Thread (73 messages) 73 messages, 9 authors, 2018-09-14

Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Yu-cheng Yu <hidden>
Date: 2018-08-30 17:58:43
Also in: linux-arch, linux-doc, linux-mm, lkml

On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote:
On 08/30/2018 10:26 AM, Yu-cheng Yu wrote:
quoted
We don't have the guard page now, but there is a shadow stack
token
there, which cannot be used as a return address.
The overall concern is that we could overflow into a page that we
did
not intend.  Either another actual shadow stack or something that a
page
that the attacker constructed, like the transient scenario Jann
described.
A task could go beyond the bottom of its shadow stack by doing either
'ret' or 'incssp'.  If it is the 'ret' case, the token prevents it.
 If it is the 'incssp' case, a guard page cannot prevent it entirely,
right?

Yu-cheng
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help