Thread (73 messages) 73 messages, 9 authors, 2018-09-14

Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Yu-cheng Yu <hidden>
Date: 2018-08-30 20:57:04
Also in: linux-arch, linux-doc, linux-mm, lkml

On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote:
On Thu, Aug 30, 2018 at 10:25 PM Yu-cheng Yu [off-list ref]
wrote:
...
quoted
In the flow you described, if C writes to the overflow page before
B
gets in with a 'call', the return address is still correct for
B.  To
make an attack, C needs to write again before the TLB flush.  I
agree
that is possible.

Assume we have a guard page, can someone in the short window do
recursive calls in B, move ssp to the end of the guard page, and
trigger the same again?  He can simply take the incssp route.
I don't understand what you're saying. If the shadow stack is
between
guard pages, you should never be able to move SSP past that area's
guard pages without an appropriate shadow stack token (not even with
INCSSP, since that has a maximum range of PAGE_SIZE/2), and
therefore,
it shouldn't matter whether memory outside that range is incorrectly
marked as shadow stack. Am I missing something?
INCSSP has a range of 256, but we can do multiple of that.
But I realize the key is not to have the transient SHSTK page at all.
The guard page is !pte_write() and even we have flaws in
ptep_set_wrprotect(), there will not be any transient SHSTK pages. I
will add guard pages to both ends.

Still thinking how to fix ptep_set_wrprotect().

Yu-cheng
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help