| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Oct 2023 16:05:28 +0100
From: Mark Brown <broonie@...nel.org>
To: "Szabolcs.Nagy@....com" <Szabolcs.Nagy@....com>
Cc: Deepak Gupta <debug@...osinc.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@...el.com>,
"dietmar.eggemann@....com" <dietmar.eggemann@....com>,
"keescook@...omium.org" <keescook@...omium.org>,
"brauner@...nel.org" <brauner@...nel.org>,
"shuah@...nel.org" <shuah@...nel.org>,
"mgorman@...e.de" <mgorman@...e.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"fweimer@...hat.com" <fweimer@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"vincent.guittot@...aro.org" <vincent.guittot@...aro.org>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"mingo@...hat.com" <mingo@...hat.com>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"vschneid@...hat.com" <vschneid@...hat.com>,
"catalin.marinas@....com" <catalin.marinas@....com>,
"bristot@...hat.com" <bristot@...hat.com>,
"will@...nel.org" <will@...nel.org>,
"hpa@...or.com" <hpa@...or.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"jannh@...gle.com" <jannh@...gle.com>,
"bp@...en8.de" <bp@...en8.de>,
"bsegall@...gle.com" <bsegall@...gle.com>,
"linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
"juri.lelli@...hat.com" <juri.lelli@...hat.com>
Subject: Re: [PATCH RFC RFT 2/5] fork: Add shadow stack support to clone3()
On Fri, Oct 27, 2023 at 12:49:59PM +0100, Szabolcs.Nagy@....com wrote:
> The 10/26/2023 13:40, Deepak Gupta wrote:
> > In general, I am assuming such placement requirements emanate because
> > regular stack holds data (local args, etc) as well and thus software may
> > make assumptions about how stack frame is prepared and may worry about
> > layout and such. In case of shadow stack, it can only hold return
> no. the lifetime is the issue: a stack in principle can outlive
> a thread and resumed even after the original thread exited.
> for that to work the shadow stack has to outlive the thread too.
> (or the other way around: a stack can be freed before the thread
> exits, if the thread pivots away from that stack.)
> posix threads etc. don't allow this, but the linux syscall abi
> (clone) does allow it.
> i think it is reasonable to tie the shadow stack lifetime to the
> thread lifetime, but this clearly introduces a limitation on how
> the clone api can be used. such constraint on the userspace
> programming model is normally a bad decision, but given that most
> software (including all posix conforming code) is not affected,
> i think it is acceptable for an opt-in feature like shadow stack.
I tend to agree - software that's doing a lot of stack pivoting could do
something like allocate a small stack with clone3() and then immediately
pivoting away from it so they never actually use the stack that's tied
to the thread. It's a bit clunky and wasteful but should work.
Since everyone seems OK with dealing with the placement issues by
specifying size only I'm planning on sending a new version that does
that after the merge window, assuming nobody else raises concerns.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists