lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240329044459.3990638-13-debug@rivosinc.com>
Date: Thu, 28 Mar 2024 21:44:44 -0700
From: Deepak Gupta <debug@...osinc.com>
To: paul.walmsley@...ive.com,
	rick.p.edgecombe@...el.com,
	broonie@...nel.org,
	Szabolcs.Nagy@....com,
	kito.cheng@...ive.com,
	keescook@...omium.org,
	ajones@...tanamicro.com,
	conor.dooley@...rochip.com,
	cleger@...osinc.com,
	atishp@...shpatra.org,
	alex@...ti.fr,
	bjorn@...osinc.com,
	alexghiti@...osinc.com,
	samuel.holland@...ive.com,
	palmer@...ive.com,
	conor@...nel.org,
	linux-doc@...r.kernel.org,
	linux-riscv@...ts.infradead.org,
	linux-kernel@...r.kernel.org,
	devicetree@...r.kernel.org,
	linux-mm@...ck.org,
	linux-arch@...r.kernel.org,
	linux-kselftest@...r.kernel.org
Cc: corbet@....net,
	tech-j-ext@...ts.risc-v.org,
	palmer@...belt.com,
	aou@...s.berkeley.edu,
	robh+dt@...nel.org,
	krzysztof.kozlowski+dt@...aro.org,
	oleg@...hat.com,
	akpm@...ux-foundation.org,
	arnd@...db.de,
	ebiederm@...ssion.com,
	Liam.Howlett@...cle.com,
	vbabka@...e.cz,
	lstoakes@...il.com,
	shuah@...nel.org,
	brauner@...nel.org,
	debug@...osinc.com,
	andy.chiu@...ive.com,
	jerry.shih@...ive.com,
	hankuan.chen@...ive.com,
	greentime.hu@...ive.com,
	evan@...osinc.com,
	xiao.w.wang@...el.com,
	charlie@...osinc.com,
	apatel@...tanamicro.com,
	mchitale@...tanamicro.com,
	dbarboza@...tanamicro.com,
	sameo@...osinc.com,
	shikemeng@...weicloud.com,
	willy@...radead.org,
	vincent.chen@...ive.com,
	guoren@...nel.org,
	samitolvanen@...gle.com,
	songshuaishuai@...ylab.org,
	gerg@...nel.org,
	heiko@...ech.de,
	bhe@...hat.com,
	jeeheng.sia@...rfivetech.com,
	cyy@...self.name,
	maskray@...gle.com,
	ancientmodern4@...il.com,
	mathis.salmen@...sal.de,
	cuiyunhui@...edance.com,
	bgray@...ux.ibm.com,
	mpe@...erman.id.au,
	baruch@...s.co.il,
	alx@...nel.org,
	david@...hat.com,
	catalin.marinas@....com,
	revest@...omium.org,
	josh@...htriplett.org,
	shr@...kernel.io,
	deller@....de,
	omosnace@...hat.com,
	ojeda@...nel.org,
	jhubbard@...dia.com
Subject: [PATCH v2 12/27] riscv mmu: write protect and shadow stack

`fork` implements copy on write (COW) by making pages readonly in child
and parent both.

ptep_set_wrprotect and pte_wrprotect clears _PAGE_WRITE in PTE.
Assumption is that page is readable and on fault copy on write happens.

To implement COW on such pages, clearing up W bit makes them XWR = 000.
This will result in wrong PTE setting which says no perms but V=1 and PFN
field pointing to final page. Instead desired behavior is to turn it into
a readable page, take an access (load/store) fault on sspush/sspop
(shadow stack) and then perform COW on such pages. This way regular reads
would still be allowed and not lead to COW maintaining current behavior
of COW on non-shadow stack but writeable memory.

On the other hand it doesn't interfere with existing COW for read-write
memory. Assumption is always that _PAGE_READ must have been set and thus
setting _PAGE_READ is harmless.

Signed-off-by: Deepak Gupta <debug@...osinc.com>
---
 arch/riscv/include/asm/pgtable.h | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 9b837239d3e8..7a1c2a98d272 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -398,7 +398,7 @@ static inline int pte_special(pte_t pte)
 
 static inline pte_t pte_wrprotect(pte_t pte)
 {
-	return __pte(pte_val(pte) & ~(_PAGE_WRITE));
+	return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ));
 }
 
 /* static inline pte_t pte_mkread(pte_t pte) */
@@ -581,7 +581,15 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm,
 static inline void ptep_set_wrprotect(struct mm_struct *mm,
 				      unsigned long address, pte_t *ptep)
 {
-	atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep);
+	volatile pte_t read_pte = *ptep;
+	/*
+	 * ptep_set_wrprotect can be called for shadow stack ranges too.
+	 * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to
+	 * encoding 000b which is wrong encoding with V = 1. This should lead to page fault
+	 * but we dont want this wrong configuration to be set in page tables.
+	 */
+	atomic_long_set((atomic_long_t *)ptep,
+			((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ));
 }
 
 #define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH
-- 
2.43.2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ