lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <168980685456.28540.8149705038742119504.tip-bot2@tip-bot2>
Date:   Wed, 19 Jul 2023 22:47:34 -0000
From:   "tip-bot2 for Rick Edgecombe" <tip-bot2@...utronix.de>
To:     linux-tip-commits@...r.kernel.org
Cc:     Rick Edgecombe <rick.p.edgecombe@...el.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "Borislav Petkov (AMD)" <bp@...en8.de>,
        Kees Cook <keescook@...omium.org>,
        "Mike Rapoport (IBM)" <rppt@...nel.org>,
        David Hildenbrand <david@...hat.com>,
        Pengfei Xu <pengfei.xu@...el.com>,
        John Allen <john.allen@....com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: [tip: x86/shstk] mm: Don't allow write GUPs to shadow stack memory

The following commit has been merged into the x86/shstk branch of tip:

Commit-ID:     7c8f82db8acb9f0935703c0d96cda552bbf91ff2
Gitweb:        https://git.kernel.org/tip/7c8f82db8acb9f0935703c0d96cda552bbf91ff2
Author:        Rick Edgecombe <rick.p.edgecombe@...el.com>
AuthorDate:    Mon, 12 Jun 2023 17:10:48 -07:00
Committer:     Rick Edgecombe <rick.p.edgecombe@...el.com>
CommitterDate: Tue, 11 Jul 2023 14:12:47 -07:00

mm: Don't allow write GUPs to shadow stack memory

The x86 Control-flow Enforcement Technology (CET) feature includes a
new type of memory called shadow stack. This shadow stack memory has
some unusual properties, which requires some core mm changes to
function properly.

In userspace, shadow stack memory is writable only in very specific,
controlled ways. However, since userspace can, even in the limited
ways, modify shadow stack contents, the kernel treats it as writable
memory. As a result, without additional work there would remain many
ways for userspace to trigger the kernel to write arbitrary data to
shadow stacks via get_user_pages(, FOLL_WRITE) based operations. To
help userspace protect their shadow stacks, make this a little less
exposed by blocking writable get_user_pages() operations for shadow
stack VMAs.

Still allow FOLL_FORCE to write through shadow stack protections, as it
does for read-only protections. This is required for debugging use
cases.

Signed-off-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@...en8.de>
Reviewed-by: Kees Cook <keescook@...omium.org>
Acked-by: Mike Rapoport (IBM) <rppt@...nel.org>
Acked-by: David Hildenbrand <david@...hat.com>
Tested-by: Pengfei Xu <pengfei.xu@...el.com>
Tested-by: John Allen <john.allen@....com>
Tested-by: Kees Cook <keescook@...omium.org>
Link: https://lore.kernel.org/all/20230613001108.3040476-23-rick.p.edgecombe%40intel.com
---
 arch/x86/include/asm/pgtable.h | 5 +++++
 mm/gup.c                       | 6 +-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 61b5244..e95cfd3 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -1631,6 +1631,11 @@ static inline bool __pte_access_permitted(unsigned long pteval, bool write)
 {
 	unsigned long need_pte_bits = _PAGE_PRESENT|_PAGE_USER;
 
+	/*
+	 * Write=0,Dirty=1 PTEs are shadow stack, which the kernel
+	 * shouldn't generally allow access to, but since they
+	 * are already Write=0, the below logic covers both cases.
+	 */
 	if (write)
 		need_pte_bits |= _PAGE_RW;
 
diff --git a/mm/gup.c b/mm/gup.c
index 76d222c..86ccdb7 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1050,11 +1050,7 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
 		return -EFAULT;
 
 	if (write) {
-		if (!vma_anon &&
-		    !writable_file_mapping_allowed(vma, gup_flags))
-			return -EFAULT;
-
-		if (!(vm_flags & VM_WRITE)) {
+		if (!(vm_flags & VM_WRITE) || (vm_flags & VM_SHADOW_STACK)) {
 			if (!(gup_flags & FOLL_FORCE))
 				return -EFAULT;
 			/* hugetlb does not support FOLL_FORCE|FOLL_WRITE. */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ