lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Zo7SdDT_cBp6uXgT@finisterre.sirena.org.uk>
Date: Wed, 10 Jul 2024 19:27:00 +0100
From: Mark Brown <broonie@...nel.org>
To: Florian Weimer <fweimer@...hat.com>
Cc: Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>, Jonathan Corbet <corbet@....net>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Marc Zyngier <maz@...nel.org>,
	Oliver Upton <oliver.upton@...ux.dev>,
	James Morse <james.morse@....com>,
	Suzuki K Poulose <suzuki.poulose@....com>,
	Arnd Bergmann <arnd@...db.de>, Oleg Nesterov <oleg@...hat.com>,
	Eric Biederman <ebiederm@...ssion.com>,
	Shuah Khan <shuah@...nel.org>,
	"Rick P. Edgecombe" <rick.p.edgecombe@...el.com>,
	Deepak Gupta <debug@...osinc.com>, Ard Biesheuvel <ardb@...nel.org>,
	Szabolcs Nagy <Szabolcs.Nagy@....com>, Kees Cook <kees@...nel.org>,
	"H.J. Lu" <hjl.tools@...il.com>,
	Paul Walmsley <paul.walmsley@...ive.com>,
	Palmer Dabbelt <palmer@...belt.com>,
	Albert Ou <aou@...s.berkeley.edu>,
	Christian Brauner <brauner@...nel.org>,
	Thiago Jung Bauermann <thiago.bauermann@...aro.org>,
	Ross Burton <ross.burton@....com>,
	linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
	kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
	linux-arch@...r.kernel.org, linux-mm@...ck.org,
	linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-riscv@...ts.infradead.org,
	"Schimpe, Christina" <christina.schimpe@...el.com>,
	"Pandey, Sunil K" <sunil.k.pandey@...el.com>
Subject: Re: [PATCH v9 05/39] arm64/gcs: Document the ABI for Guarded Control
 Stacks

On Wed, Jul 10, 2024 at 12:36:21PM +0200, Florian Weimer wrote:
> * Mark Brown:

> > +* When GCS is enabled for the interrupted thread a signal handling specific
> > +  GCS cap token will be written to the GCS, this is an architectural GCS cap
> > +  token with bit 63 set and the token type (bits 0..11) all clear.  The
> > +  GCSPR_EL0 reported in the signal frame will point to this cap token.

> How does this marker interfere with Top Byte Ignore (TBI; I hope I got
> the name right)?  The specification currently does not say that only
> addresses pushed to the shadow stack with the top byte cleared, which
> potentially makes the markup ambiguous.  On x86-64, the same issue may

Indeed...  Given that we use the address on the GCS as part of the token
on first pass I think we could get away with just using the address and
not setting the top bit, we'd have an invalid cap pointing into a GCS
page which shouldn't otherwise be on the GCS.  I'll give that some more
thought.

> exist with LAM.  I have not tested yet what happens there.  On AArch64
> and RISC-V, it may be more natural to use the LSB instead of the LSB for
> the mark bit because of its instruction alignment.

The LSB is already taken by the architecture on aarch64, the bottom bits
of the value are used for the token type field with no values/bits
reserved for software use.

> We also have a gap on x86-64 for backtrace generation because the
> interrupted instruction address does not end up on the shadow stack.
> This address is potentially quite interesting for backtrace generation.
> I assume it's currently missing because the kernel does not resume
> execution using a regular return instruction.  It would be really useful
> if it could be pushed to the shadow stack, or recoverable from the
> shadow stack in some other way (e.g., the address of the signal context
> could be pushed instead).  That would need some form of marker as well.

Right, we'd have to manually consume any extra address we put on the
GCS.  I'm not seeing any gagetisation issues with writing an extra value
there that isn't a valid stack cap at the minute but I'll need to think
it through properly - don't know if anyone else has thoughts here?

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ