| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANXhq0pqoCZXhjMx7DwO6Yc8TMEbG1XE2PUEeF_pOsj8yxLdMQ@mail.gmail.com>
Date: Fri, 14 Mar 2025 16:30:02 +0800
From: Zong Li <zong.li@...ive.com>
To: Deepak Gupta <debug@...osinc.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>, Andrew Morton <akpm@...ux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>, Vlastimil Babka <vbabka@...e.cz>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>,
Conor Dooley <conor@...nel.org>, Rob Herring <robh@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Arnd Bergmann <arnd@...db.de>,
Christian Brauner <brauner@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
Oleg Nesterov <oleg@...hat.com>, Eric Biederman <ebiederm@...ssion.com>, Kees Cook <kees@...nel.org>,
Jonathan Corbet <corbet@....net>, Shuah Khan <shuah@...nel.org>, Jann Horn <jannh@...gle.com>,
Conor Dooley <conor+dt@...nel.org>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
linux-riscv@...ts.infradead.org, devicetree@...r.kernel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kselftest@...r.kernel.org, alistair.francis@....com,
richard.henderson@...aro.org, jim.shu@...ive.com, andybnac@...il.com,
kito.cheng@...ive.com, charlie@...osinc.com, atishp@...osinc.com,
evan@...osinc.com, cleger@...osinc.com, alexghiti@...osinc.com,
samitolvanen@...gle.com, broonie@...nel.org, rick.p.edgecombe@...el.com
Subject: Re: [PATCH v11 10/27] riscv/mm: Implement map_shadow_stack() syscall
On Mon, Mar 10, 2025 at 11:42 PM Deepak Gupta <debug@...osinc.com> wrote:
>
> As discussed extensively in the changelog for the addition of this
> syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the
> existing mmap() and madvise() syscalls do not map entirely well onto the
> security requirements for shadow stack memory since they lead to windows
> where memory is allocated but not yet protected or stacks which are not
> properly and safely initialised. Instead a new syscall map_shadow_stack()
> has been defined which allocates and initialises a shadow stack page.
>
> This patch implements this syscall for riscv. riscv doesn't require token
> to be setup by kernel because user mode can do that by itself. However to
> provide compatibility and portability with other architectues, user mode
> can specify token set flag.
>
> Signed-off-by: Deepak Gupta <debug@...osinc.com>
> ---
> arch/riscv/kernel/Makefile | 1 +
> arch/riscv/kernel/usercfi.c | 144 ++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 145 insertions(+)
>
> diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
> index 8d186bfced45..3a861d320654 100644
> --- a/arch/riscv/kernel/Makefile
> +++ b/arch/riscv/kernel/Makefile
> @@ -125,3 +125,4 @@ obj-$(CONFIG_ACPI) += acpi.o
> obj-$(CONFIG_ACPI_NUMA) += acpi_numa.o
>
> obj-$(CONFIG_GENERIC_CPU_VULNERABILITIES) += bugs.o
> +obj-$(CONFIG_RISCV_USER_CFI) += usercfi.o
> diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
> new file mode 100644
> index 000000000000..24022809a7b5
> --- /dev/null
> +++ b/arch/riscv/kernel/usercfi.c
> @@ -0,0 +1,144 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2024 Rivos, Inc.
> + * Deepak Gupta <debug@...osinc.com>
> + */
> +
> +#include <linux/sched.h>
> +#include <linux/bitops.h>
> +#include <linux/types.h>
> +#include <linux/mm.h>
> +#include <linux/mman.h>
> +#include <linux/uaccess.h>
> +#include <linux/sizes.h>
> +#include <linux/user.h>
> +#include <linux/syscalls.h>
> +#include <linux/prctl.h>
> +#include <asm/csr.h>
> +#include <asm/usercfi.h>
> +
> +#define SHSTK_ENTRY_SIZE sizeof(void *)
> +
> +/*
> + * Writes on shadow stack can either be `sspush` or `ssamoswap`. `sspush` can happen
> + * implicitly on current shadow stack pointed to by CSR_SSP. `ssamoswap` takes pointer to
> + * shadow stack. To keep it simple, we plan to use `ssamoswap` to perform writes on shadow
> + * stack.
> + */
> +static noinline unsigned long amo_user_shstk(unsigned long *addr, unsigned long val)
> +{
> + /*
> + * Never expect -1 on shadow stack. Expect return addresses and zero
> + */
> + unsigned long swap = -1;
> +
> + __enable_user_access();
> + asm goto(
> + ".option push\n"
> + ".option arch, +zicfiss\n"
> + "1: ssamoswap.d %[swap], %[val], %[addr]\n"
> + _ASM_EXTABLE(1b, %l[fault])
> + RISCV_ACQUIRE_BARRIER
> + ".option pop\n"
> + : [swap] "=r" (swap), [addr] "+A" (*addr)
> + : [val] "r" (val)
> + : "memory"
> + : fault
> + );
> + __disable_user_access();
> + return swap;
> +fault:
> + __disable_user_access();
> + return -1;
> +}
> +
> +/*
> + * Create a restore token on the shadow stack. A token is always XLEN wide
> + * and aligned to XLEN.
> + */
> +static int create_rstor_token(unsigned long ssp, unsigned long *token_addr)
> +{
> + unsigned long addr;
> +
> + /* Token must be aligned */
> + if (!IS_ALIGNED(ssp, SHSTK_ENTRY_SIZE))
> + return -EINVAL;
> +
> + /* On RISC-V we're constructing token to be function of address itself */
> + addr = ssp - SHSTK_ENTRY_SIZE;
> +
> + if (amo_user_shstk((unsigned long __user *)addr, (unsigned long)ssp) == -1)
> + return -EFAULT;
> +
> + if (token_addr)
> + *token_addr = addr;
> +
> + return 0;
> +}
> +
> +static unsigned long allocate_shadow_stack(unsigned long addr, unsigned long size,
> + unsigned long token_offset, bool set_tok)
> +{
> + int flags = MAP_ANONYMOUS | MAP_PRIVATE;
> + struct mm_struct *mm = current->mm;
> + unsigned long populate, tok_loc = 0;
> +
> + if (addr)
> + flags |= MAP_FIXED_NOREPLACE;
> +
> + mmap_write_lock(mm);
> + addr = do_mmap(NULL, addr, size, PROT_READ, flags,
> + VM_SHADOW_STACK | VM_WRITE, 0, &populate, NULL);
> + mmap_write_unlock(mm);
> +
> + if (!set_tok || IS_ERR_VALUE(addr))
> + goto out;
> +
> + if (create_rstor_token(addr + token_offset, &tok_loc)) {
> + vm_munmap(addr, size);
> + return -EINVAL;
> + }
> +
> + addr = tok_loc;
> +
> +out:
> + return addr;
> +}
> +
> +SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
> +{
> + bool set_tok = flags & SHADOW_STACK_SET_TOKEN;
> + unsigned long aligned_size = 0;
> +
> + if (!cpu_supports_shadow_stack())
> + return -EOPNOTSUPP;
> +
> + /* Anything other than set token should result in invalid param */
> + if (flags & ~SHADOW_STACK_SET_TOKEN)
> + return -EINVAL;
> +
> + /*
> + * Unlike other architectures, on RISC-V, SSP pointer is held in CSR_SSP and is available
> + * CSR in all modes. CSR accesses are performed using 12bit index programmed in instruction
> + * itself. This provides static property on register programming and writes to CSR can't
> + * be unintentional from programmer's perspective. As long as programmer has guarded areas
> + * which perform writes to CSR_SSP properly, shadow stack pivoting is not possible. Since
> + * CSR_SSP is writeable by user mode, it itself can setup a shadow stack token subsequent
> + * to allocation. Although in order to provide portablity with other architecture (because
> + * `map_shadow_stack` is arch agnostic syscall), RISC-V will follow expectation of a token
> + * flag in flags and if provided in flags, setup a token at the base.
> + */
> +
> + /* If there isn't space for a token */
> + if (set_tok && size < SHSTK_ENTRY_SIZE)
> + return -ENOSPC;
> +
> + if (addr && (addr & (PAGE_SIZE - 1)))
> + return -EINVAL;
> +
> + aligned_size = PAGE_ALIGN(size);
> + if (aligned_size < size)
> + return -EOVERFLOW;
> +
> + return allocate_shadow_stack(addr, aligned_size, size, set_tok);
> +}
>
LGTM.
Reviewed-by: Zong Li <zong.li@...ive.com>
> --
> 2.34.1
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@...ts.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
Powered by blists - more mailing lists