Thread (98 messages) 98 messages, 13 authors, 2018-06-26

Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack

From: Andy Lutomirski <luto@kernel.org>
Date: 2018-06-07 21:01:39
Also in: linux-arch, linux-mm, lkml 

On Thu, Jun 7, 2018 at 1:33 PM Yu-cheng Yu [off-list ref] wrote:
On Thu, 2018-06-07 at 11:48 -0700, Andy Lutomirski wrote:
quoted
On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu [off-list ref] wrote:
quoted
The following operations are provided.

ARCH_CET_STATUS:
        return the current CET status

ARCH_CET_DISABLE:
        disable CET features

ARCH_CET_LOCK:
        lock out CET features

ARCH_CET_EXEC:
        set CET features for exec()

ARCH_CET_ALLOC_SHSTK:
        allocate a new shadow stack

ARCH_CET_PUSH_SHSTK:
        put a return address on shadow stack

ARCH_CET_ALLOC_SHSTK and ARCH_CET_PUSH_SHSTK are intended only for
the implementation of GLIBC ucontext related APIs.
Please document exactly what these all do and why.  I don't understand
what purpose ARCH_CET_LOCK and ARCH_CET_EXEC serve.  CET is opt in for
each ELF program, so I think there should be no need for a magic
override.
CET is initially enabled if the loader has CET capability.  Then the
loader decides if the application can run with CET.  If the application
cannot run with CET (e.g. a dependent library does not have CET), then
the loader turns off CET before passing to the application.  When the
loader is done, it locks out CET and the feature cannot be turned off
anymore until the next exec() call.
Why is the lockout necessary?  If user code enables CET and tries to
run code that doesn't support CET, it will crash.  I don't see why we
need special code in the kernel to prevent a user program from calling
arch_prctl() and crashing itself.  There are already plenty of ways to
do that :)

When the next exec() is called, CET
feature is turned on/off based on the values set by ARCH_CET_EXEC.
And why do we need ARCH_CET_EXEC?

For background, I really really dislike adding new state that persists
across exec().  It's nice to get as close to a clean slate as possible
after exec() so that programs can run in a predictable environment.
exec() is also a security boundary, and anything a task can do to
affect itself after exec() needs to have its security implications
considered very carefully.  (As a trivial example, you should not be
able to use cetcmd ... sudo [malicious options here] to cause sudo to
run with CET off and then try to exploit it via the malicious options.

If a shutoff is needed for testing, how about teaching ld.so to parse
LD_CET=no or similar and protect it the same way as LD_PRELOAD is
protected.  Or just do LD_PRELOAD=/lib/libdoesntsupportcet.so.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help