| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dbc210a3-7653-444a-9dcc-b8d4ea92bd9b@sirena.org.uk>
Date: Wed, 17 Jul 2024 16:28:27 +0100
From: Mark Brown <broonie@...nel.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Cc: "fweimer@...hat.com" <fweimer@...hat.com>,
"sroettger@...gle.com" <sroettger@...gle.com>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"ross.burton@....com" <ross.burton@....com>,
"suzuki.poulose@....com" <suzuki.poulose@....com>,
"Szabolcs.Nagy@....com" <Szabolcs.Nagy@....com>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-riscv@...ts.infradead.org" <linux-riscv@...ts.infradead.org>,
"Schimpe, Christina" <christina.schimpe@...el.com>,
"kvmarm@...ts.linux.dev" <kvmarm@...ts.linux.dev>,
"corbet@....net" <corbet@....net>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"catalin.marinas@....com" <catalin.marinas@....com>,
"kees@...nel.org" <kees@...nel.org>,
"oliver.upton@...ux.dev" <oliver.upton@...ux.dev>,
"palmer@...belt.com" <palmer@...belt.com>,
"debug@...osinc.com" <debug@...osinc.com>,
"aou@...s.berkeley.edu" <aou@...s.berkeley.edu>,
"shuah@...nel.org" <shuah@...nel.org>,
"arnd@...db.de" <arnd@...db.de>, "maz@...nel.org" <maz@...nel.org>,
"oleg@...hat.com" <oleg@...hat.com>,
"thiago.bauermann@...aro.org" <thiago.bauermann@...aro.org>,
"Pandey, Sunil K" <sunil.k.pandey@...el.com>,
"james.morse@....com" <james.morse@....com>,
"ebiederm@...ssion.com" <ebiederm@...ssion.com>,
"brauner@...nel.org" <brauner@...nel.org>,
"will@...nel.org" <will@...nel.org>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
"paul.walmsley@...ive.com" <paul.walmsley@...ive.com>,
"ardb@...nel.org" <ardb@...nel.org>,
"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>
Subject: Re: [PATCH v9 05/39] arm64/gcs: Document the ABI for Guarded Control
Stacks
On Tue, Jul 16, 2024 at 06:50:12PM +0000, Edgecombe, Rick P wrote:
> On Wed, 2024-07-10 at 19:27 +0100, Mark Brown wrote:
> > On Wed, Jul 10, 2024 at 12:36:21PM +0200, Florian Weimer wrote:
> > > We also have a gap on x86-64 for backtrace generation because the
> > > interrupted instruction address does not end up on the shadow stack.
> > > This address is potentially quite interesting for backtrace generation.
> > > I assume it's currently missing because the kernel does not resume
> > > execution using a regular return instruction. It would be really useful
> > > if it could be pushed to the shadow stack, or recoverable from the
> > > shadow stack in some other way (e.g., the address of the signal context
> > > could be pushed instead). That would need some form of marker as well.
> > Right, we'd have to manually consume any extra address we put on the
> > GCS. I'm not seeing any gagetisation issues with writing an extra value
> > there that isn't a valid stack cap at the minute but I'll need to think
> > it through properly - don't know if anyone else has thoughts here?
> Shadow stack has one main usage (security) and another less proven, but
> interesting usage for backtracing. I'm wary of adding things to the shadow stack
> as they come up in an ad-hoc fashion, especially for the fuzzier usage. Do you
> have a handle on everything the tracing usage would need?
Yeah, the current instruction pointer seems fairly straightforward to
idiomatically fit in there but going beyond that gets tricker.
> But besides that I've wondered if there could be a security benefit to adding
> some fields of the sigframe (RIP being the prime one) to the shadow stack, or a
> cryptographic hash of the sigframe.
One trick with trying to actually validate anything extra we put in
there from the sigframe would be that one of the things a signal handler
can do is modify the signal context - for the specific case of RIP
that'd be an issue for rseq for example.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists