| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250921-arm64-gcs-exit-token-v1-0-45cf64e648d5@kernel.org>
Date: Sun, 21 Sep 2025 14:21:34 +0100
From: Mark Brown <broonie@...nel.org>
To: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, Christian Brauner <brauner@...nel.org>,
Adhemerval Zanella Netto <adhemerval.zanella@...aro.org>,
Shuah Khan <shuah@...nel.org>
Cc: Rick Edgecombe <rick.p.edgecombe@...el.com>,
Deepak Gupta <debug@...osinc.com>, Wilco Dijkstra <wilco.dijkstra@....com>,
Carlos O'Donell <codonell@...hat.com>, Florian Weimer <fweimer@...hat.com>,
Szabolcs Nagy <nsz@...t70.net>, Rich Felker <dalias@...c.org>,
libc-alpha@...rceware.org, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
Mark Brown <broonie@...nel.org>
Subject: [PATCH RFC 0/3] arm64/gcs: Allow reuse of user managed shadow
stacks
During the discussion of the clone3() support for shadow stacks concerns
were raised from the glibc side that since it is not possible to reuse
the allocated shadow stack[1]. This means that the benefit of being able
to manage allocations is greatly reduced, for example it is not possible
to integrate the shadow stacks into the glibc thread stack cache. The
stack can be inspected but otherwise it would have to be unmapped and
remapped before it could be used again, it's not clear that this is
better than managing things in the kernel.
In that discussion I suggested that we could enable reuse by writing a
token to the shadow stack of exiting threads, mirroring how the
userspace stack pivot instructions write a token to the outgoing stack.
As mentioned by Florian[2] glibc already unwinds the stack and exits the
thread from the start routine which would integrate nicely with this,
the shadow stack pointer will be at the same place as it was when the
thread started.
This would not write a token if the thread doesn't exit cleanly, that
seems viable to me - users should probably handle this by double
checking that a token is present after waiting for the thread.
This is tagged as a RFC since I put it together fairly quickly to
demonstrate the proposal and the suggestion hasn't had much response
either way from the glibc developers. At the very least we don't
currently handle scheduling during exit(), or distinguish why the thread
is exiting. I've also not done anything about x86.
[1] https://marc.info/?l=glibc-alpha&m=175821637429537&w=2
[2] https://marc.info/?l=glibc-alpha&m=175733266913483&w=2
Signed-off-by: Mark Brown <broonie@...nel.org>
---
Mark Brown (3):
arm64/gcs: Support reuse of GCS for exited threads
kselftest/arm64: Validate PR_SHADOW_STACK_EXIT_TOKEN in basic-gcs
kselftest/arm64: Add PR_SHADOW_STACK_EXIT_TOKEN to gcs-locking
arch/arm64/include/asm/gcs.h | 3 +-
arch/arm64/mm/gcs.c | 25 ++++-
include/uapi/linux/prctl.h | 1 +
tools/testing/selftests/arm64/gcs/basic-gcs.c | 121 ++++++++++++++++++++++++
tools/testing/selftests/arm64/gcs/gcs-locking.c | 23 +++++
tools/testing/selftests/arm64/gcs/gcs-util.h | 3 +-
6 files changed, 173 insertions(+), 3 deletions(-)
---
base-commit: 0b67d4b724b4afed2690c21bef418b8a803c5be2
change-id: 20250919-arm64-gcs-exit-token-82c3c2570aad
prerequisite-change-id: 20231019-clone3-shadow-stack-15d40d2bf536
Best regards,
--
Mark Brown <broonie@...nel.org>
Powered by blists - more mailing lists