Thread (32 messages) 32 messages, 5 authors, 2023-11-20

Re: [PATCH RFC RFT v2 2/5] fork: Add shadow stack support to clone3()

From: Mark Brown <broonie@kernel.org>
Date: 2023-11-15 18:44:01
Also in: linux-kselftest, lkml 

On Wed, Nov 15, 2023 at 04:20:12PM +0000, Szabolcs.Nagy@arm.com wrote:
The 11/15/2023 12:36, Mark Brown wrote:
quoted
On Wed, Nov 15, 2023 at 12:45:45AM +0000, Edgecombe, Rick P wrote:
quoted
On Tue, 2023-11-14 at 20:05 +0000, Mark Brown wrote:
quoted
quoted
quoted
+               if (size < 8)
+                       return (unsigned long)ERR_PTR(-EINVAL);
quoted
quoted
What is the intention here? The check in map_shadow_stack is to leave
space for the token, but here there is no token.
quoted
It was to ensure that there is sufficient space for at least one entry
on the stack.
end marker token (0) needs it i guess.
x86 doesn't currently have end markers.  Actually, that's a point -
should we add a flag for specifying the use of end markers here?
There's code in my map_shadow_stack() implementation for arm64 which
does that.

otherwise 0 size would be fine: the child may not execute
a call instruction at all.
Well, a size of specifically zero will result in a fallback to implicit
allocation/sizing of the stack as things stand so this is specifically
the case where a size has been specified but is smaller than a single
entry.

quoted
quoted
I think for CLONE_VM we should not require a non-zero size. Speaking of
CLONE_VM we should probably be clear on what the expected behavior is
for situations when a new shadow stack is not usually allocated.
!CLONE_VM || CLONE_VFORK will use the existing shadow stack. Should we
require shadow_stack_size be zero in this case, or just ignore it? I'd
lean towards requiring it to be zero so userspace doesn't pass garbage
in that we have to accommodate later. What we could possibly need to do
around that though, I'm not sure. What do you think?
quoted
Yes, requiring it to be zero in that case makes sense I think.
i think the condition is "no specified separate stack for
the child (stack==0 || stack==sp)".
CLONE_VFORK does not imply that the existing stack will be
used (a stack for the child can be specified, i think both
glibc and musl do this in posix_spawn).
That also works as a check I think, though it requires the arch to check
for the stack==sp case - I hadn't been aware of the posix_spawn() usage,
the above checks Rick suggested just follow the handling for implicit
allocation we have currently.
  


  
Attachments

  

    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help