Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and... | linux-doc

[RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 08/24] mm: Introduce VM_SHSTK for shadow stack memory · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 03/24] x86/fpu/xstate: Enable XSAVES system states · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 10/24] x86/mm: Introduce _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 09/24] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 02/24] x86/fpu/xstate: Change some names to separate XSAVES system and user states · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 23/24] x86/cet/shstk: Add arch_prctl functions for Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Andy Lutomirski <luto@amacapital.net> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Andy Lutomirski <luto@kernel.org> · 2018-08-31
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-09-14
[RFC PATCH v3 14/24] mm: Handle shadow stack page fault · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 20/24] x86/cet/shstk: Signal handling for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 15/24] mm: Handle THP/HugeTLB shadow stack page fault · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 07/24] x86/cet/shstk: Add Kconfig option for user-mode shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 17/24] mm: Introduce do_mmap_locked() · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 13/24] x86/mm: Shadow stack page fault error checking · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Peter Zijlstra <peterz@infradead.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Peter Zijlstra <peterz@infradead.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@amacapital.net> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@amacapital.net> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@kernel.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Randy Dunlap <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
[RFC PATCH v3 11/24] drm/i915/gvt: Update _PAGE_DIRTY to _PAGE_DIRTY_BITS · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Jann Horn <jannh@google.com> · 2018-08-31
Re: [RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Yu-cheng Yu <hidden> · 2018-08-31
[RFC PATCH v3 04/24] x86/fpu/xstate: Add XSAVES system states for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Pavel Machek <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Randy Dunlap <hidden> · 2018-09-03
[RFC PATCH v3 24/24] x86/cet/shstk: Add Shadow Stack instructions to opcode map · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 16/24] mm: Update can_follow_write_pte/pmd for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 01/24] x86/cpufeatures: Add CPUIDs for Control-flow Enforcement Technology (CET) · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 22/24] x86/cet/shstk: Handle thread shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 21/24] x86/cet/shstk: ELF header parsing of Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Balbir Singh <bsingharora@gmail.com> · 2018-09-02
Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Yu-cheng Yu <hidden> · 2018-09-04

Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Jann Horn <jannh@google.com>
Date: 2018-08-30 16:24:17
Also in: linux-api, linux-arch, linux-mm, lkml

On Thu, Aug 30, 2018 at 6:09 PM Dave Hansen [off-list ref] wrote:

On 08/30/2018 08:49 AM, Jann Horn wrote:

quoted

@@ -1203,7 +1203,28 @@ static inline pte_t ptep_get_and_clear_full(struct mm_struct *mm,
 static inline void ptep_set_wrprotect(struct mm_struct *mm,
                                      unsigned long addr, pte_t *ptep)
 {
+       pte_t pte;
+
        clear_bit(_PAGE_BIT_RW, (unsigned long *)&ptep->pte);
+       pte = *ptep;
+
+       /*
+        * Some processors can start a write, but ending up seeing
+        * a read-only PTE by the time they get to the Dirty bit.
+        * In this case, they will set the Dirty bit, leaving a
+        * read-only, Dirty PTE which looks like a Shadow Stack PTE.
+        *
+        * However, this behavior has been improved and will not occur
+        * on processors supporting Shadow Stacks.  Without this
+        * guarantee, a transition to a non-present PTE and flush the
+        * TLB would be needed.
+        *
+        * When change a writable PTE to read-only and if the PTE has
+        * _PAGE_DIRTY_HW set, we move that bit to _PAGE_DIRTY_SW so
+        * that the PTE is not a valid Shadow Stack PTE.
+        */
+       pte = pte_move_flags(pte, _PAGE_DIRTY_HW, _PAGE_DIRTY_SW);
+       set_pte_at(mm, addr, ptep, pte);
 }

I don't understand why it's okay that you first atomically clear the
RW bit, then atomically switch from DIRTY_HW to DIRTY_SW. Doesn't that
mean that between the two atomic writes, another core can incorrectly
see a shadow stack?

Good point.

This could result in a spurious shadow-stack fault, or allow a
shadow-stack write to the page in the transient state.

But, the shadow-stack permissions are more restrictive than what could
be in the TLB at this point, so I don't think there's a real security
implication here.

How about this:

Three threads (A, B, C) run with the same CR3.

1. a dirty+writable PTE is placed directly in front of B's shadow stack.
   (this can happen, right? or is there a guard page?)
2. C's TLB caches the dirty+writable PTE.
3. A performs some syscall that triggers ptep_set_wrprotect().
4. A's syscall calls clear_bit().
5. B's TLB caches the transient shadow stack.
[now C has write access to B's transiently-extended shadow stack]
6. B recurses into the transiently-extended shadow stack
7. C overwrites the transiently-extended shadow stack area.
8. B returns through the transiently-extended shadow stack, giving
    the attacker instruction pointer control in B.
9. A's syscall broadcasts a TLB flush.

Sure, it's not exactly an easy race and probably requires at least
some black timing magic to exploit, if it's exploitable at all - but
still. This seems suboptimal.

The only trouble is handling the spurious shadow-stack fault.  The
alternative is to go !Present for a bit, which we would probably just
handle fine in the existing page fault code.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help