| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7109dfcc6df5a610dcfe35a77bb7a84f8932485b.camel@intel.com> Date: Fri, 1 Nov 2024 21:50:27 +0000 From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> To: "debug@...osinc.com" <debug@...osinc.com>, "Liam.Howlett@...cle.com" <Liam.Howlett@...cle.com>, "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "bp@...en8.de" <bp@...en8.de>, "lorenzo.stoakes@...cle.com" <lorenzo.stoakes@...cle.com>, "hpa@...or.com" <hpa@...or.com>, "mingo@...hat.com" <mingo@...hat.com>, "tglx@...utronix.de" <tglx@...utronix.de>, "x86@...nel.org" <x86@...nel.org>, "vbabka@...e.cz" <vbabka@...e.cz>, "arnd@...db.de" <arnd@...db.de>, "akpm@...ux-foundation.org" <akpm@...ux-foundation.org> CC: "linux-mm@...ck.org" <linux-mm@...ck.org>, "broonie@...nel.org" <broonie@...nel.org>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org> Subject: Re: [PATCH RFC/RFT v2 2/2] kernel: converge common shadow stack flow agnostic to arch On Wed, 2024-10-16 at 14:57 -0700, Deepak Gupta wrote: > -/* > - * VM_SHADOW_STACK will have a guard page. This helps userspace protect > - * itself from attacks. The reasoning is as follows: > - * > - * The shadow stack pointer(SSP) is moved by CALL, RET, and INCSSPQ. The > - * INCSSP instruction can increment the shadow stack pointer. It is the > - * shadow stack analog of an instruction like: > - * > - * addq $0x80, %rsp > - * > - * However, there is one important difference between an ADD on %rsp > - * and INCSSP. In addition to modifying SSP, INCSSP also reads from the > - * memory of the first and last elements that were "popped". It can be > - * thought of as acting like this: > - * > - * READ_ONCE(ssp); // read+discard top element on stack > - * ssp += nr_to_pop * 8; // move the shadow stack > - * READ_ONCE(ssp-8); // read+discard last popped stack element > - * > - * The maximum distance INCSSP can move the SSP is 2040 bytes, before > - * it would read the memory. Therefore a single page gap will be enough > - * to prevent any operation from shifting the SSP to an adjacent stack, > - * since it would have to land in the gap at least once, causing a > - * fault. > - */ I want to take a deeper look at this series once I can apply and test it, but can we maybe make this comment more generic and keep it? I think it is similar reasoning for arm (?), is there anything situation like this for risc-v? Or rather, why does risc-v have the guard gaps?
Powered by blists - more mailing lists