Date:   Tue, 21 Feb 2023 10:38:21 +0800
From:   Pengfei Xu <pengfei.xu@...el.com>
To:     Rick Edgecombe <rick.p.edgecombe@...el.com>
CC:     <x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, <linux-kernel@...r.kernel.org>,
        <linux-doc@...r.kernel.org>, <linux-mm@...ck.org>,
        <linux-arch@...r.kernel.org>, <linux-api@...r.kernel.org>,
        Arnd Bergmann <arnd@...db.de>,
        Andy Lutomirski <luto@...nel.org>,
        Balbir Singh <bsingharora@...il.com>,
        Borislav Petkov <bp@...en8.de>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Eugene Syromiatnikov <esyr@...hat.com>,
        Florian Weimer <fweimer@...hat.com>,
        "H . J . Lu" <hjl.tools@...il.com>, "Jann Horn" <jannh@...gle.com>,
        Jonathan Corbet <corbet@....net>,
        Kees Cook <keescook@...omium.org>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
        Peter Zijlstra <peterz@...radead.org>,
        Randy Dunlap <rdunlap@...radead.org>,
        Weijiang Yang <weijiang.yang@...el.com>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        John Allen <john.allen@....com>, <kcc@...gle.com>,
        <eranian@...gle.com>, <rppt@...nel.org>,
        <jamorris@...ux.microsoft.com>, <dethoma@...rosoft.com>,
        <akpm@...ux-foundation.org>, <Andrew.Cooper3@...rix.com>,
        <christina.schimpe@...el.com>, <david@...hat.com>,
        <debug@...osinc.com>, <heng.su@...el.com>
Subject: Re: [PATCH v6 00/41] Shadow stacks for userspace

Hi Rick,

On 2023-02-18 at 13:13:52 -0800, Rick Edgecombe wrote:
> Hi,
> 
...
> 
> I left tested-by tags in place per discussion with testers. Testers, please
> retest.
> 

1. Tested the shstk kselftest from user space on ADL-S and TGL-U, without Glibc shstk
support, on CentOS 8 Stream OS:

// From the test_shadow_stack code in this patch series:
# ./test_shadow_stack
[INFO]  new_ssp = 7f014ac2dff8, *new_ssp = 7f014ac2e001
[INFO]  changing ssp from 7f014a1ffff0 to 7f014ac2dff8
[INFO]  ssp is now 7f014ac2e000
[OK]    Shadow stack pivot
[OK]    Shadow stack faults
[INFO]  Corrupting shadow stack
[INFO]  Generated shadow stack violation successfully
[OK]    Shadow stack violation test
[INFO]  Gup read -> shstk access success
[INFO]  Gup write -> shstk access success
[INFO]  Violation from normal write
[INFO]  Gup read -> write access success
[INFO]  Violation from normal write
[INFO]  Gup write -> write access success
[INFO]  Cow gup write -> write access success
[OK]    Shadow gup test
[INFO]  Violation from shstk access
[OK]    mprotect() test
[OK]    Userfaultfd test
[OK]    32 bit test

// shstk violation without SHSTK glibc support
// Code link: https://github.com/intel/lkvs/blob/main/cet/shstk_cp.c
# ./shstk_cp
[PASS]  Enable SHSTK successfully
[PASS]  Disabling shadow stack successfully
[PASS]  Re-enable shadow stack successfully
[PASS]  SHSTK enabled, ssp:7fa3bfe00000
[INFO]  do_hack() change address for return:
[INFO]  Before,ssp:7fa3bfdffff8,*ssp:40133f,rbp:0x7ffc23b5b440,*rbp:7ffc23b5b480,*(rbp+1):40133f
[INFO]  After, ssp:7fa3bfdffff8,*ssp:40133f,rbp:0x7ffc23b5b440,*rbp:7ffc23b5b480,*(rbp+1):401146
Segmentation fault (core dumped)

Dmesg:
[1117184.518588] shstk_cp[1523882] control protection ip:40122c sp:7ffc23b5b448 ssp:7fa3bfdffff8 error:1(near ret) in shstk_cp[401000+1000]

// shstk ARCH_SHSTK_STATUS read/set test without SHSTK Glibc support
// Code link: https://github.com/intel/lkvs/blob/main/cet/shstk_unlock_test.c
# ./shstk_unlock_test
[PASS]  Parent process enable SHSTK.
[PASS]  Parent pid:1522040, ssp:0x7f57fc400000
[INFO]  pid:1522040, ssp:0x7f57fc3ffff8, *ssp:401799
[PASS]  Unlock CET successfully for pid:1522041
[PASS]  GET CET REG ret:0, err:0, ssp:7f57fc3ffff8
[PASS]  SET CET REG ret:0, err:0, ssp:7f57fc3ffff8
[PASS]  SET ssp -1 failed(expected) ret:-1, errno:22
[PASS]  GET xstate successfully ret:0
[PASS]  SHSTK is enabled in child process
[INFO]  Child:1522041 origin ssp:0x7f57fc400000
[INFO]  Child:1522041, ssp:0x7f57fc400000, bp,0x7ffcf32ba0f0, *bp:401dc0, *(bp+1):7f57fc43ad85
[PASS]  Disabling shadow stack succesfully
[PASS]  SHSTK_STATUS ok, feature:0 is 0, ret:0
[PASS]  Child process re-enable ssp
[PASS]  SHSTK_STATUS ok, feature:1 1st bit is 1, ret:0
[PASS]  Child process enabled wrss
[PASS]  SHSTK_STATUS ok, feature:3 2nd bit is 1, ret:0
[INFO]  Child:1522041, ssp:0x7f57fc400000, bp,0x7ffcf32ba0f0, *bp:401dc0, *(bp+1):7f57fc43ad85
[INFO]  ssp addr:0x7f57fc400000 is same as ssp_verify:0x7f57fc400000
[PASS]  Child process disable shstk successfully.
[PASS]  Parent process disable shadow stack successfully.


2. Tested Fedora 37 OS + Glibc with user space SHSTK support provided by Hongjiu:
// shstk with Glibc support:
// Related Glibc support for Fedora37:  http://gnu-4.sc.intel.com/git/?p=hjl/misc.git;a=tree;f=setup/fedora/37;h=63af84a8f28f3d0802f09266e47fb94eb5cdff26;hb=HEAD
# readelf  -n shadow_test_fork | head
readelf: Warning: Gap in build notes detected from 0x4011d7 to 0x4011e4

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
    GNU                  0x00000040       NT_GNU_PROPERTY_TYPE_0
          Properties: x86 feature: IBT, SHSTK
...
// shadow_test_fork code is attached
// gcc -fcf-protection=full -mshstk -O0 -fno-stack-check -fno-stack-protector    shadow_test_fork.c   -o shadow_test_fork
# ./shadow_test_fork s2
[INFO]  s2: stack rbp + 1
[INFO]  do_hack() change address for return:
[INFO]  After change, rbp+1 to hacked:0x401296
Segmentation fault (core dumped)

Dmesg:
[418653.591014] shadow_test_for[16529] control protection ip:401367 sp:7fff6ed0a728 ssp:7f661265bfe0 error:1(near ret) in shadow_test_fork[401000+1000]

All of the above user space SHSTK tests passed.

Many thanks Rick and all!

Thanks!
BR.
Pengfei

> -- 
> 2.17.1
> 
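As an added example (not code from the patch series, the kselftest, or the lkvs tests run in the message above), a small C program that performs the ARCH_SHSTK_STATUS arch_prctl query and decodes the feature bitmask that the shstk_unlock_test output reports as feature:1 and feature:3. The arch_prctl constant and the two feature bits are assumed from the kernel's asm/prctl.h UAPI header and are not defined on this page; on a kernel or CPU without shadow stack support the query simply reports "unavailable".

```c
// Added example: query and decode per-thread shadow stack status on x86_64.
// ARCH_SHSTK_STATUS, ARCH_SHSTK_SHSTK and ARCH_SHSTK_WRSS are assumed from
// the kernel's asm/prctl.h; they are not taken from the message above.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define ARCH_SHSTK_STATUS 0x5005        /* assumed: arch_prctl(2) code   */
#define SHSTK_FEAT_SHSTK  (1UL << 0)    /* assumed: ARCH_SHSTK_SHSTK bit */
#define SHSTK_FEAT_WRSS   (1UL << 1)    /* assumed: ARCH_SHSTK_WRSS bit  */

struct shstk_status {
    int queried;   /* 1 if the kernel answered the status query   */
    int shstk;     /* 1 if the shadow stack is enabled for thread */
    int wrss;      /* 1 if WRSS (shadow stack writes) is enabled  */
};

/* Pure decoder for the bitmask ARCH_SHSTK_STATUS writes to user memory,
 * e.g. feature:1 -> shstk only, feature:3 -> shstk + wrss. */
struct shstk_status decode_shstk_features(unsigned long features)
{
    struct shstk_status s = { 1, 0, 0 };
    s.shstk = (features & SHSTK_FEAT_SHSTK) != 0;
    s.wrss  = (features & SHSTK_FEAT_WRSS) != 0;
    return s;
}

/* Live query; queried == 0 means the kernel rejected the request
 * (EINVAL/ENOSYS), i.e. no user shadow stack support is available. */
struct shstk_status query_shstk_status(void)
{
    struct shstk_status none = { 0, 0, 0 };
#ifdef __x86_64__
    unsigned long features = 0;
    if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features) == 0)
        return decode_shstk_features(features);
#endif
    return none;
}

int main(void)
{
    struct shstk_status s = query_shstk_status();
    if (!s.queried)
        printf("ARCH_SHSTK_STATUS unavailable: %s\n", strerror(errno));
    else
        printf("shstk=%d wrss=%d\n", s.shstk, s.wrss);
    return 0;
}
```

Without a Glibc that enables SHSTK at program start, the query reports shstk=0 even on CET hardware; the lkvs tests above enable it explicitly first.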

View attachment "shadow_test_fork.c" of type "text/plain" (9907 bytes)
