| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2905adaa-97f8-912d-5d23-bee92eb4483e@redhat.com>
Date: Thu, 23 Feb 2023 13:55:47 +0100
From: David Hildenbrand <david@...hat.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>,
"bsingharora@...il.com" <bsingharora@...il.com>,
"hpa@...or.com" <hpa@...or.com>,
"Syromiatnikov, Eugene" <esyr@...hat.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"rdunlap@...radead.org" <rdunlap@...radead.org>,
"keescook@...omium.org" <keescook@...omium.org>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
"Eranian, Stephane" <eranian@...gle.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"fweimer@...hat.com" <fweimer@...hat.com>,
"nadav.amit@...il.com" <nadav.amit@...il.com>,
"jannh@...gle.com" <jannh@...gle.com>,
"dethoma@...rosoft.com" <dethoma@...rosoft.com>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"kcc@...gle.com" <kcc@...gle.com>, "pavel@....cz" <pavel@....cz>,
"oleg@...hat.com" <oleg@...hat.com>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"bp@...en8.de" <bp@...en8.de>,
"Lutomirski, Andy" <luto@...nel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"arnd@...db.de" <arnd@...db.de>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"Schimpe, Christina" <christina.schimpe@...el.com>,
"x86@...nel.org" <x86@...nel.org>,
"mike.kravetz@...cle.com" <mike.kravetz@...cle.com>,
"Yang, Weijiang" <weijiang.yang@...el.com>,
"debug@...osinc.com" <debug@...osinc.com>,
"jamorris@...ux.microsoft.com" <jamorris@...ux.microsoft.com>,
"john.allen@....com" <john.allen@....com>,
"rppt@...nel.org" <rppt@...nel.org>,
"andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
"mingo@...hat.com" <mingo@...hat.com>,
"corbet@....net" <corbet@....net>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
"gorcunov@...il.com" <gorcunov@...il.com>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>
Cc: "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
Subject: Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors
On 23.02.23 00:07, Edgecombe, Rick P wrote:
> On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote:
>>>
>>> + /*
>>> + * When a page becomes COW it changes from a shadow stack
>>> permission
>>> + * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1),
>>> which is simply
>>> + * read-only to the CPU. When shadow stack is enabled, a RET
>>> would
>>> + * normally pop the shadow stack by reading it with a "shadow
>>> stack
>>> + * read" access. However, in the COW case the shadow stack
>>> memory does
>>> + * not have shadow stack permissions, it is read-only. So it
>>> will
>>> + * generate a fault.
>>> + *
>>> + * For conventionally writable pages, a read can be serviced
>>> with a
>>> + * read only PTE, and COW would not have to happen. But for
>>> shadow
>>> + * stack, there isn't the concept of read-only shadow stack
>>> memory.
>>> + * If it is shadow stack permission, it can be modified via
>>> CALL and
>>> + * RET instructions. So COW needs to happen before any memory
>>> can be
>>> + * mapped with shadow stack permissions.
>>> + *
>>> + * Shadow stack accesses (read or write) need to be serviced
>>> with
>>> + * shadow stack permission memory, so in the case of a shadow
>>> stack
>>> + * read access, treat it as a WRITE fault so both COW will
>>> happen and
>>> + * the write fault path will tickle maybe_mkwrite() and map
>>> the memory
>>> + * shadow stack.
>>> + */
>>
>> Again, I suggest dropping all details about COW from this comment
>> and
>> from the patch description. It's just one such case that can happen.
>
> Hi David,
Hi Rick,
>
> I was just trying to edit this one to drop COW details, but I think in
> this case, one of the major reasons for the code *is* actually COW. We
> are not working around the whole inadvertent shadow stack memory piece
> here, but something else: Making sure shadow stack memory is faulted in
> and doing COW if required to make this possible. I came up with this,
> does it seem better?
Regarding the fault handling I completely agree. We have to treat a read
like a write event. And as read-only shadow stack PTEs don't exist, we
have to tell the MM to create a writable one for us.
>
>
> /*
> * For conventionally writable pages, a read can be serviced with a
> *
> read only PTE. But for shadow stack, there isn't a concept of
> * read-
> only shadow stack memory. If it a PTE has the shadow stack
> *
> permission, it can be modified via CALL and RET instructions. So
> * core
> MM needs to fault in a writable PTE and do things it already
> * does for
> write faults.
> *
> * Shadow stack accesses (read or write) need to be
> serviced with
> * shadow stack permission memory, so in the case of a
> shadow stack
> * read access, treat it as a WRITE fault so both any
> required COW will
> * happen and the write fault path will tickle
> maybe_mkwrite() and map
> * the memory shadow stack.
> */
That sounds good! I'd rewrite the last part slightly.
"
Shadow stack accesses (read or write) need to be serviced with
shadow stack permission memory, which always include write permissions.
So in the case of a shadow stack read access, treat it as a WRITE fault.
This will make sure that MM will prepare everything (e.g., break COW)
such that maybe_mkwrite() can create a proper shadow stack PTE.
"
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists