack.
>
> +static bool on_alt_shstk(unsigned long ssp)
> +{
> + unsigned long alt_ss_start = current->thread.sas_shstk_sp;
> + unsigned long alt_ss_end = alt_ss_start + current->thread.sas_shstk_size;
> +
> + return ssp >= alt_ss_start && ssp < alt_ss_end;
> +}
We're forcing AUTODISARM behavior (right?), so I don't think this is
needed at all. User code is never "on the alt stack". It's either "on
the alt stack but the alt stack is disarmed, so it's not on the alt
stack" or it's just straight up not on the alt stack.
Powered by blists - more mailing lists