Thread: 50 messages, 4 authors, 2021-04-10

Re: [PATCH v24 17/30] mm: Add guard pages around a shadow stack.

From: Kirill A. Shutemov <hidden>
Date: 2021-04-09 15:23:00
Also in: linux-arch, linux-doc, linux-mm, lkml

On Thu, Apr 01, 2021 at 03:10:51PM -0700, Yu-cheng Yu wrote:
INCSSP(Q/D) increments the shadow stack pointer and 'pops and discards' the
first and the last elements in the range, effectively touching those memory
areas.

The maximum moving distance by INCSSPQ is 255 * 8 = 2040 bytes and
255 * 4 = 1020 bytes by INCSSPD.  Both ranges are far from PAGE_SIZE.
Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
CALL, and RET from going beyond.

Signed-off-by: Yu-cheng Yu <redacted>
Cc: Kees Cook <redacted>
Cc: Kirill A. Shutemov <redacted>
---
v24:
- Instead of changing vm_*_gap(), create x86-specific versions.

 arch/x86/include/asm/page_types.h | 17 +++++++++++++++
 arch/x86/mm/mmap.c                | 36 +++++++++++++++++++++++++++++++
 include/linux/mm.h                |  4 ++++
 3 files changed, 57 insertions(+)
diff --git a/arch/x86/include/asm/page_types.h b/arch/x86/include/asm/page_types.h
index a506a411474d..3a5529bcfd76 100644
--- a/arch/x86/include/asm/page_types.h
+++ b/arch/x86/include/asm/page_types.h
@@ -73,6 +73,23 @@ bool pfn_range_is_mapped(unsigned long start_pfn, unsigned long end_pfn);
 
 extern void initmem_init(void);
 
+/*
+ * Shadow stack pointer is moved by CALL, RET, and INCSSP(Q/D).  INCSSPQ
+ * moves shadow stack pointer up to 255 * 8 = ~2 KB (~1KB for INCSSPD) and
+ * touches the first and the last element in the range, which triggers a
+ * page fault if the range is not in a shadow stack.  Because of this,
+ * creating 4-KB guard pages around a shadow stack prevents these
+ * instructions from going beyond.
+ */
+#define SHADOW_STACK_GUARD_GAP PAGE_SIZE
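Review bot: The comment above the define hard-codes "4-KB guard pages" while the macro it documents expands to PAGE_SIZE; word it as a PAGE_SIZE guard page so the text and the definition cannot drift apart. The comment should also state the precondition it relies on: one page is enough only because the largest INCSSP displacement (255 * 8 = 2040 bytes) is smaller than PAGE_SIZE, so the first/last-element loads reach the guard page before the pointer can move past it. A short note such as `/* relies on 255 * 8 < PAGE_SIZE */` next to the define, or a BUILD_BUG_ON(255 * 8 >= PAGE_SIZE) at the use site, would document that dependency.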
The define is only used within arch/x86/mm/mmap.c. Maybe move it there?

Otherwise:

Reviewed-by: Kirill A. Shutemov <redacted>

-- 
 Kirill A. Shutemov
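The argument in the commit message (a guard page on each side suffices because INCSSP can move the shadow stack pointer at most 255 * 8 bytes and touches the first and last element of the range) can be checked exhaustively with a small model. The following C program is an added example, not code from the patch or from the kernel; it assumes a 4 KB page, a constructed four-page shadow stack at an arbitrary user address, and the INCSSP behaviour exactly as the commit message describes it (touch element at SSP and at SSP + (count - 1) * width, then advance SSP by count * width). It also goes beyond the page by letting the guard gap vary, which shows why a 1 KB gap would not contain INCSSPQ while PAGE_SIZE does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model: x86 PAGE_SIZE and the patch's guard gap. */
#define MODEL_PAGE_SIZE 4096UL
#define SHADOW_STACK_GUARD_GAP MODEL_PAGE_SIZE

/* Where an address touched by the shadow stack pointer lands. */
enum region { IN_STACK, IN_GUARD, BEYOND_GUARD };

/* Constructed shadow stack mapping [base, top) with 'gap' bytes of guard on each side. */
struct shstk {
    uint64_t base;
    uint64_t top;
    uint64_t gap;
};

static enum region classify(const struct shstk *s, uint64_t addr)
{
    if (addr >= s->base && addr < s->top)
        return IN_STACK;
    if (addr >= s->base - s->gap && addr < s->base)
        return IN_GUARD;
    if (addr >= s->top && addr < s->top + s->gap)
        return IN_GUARD;
    return BEYOND_GUARD;
}

/*
 * Model of INCSSPQ (width 8) and INCSSPD (width 4), following the commit
 * message: the instruction touches the first element (at ssp) and the last
 * element (at ssp + (count - 1) * width), then moves SSP by count * width.
 * Returns the farthest region either touched element lands in.
 */
static enum region incssp_touch(const struct shstk *s, uint64_t ssp,
                                unsigned count, unsigned width)
{
    enum region first, last;

    if (count == 0)         /* a zero count touches nothing */
        return IN_STACK;
    first = classify(s, ssp);
    last = classify(s, ssp + (uint64_t)(count - 1) * width);
    return first > last ? first : last;
}

/* Largest SSP move INCSSP can make: the count operand is masked to 8 bits. */
static uint64_t max_incssp_move(unsigned width)
{
    return 255ULL * width;
}

/*
 * Exhaustive check: from every element-aligned SSP inside the stack, can any
 * INCSSP count reach memory past a guard of 'gap' bytes without first
 * touching the guard itself?  True means the guard contains every move.
 */
static bool guard_contains_incssp(uint64_t gap, unsigned width)
{
    /* Constructed four-page shadow stack at an arbitrary user address. */
    struct shstk s = {
        .base = 0x7f0000001000ULL,
        .top  = 0x7f0000001000ULL + 4 * MODEL_PAGE_SIZE,
        .gap  = gap,
    };

    for (uint64_t ssp = s.base; ssp < s.top; ssp += width)
        for (unsigned count = 1; count <= 255; count++)
            if (incssp_touch(&s, ssp, count, width) == BEYOND_GUARD)
                return false;
    return true;
}

int main(void)
{
    printf("max INCSSPQ move: %llu bytes, max INCSSPD move: %llu bytes\n",
           (unsigned long long)max_incssp_move(8),
           (unsigned long long)max_incssp_move(4));
    printf("PAGE_SIZE gap, INCSSPQ: %s\n",
           guard_contains_incssp(SHADOW_STACK_GUARD_GAP, 8) ? "contained" : "escapes");
    printf("PAGE_SIZE gap, INCSSPD: %s\n",
           guard_contains_incssp(SHADOW_STACK_GUARD_GAP, 4) ? "contained" : "escapes");
    printf("1 KB gap, INCSSPQ: %s\n",
           guard_contains_incssp(1024, 8) ? "contained" : "escapes");
    return 0;
}
```

The check only models the upward movement of SSP that INCSSP performs; CALL and RET move the pointer by one element and are covered trivially by the same range check. With a 1 KB gap the last touched element of a 255-count INCSSPQ issued near the top of the stack lands 2024 bytes past the end, beyond the guard, which is the case the PAGE_SIZE choice rules out.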