| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZsYqfJ3V_-ljqlwq@arm.com>
Date: Wed, 21 Aug 2024 18:57:16 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Mark Brown <broonie@...nel.org>
Cc: Will Deacon <will@...nel.org>, Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>,
Marc Zyngier <maz@...nel.org>,
Oliver Upton <oliver.upton@...ux.dev>,
James Morse <james.morse@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Arnd Bergmann <arnd@...db.de>, Oleg Nesterov <oleg@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Shuah Khan <shuah@...nel.org>,
"Rick P. Edgecombe" <rick.p.edgecombe@...el.com>,
Deepak Gupta <debug@...osinc.com>, Ard Biesheuvel <ardb@...nel.org>,
Szabolcs Nagy <Szabolcs.Nagy@....com>, Kees Cook <kees@...nel.org>,
"H.J. Lu" <hjl.tools@...il.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Florian Weimer <fweimer@...hat.com>,
Christian Brauner <brauner@...nel.org>,
Thiago Jung Bauermann <thiago.bauermann@...aro.org>,
Ross Burton <ross.burton@....com>,
linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-mm@...ck.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-riscv@...ts.infradead.org
Subject: Re: [PATCH v10 25/40] arm64/ptrace: Expose GCS via ptrace and core
files
On Thu, Aug 01, 2024 at 01:06:52PM +0100, Mark Brown wrote:
> @@ -1440,6 +1441,51 @@ static int tagged_addr_ctrl_set(struct task_struct *target, const struct
> }
> #endif
>
> +#ifdef CONFIG_ARM64_GCS
> +static int gcs_get(struct task_struct *target,
> + const struct user_regset *regset,
> + struct membuf to)
> +{
> + struct user_gcs user_gcs;
> +
> + if (target == current)
> + gcs_preserve_current_state();
> +
> + user_gcs.features_enabled = target->thread.gcs_el0_mode;
> + user_gcs.features_locked = target->thread.gcs_el0_locked;
> + user_gcs.gcspr_el0 = target->thread.gcspr_el0;
If it's not the current thread, I guess the task was interrupted,
scheduled out (potentially on another CPU) and its GCSPR_EL0 saved.
> +
> + return membuf_write(&to, &user_gcs, sizeof(user_gcs));
> +}
> +
> +static int gcs_set(struct task_struct *target, const struct
> + user_regset *regset, unsigned int pos,
> + unsigned int count, const void *kbuf, const
> + void __user *ubuf)
> +{
> + int ret;
> + struct user_gcs user_gcs;
> +
> + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &user_gcs, 0, -1);
> + if (ret)
> + return ret;
> +
> + if (user_gcs.features_enabled & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK)
> + return -EINVAL;
> +
> + /* Do not allow enable via ptrace */
> + if ((user_gcs.features_enabled & PR_SHADOW_STACK_ENABLE) &&
> + !(target->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE))
> + return -EBUSY;
> +
> + target->thread.gcs_el0_mode = user_gcs.features_enabled;
> + target->thread.gcs_el0_locked = user_gcs.features_locked;
> + target->thread.gcspr_el0 = user_gcs.gcspr_el0;
As in the previous thread, I thought we need to restore GCSPR_EL0
unconditionally.
I don't particularly like that this register becomes some scrap one that
threads can use regardless of GCS. Not sure we have a simple solution.
We could track three states: GCS never enabled, GCS enabled and GCS
disabled after being enabled. It's probably not worth it.
On ptrace() access to the shadow stack, we rely on the barrier in the
context switch code if stopping a thread. If other threads are running
on other CPUs, it's racy anyway even for normal accesses, so I don't
think we need to do anything more for ptrace.
--
Catalin
Powered by blists - more mailing lists