Thread (107 messages) 107 messages, 7 authors, 2020-04-08
STALE2276d
Revisions (26)
  1. v6 [diff vs current]
  2. v7 [diff vs current]
  3. v8 [diff vs current]
  4. v9 current
  5. v10 [diff vs current]
  6. v11 [diff vs current]
  7. v12 [diff vs current]
  8. v13 [diff vs current]
  9. v14 [diff vs current]
  10. v14 [diff vs current]
  11. v15 [diff vs current]
  12. v16 [diff vs current]
  13. v17 [diff vs current]
  14. v18 [diff vs current]
  15. v19 [diff vs current]
  16. v20 [diff vs current]
  17. v21 [diff vs current]
  18. v22 [diff vs current]
  19. v23 [diff vs current]
  20. v24 [diff vs current]
  21. v25 [diff vs current]
  22. v26 [diff vs current]
  23. v27 [diff vs current]
  24. v28 [diff vs current]
  25. v29 [diff vs current]
  26. v30 [diff vs current]

[RFC PATCH v9 07/27] Add guard pages around a Shadow Stack.

From: Yu-cheng Yu <hidden>
Date: 2020-02-05 18:22:30
Also in: linux-arch, linux-doc, linux-mm, lkml
Subsystem: memory management - core, the rest · Maintainers: Andrew Morton, David Hildenbrand, Linus Torvalds

INCSSPD/INCSSPQ instruction is used to unwind a Shadow Stack (SHSTK).  It
performs 'pop and discard' of the first and last element from SHSTK in the
range specified in the operand.  The maximum value of the operand is 255,
and the maximum moving distance of the SHSTK pointer is 255 * 4 for
INCSSPD, 255 * 8 for INCSSPQ.

Since SHSTK has a fixed size, creating a guard page above prevents
INCSSP/RET from moving beyond.  Likewise, creating a guard page below
prevents CALL from underflowing the SHSTK.

Signed-off-by: Yu-cheng Yu <redacted>
---
 include/linux/mm.h | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index b5145fbe102e..75de07674649 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2464,9 +2464,15 @@ static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * m
 static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
 {
 	unsigned long vm_start = vma->vm_start;
+	unsigned long gap = 0;
 
-	if (vma->vm_flags & VM_GROWSDOWN) {
-		vm_start -= stack_guard_gap;
+	if (vma->vm_flags & VM_GROWSDOWN)
+		gap = stack_guard_gap;
+	else if (vma->vm_flags & VM_SHSTK)
+		gap = PAGE_SIZE;
+
+	if (gap != 0) {
+		vm_start -= gap;
 		if (vm_start > vma->vm_start)
 			vm_start = 0;
 	}
@@ -2476,9 +2482,15 @@ static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
 static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
 {
 	unsigned long vm_end = vma->vm_end;
+	unsigned long gap = 0;
+
+	if (vma->vm_flags & VM_GROWSUP)
+		gap = stack_guard_gap;
+	else if (vma->vm_flags & VM_SHSTK)
+		gap = PAGE_SIZE;
 
-	if (vma->vm_flags & VM_GROWSUP) {
-		vm_end += stack_guard_gap;
+	if (gap != 0) {
+		vm_end += gap;
 		if (vm_end < vma->vm_end)
 			vm_end = -PAGE_SIZE;
 	}
-- 
2.21.0
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help