| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240403234054.2020347-14-debug@rivosinc.com>
Date: Wed, 3 Apr 2024 16:35:01 -0700
From: Deepak Gupta <debug@...osinc.com>
To: paul.walmsley@...ive.com,
rick.p.edgecombe@...el.com,
broonie@...nel.org,
Szabolcs.Nagy@....com,
kito.cheng@...ive.com,
keescook@...omium.org,
ajones@...tanamicro.com,
conor.dooley@...rochip.com,
cleger@...osinc.com,
atishp@...shpatra.org,
alex@...ti.fr,
bjorn@...osinc.com,
alexghiti@...osinc.com,
samuel.holland@...ive.com,
conor@...nel.org
Cc: linux-doc@...r.kernel.org,
linux-riscv@...ts.infradead.org,
linux-kernel@...r.kernel.org,
devicetree@...r.kernel.org,
linux-mm@...ck.org,
linux-arch@...r.kernel.org,
linux-kselftest@...r.kernel.org,
corbet@....net,
palmer@...belt.com,
aou@...s.berkeley.edu,
robh+dt@...nel.org,
krzysztof.kozlowski+dt@...aro.org,
oleg@...hat.com,
akpm@...ux-foundation.org,
arnd@...db.de,
ebiederm@...ssion.com,
Liam.Howlett@...cle.com,
vbabka@...e.cz,
lstoakes@...il.com,
shuah@...nel.org,
brauner@...nel.org,
debug@...osinc.com,
andy.chiu@...ive.com,
jerry.shih@...ive.com,
hankuan.chen@...ive.com,
greentime.hu@...ive.com,
evan@...osinc.com,
xiao.w.wang@...el.com,
charlie@...osinc.com,
apatel@...tanamicro.com,
mchitale@...tanamicro.com,
dbarboza@...tanamicro.com,
sameo@...osinc.com,
shikemeng@...weicloud.com,
willy@...radead.org,
vincent.chen@...ive.com,
guoren@...nel.org,
samitolvanen@...gle.com,
songshuaishuai@...ylab.org,
gerg@...nel.org,
heiko@...ech.de,
bhe@...hat.com,
jeeheng.sia@...rfivetech.com,
cyy@...self.name,
maskray@...gle.com,
ancientmodern4@...il.com,
mathis.salmen@...sal.de,
cuiyunhui@...edance.com,
bgray@...ux.ibm.com,
mpe@...erman.id.au,
baruch@...s.co.il,
alx@...nel.org,
david@...hat.com,
catalin.marinas@....com,
revest@...omium.org,
josh@...htriplett.org,
shr@...kernel.io,
deller@....de,
omosnace@...hat.com,
ojeda@...nel.org,
jhubbard@...dia.com
Subject: [PATCH v3 13/29] riscv mmu: write protect and shadow stack
`fork` implements copy on write (COW) by making pages readonly in child
and parent both.
ptep_set_wrprotect and pte_wrprotect clears _PAGE_WRITE in PTE.
Assumption is that page is readable and on fault copy on write happens.
To implement COW on such pages, clearing up W bit makes them XWR = 000.
This will result in wrong PTE setting which says no perms but V=1 and PFN
field pointing to final page. Instead desired behavior is to turn it into
a readable page, take an access (load/store) fault on sspush/sspop
(shadow stack) and then perform COW on such pages. This way regular reads
would still be allowed and not lead to COW maintaining current behavior
of COW on non-shadow stack but writeable memory.
On the other hand it doesn't interfere with existing COW for read-write
memory. Assumption is always that _PAGE_READ must have been set and thus
setting _PAGE_READ is harmless.
Signed-off-by: Deepak Gupta <debug@...osinc.com>
---
arch/riscv/include/asm/pgtable.h | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 9b837239d3e8..7a1c2a98d272 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -398,7 +398,7 @@ static inline int pte_special(pte_t pte)
static inline pte_t pte_wrprotect(pte_t pte)
{
- return __pte(pte_val(pte) & ~(_PAGE_WRITE));
+ return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ));
}
/* static inline pte_t pte_mkread(pte_t pte) */
@@ -581,7 +581,15 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm,
static inline void ptep_set_wrprotect(struct mm_struct *mm,
unsigned long address, pte_t *ptep)
{
- atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep);
+ volatile pte_t read_pte = *ptep;
+ /*
+ * ptep_set_wrprotect can be called for shadow stack ranges too.
+ * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to
+ * encoding 000b which is wrong encoding with V = 1. This should lead to page fault
+ * but we dont want this wrong configuration to be set in page tables.
+ */
+ atomic_long_set((atomic_long_t *)ptep,
+ ((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ));
}
#define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH
--
2.43.2
Powered by blists - more mailing lists