lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y/QunS2skya40mUu@xpf.sh.intel.com>
Date:   Tue, 21 Feb 2023 10:38:21 +0800
From:   Pengfei Xu <pengfei.xu@...el.com>
To:     Rick Edgecombe <rick.p.edgecombe@...el.com>
CC:     <x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, <linux-kernel@...r.kernel.org>,
        <linux-doc@...r.kernel.org>, <linux-mm@...ck.org>,
        <linux-arch@...r.kernel.org>, <linux-api@...r.kernel.org>,
        Arnd Bergmann <arnd@...db.de>,
        Andy Lutomirski <luto@...nel.org>,
        Balbir Singh <bsingharora@...il.com>,
        Borislav Petkov <bp@...en8.de>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Eugene Syromiatnikov <esyr@...hat.com>,
        Florian Weimer <fweimer@...hat.com>,
        "H . J . Lu" <hjl.tools@...il.com>, "Jann Horn" <jannh@...gle.com>,
        Jonathan Corbet <corbet@....net>,
        Kees Cook <keescook@...omium.org>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
        Peter Zijlstra <peterz@...radead.org>,
        Randy Dunlap <rdunlap@...radead.org>,
        Weijiang Yang <weijiang.yang@...el.com>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        John Allen <john.allen@....com>, <kcc@...gle.com>,
        <eranian@...gle.com>, <rppt@...nel.org>,
        <jamorris@...ux.microsoft.com>, <dethoma@...rosoft.com>,
        <akpm@...ux-foundation.org>, <Andrew.Cooper3@...rix.com>,
        <christina.schimpe@...el.com>, <david@...hat.com>,
        <debug@...osinc.com>, <heng.su@...el.com>
Subject: Re: [PATCH v6 00/41] Shadow stacks for userspace

Hi Rick,

On 2023-02-18 at 13:13:52 -0800, Rick Edgecombe wrote:
> Hi,
> 
...
> 
> I left tested-by tags in place per discussion with testers. Testers, please
> retest.
> 

1. Tested kself-test from user space shstk on ADL-S, TGL-U without Glibc shstk
support in CentOS 8 stream OS:

// From the test_shadow_stack code in this patch series:
# ./test_shadow_stack
[INFO]  new_ssp = 7f014ac2dff8, *new_ssp = 7f014ac2e001
[INFO]  changing ssp from 7f014a1ffff0 to 7f014ac2dff8
[INFO]  ssp is now 7f014ac2e000
[OK]    Shadow stack pivot
[OK]    Shadow stack faults
[INFO]  Corrupting shadow stack
[INFO]  Generated shadow stack violation successfully
[OK]    Shadow stack violation test
[INFO]  Gup read -> shstk access success
[INFO]  Gup write -> shstk access success
[INFO]  Violation from normal write
[INFO]  Gup read -> write access success
[INFO]  Violation from normal write
[INFO]  Gup write -> write access success
[INFO]  Cow gup write -> write access success
[OK]    Shadow gup test
[INFO]  Violation from shstk access
[OK]    mprotect() test
[OK]    Userfaultfd test
[OK]    32 bit test

// shstk violation without SHSTK glibc support
// Code link: https://github.com/intel/lkvs/blob/main/cet/shstk_cp.c
# ./shstk_cp
[PASS]  Enable SHSTK successfully
[PASS]  Disabling shadow stack successfully
[PASS]  Re-enable shadow stack successfully
[PASS]  SHSTK enabled, ssp:7fa3bfe00000
[INFO]  do_hack() change address for return:
[INFO]  Before,ssp:7fa3bfdffff8,*ssp:40133f,rbp:0x7ffc23b5b440,*rbp:7ffc23b5b480,*(rbp+1):40133f
[INFO]  After, ssp:7fa3bfdffff8,*ssp:40133f,rbp:0x7ffc23b5b440,*rbp:7ffc23b5b480,*(rbp+1):401146
Segmentation fault (core dumped)

Dmesg:
[1117184.518588] shstk_cp[1523882] control protection ip:40122c sp:7ffc23b5b448 ssp:7fa3bfdffff8 error:1(near ret) in shstk_cp[401000+1000]

// shstk ARCH_SHSTK_STATUS read/set test without SHSTK Glibc support
// Code link: https://github.com/intel/lkvs/blob/main/cet/shstk_unlock_test.c
# ./shstk_unlock_test
[PASS]  Parent process enable SHSTK.
[PASS]  Parent pid:1522040, ssp:0x7f57fc400000
[INFO]  pid:1522040, ssp:0x7f57fc3ffff8, *ssp:401799
[PASS]  Unlock CET successfully for pid:1522041
[PASS]  GET CET REG ret:0, err:0, ssp:7f57fc3ffff8
[PASS]  SET CET REG ret:0, err:0, ssp:7f57fc3ffff8
[PASS]  SET ssp -1 failed(expected) ret:-1, errno:22
[PASS]  GET xstate successfully ret:0
[PASS]  SHSTK is enabled in child process
[INFO]  Child:1522041 origin ssp:0x7f57fc400000
[INFO]  Child:1522041, ssp:0x7f57fc400000, bp,0x7ffcf32ba0f0, *bp:401dc0, *(bp+1):7f57fc43ad85
[PASS]  Disabling shadow stack succesfully
[PASS]  SHSTK_STATUS ok, feature:0 is 0, ret:0
[PASS]  Child process re-enable ssp
[PASS]  SHSTK_STATUS ok, feature:1 1st bit is 1, ret:0
[PASS]  Child process enabled wrss
[PASS]  SHSTK_STATUS ok, feature:3 2nd bit is 1, ret:0
[INFO]  Child:1522041, ssp:0x7f57fc400000, bp,0x7ffcf32ba0f0, *bp:401dc0, *(bp+1):7f57fc43ad85
[INFO]  ssp addr:0x7f57fc400000 is same as ssp_verify:0x7f57fc400000
[PASS]  Child process disable shstk successfully.
[PASS]  Parent process disable shadow stack successfully.


2. Tested fedora37 OS + Hongjiu provided user space SHSTK support Glibc:
// shstk with Glibc support:
// Related Glibc support for Fedora37:  http://gnu-4.sc.intel.com/git/?p=hjl/misc.git;a=tree;f=setup/fedora/37;h=63af84a8f28f3d0802f09266e47fb94eb5cdff26;hb=HEAD
# readelf  -n shadow_test_fork | head
readelf: Warning: Gap in build notes detected from 0x4011d7 to 0x4011e4

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
    GNU                  0x00000040       NT_GNU_PROPERTY_TYPE_0
          Properties: x86 feature: IBT, SHSTK
...
// shadow_test_fork code is in attached
// gcc -fcf-protection=full -mshstk -O0 -fno-stack-check -fno-stack-protector    shadow_test_fork.c   -o shadow_test_fork
# ./shadow_test_fork s2
[INFO]  s2: stack rbp + 1
[INFO]  do_hack() change address for return:
[INFO]  After change, rbp+1 to hacked:0x401296
Segmentation fault (core dumped)

Dmesg:
[418653.591014] shadow_test_for[16529] control protection ip:401367 sp:7fff6ed0a728 ssp:7f661265bfe0 error:1(near ret) in shadow_test_fork[401000+1000]

All above user space SHSTK tests are passed.

Many thanks Rick and all!

Thanks!
BR.
Pengfei

> -- 
> 2.17.1
> 

View attachment "shadow_test_fork.c" of type "text/plain" (9907 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ