[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZLZW7Kvg2Rep8ySO@arm.com>
Date: Tue, 18 Jul 2023 10:10:04 +0100
From: Szabolcs Nagy <Szabolcs.Nagy@....com>
To: Mark Brown <broonie@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>,
Marc Zyngier <maz@...nel.org>,
Oliver Upton <oliver.upton@...ux.dev>,
James Morse <james.morse@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Arnd Bergmann <arnd@...db.de>, Oleg Nesterov <oleg@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
Shuah Khan <shuah@...nel.org>,
"Rick P. Edgecombe" <rick.p.edgecombe@...el.com>,
Deepak Gupta <debug@...osinc.com>,
Ard Biesheuvel <ardb@...nel.org>
Cc: "H.J. Lu" <hjl.tools@...il.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-mm@...ck.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-riscv@...ts.infradead.org
Subject: Re: [PATCH 22/35] arm64/mm: Implement map_shadow_stack()
The 07/16/2023 22:51, Mark Brown wrote:
> +SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
> +{
> + unsigned long aligned_size;
> + unsigned long __user *cap_ptr;
> + unsigned long cap_val;
> + int ret;
> +
> + if (!system_supports_gcs())
> + return -EOPNOTSUPP;
> +
> + if (flags)
> + return -EINVAL;
> +
> + /*
> + * An overflow would result in attempting to write the restore token
> + * to the wrong location. Not catastrophic, but just return the right
> + * error code and block it.
> + */
> + aligned_size = PAGE_ALIGN(size);
> + if (aligned_size < size)
> + return -EOVERFLOW;
> +
> + addr = alloc_gcs(addr, aligned_size, 0, false);
> + if (IS_ERR_VALUE(addr))
> + return addr;
> +
> + /*
> + * Put a cap token at the end of the allocated region so it
> + * can be switched to.
> + */
> + cap_ptr = (unsigned long __user *)(addr + aligned_size -
> + (2 * sizeof(unsigned long)));
> + cap_val = GCS_CAP(cap_ptr);
> +
> + ret = copy_to_user_gcs(cap_ptr, &cap_val, 1);
with
uint64_t *p = map_shadow_stack(0, N*8, 0);
i'd expect p[N-1] to be the end token and p[N-2] to be the cap token,
not p[PAGE_ALIGN(N*8)/8-2].
if we allow misalligned size here (and in munmap) then i think it's
better to not page align. size%8!=0 || size<16 can be an error.
> + if (ret != 0) {
> + vm_munmap(addr, size);
> + return -EFAULT;
> + }
> +
> + return addr;
> +}
Powered by blists - more mailing lists