Thread: 222 messages, 21 authors, 2022-11-03

Re: [PATCH v2 15/39] x86/mm: Check Shadow Stack page fault errors

From: Peter Zijlstra <peterz@infradead.org>
Date: 2022-10-14 10:07:53
Also in: linux-arch, linux-doc, linux-mm, lkml

On Thu, Sep 29, 2022 at 03:29:12PM -0700, Rick Edgecombe wrote:
The architecture has concepts of both shadow stack reads and shadow stack
writes. Any shadow stack access to non-shadow stack memory will generate
a fault with the shadow stack error code bit set.

This means that, unlike normal write protection, the fault handler needs
to create a type of memory that can be written to (with instructions that
generate shadow stack writes), even to fulfill a read access. So in the
case of COW memory, the COW needs to take place even with a shadow stack
read. Otherwise the page will be left (shadow stack) writable in
userspace. So to trigger the appropriate behavior, set FAULT_FLAG_WRITE
for shadow stack accesses, even if the access was a shadow stack read.

That ^ should be moved into the comment below

 - Clarify reasoning for FAULT_FLAG_WRITE for all shadow stack accesses
@@ -1300,6 +1314,13 @@ void do_user_addr_fault(struct pt_regs *regs,
 
 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
 
+	/*
+	 * In order to fullfull a shadow stack access, the page needs
+	 * to be made (shadow stack) writable. So treat all shadow stack
+	 * accesses as writes.
+	 */
Because that's impenetrable.
+	if (error_code & X86_PF_SHSTK)
+		flags |= FAULT_FLAG_WRITE;
 	if (error_code & X86_PF_WRITE)
 		flags |= FAULT_FLAG_WRITE;
 	if (error_code & X86_PF_INSTR)
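Review bot: the comment above the X86_PF_SHSTK test says that all shadow stack accesses are treated as writes but not why a shadow stack read needs that, and "fullfull" should be "fulfill". The reason is in the changelog and belongs here: without FAULT_FLAG_WRITE a shadow stack read of a COW page would skip the copy and leave the page (shadow stack) writable in userspace. The new test also sets the same flag as the X86_PF_WRITE test directly below it, so the two could be folded into one check on error_code & (X86_PF_WRITE | X86_PF_SHSTK), with the comment covering both cases.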
-- 
2.17.1