Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and... | linux-doc

[RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 08/24] mm: Introduce VM_SHSTK for shadow stack memory · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 03/24] x86/fpu/xstate: Enable XSAVES system states · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 10/24] x86/mm: Introduce _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 09/24] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 02/24] x86/fpu/xstate: Change some names to separate XSAVES system and user states · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 23/24] x86/cet/shstk: Add arch_prctl functions for Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Andy Lutomirski <luto@amacapital.net> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Andy Lutomirski <luto@kernel.org> · 2018-08-31
Re: [RFC PATCH v3 19/24] x86/cet/shstk: Introduce WRUSS instruction · Yu-cheng Yu <hidden> · 2018-09-14
[RFC PATCH v3 14/24] mm: Handle shadow stack page fault · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 18/24] x86/cet/shstk: User-mode shadow stack support · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 20/24] x86/cet/shstk: Signal handling for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 15/24] mm: Handle THP/HugeTLB shadow stack page fault · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 07/24] x86/cet/shstk: Add Kconfig option for user-mode shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 17/24] mm: Introduce do_mmap_locked() · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 13/24] x86/mm: Shadow stack page fault error checking · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Jann Horn <jannh@google.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Peter Zijlstra <peterz@infradead.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Peter Zijlstra <peterz@infradead.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-09-14
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@amacapital.net> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@amacapital.net> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Andy Lutomirski <luto@kernel.org> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Randy Dunlap <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW · Dave Hansen <dave.hansen@linux.intel.com> · 2018-08-31
[RFC PATCH v3 11/24] drm/i915/gvt: Update _PAGE_DIRTY to _PAGE_DIRTY_BITS · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Jann Horn <jannh@google.com> · 2018-08-31
Re: [RFC PATCH v3 06/24] x86/cet: Control protection exception handler · Yu-cheng Yu <hidden> · 2018-08-31
[RFC PATCH v3 04/24] x86/fpu/xstate: Add XSAVES system states for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Pavel Machek <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Yu-cheng Yu <hidden> · 2018-09-14
Re: [RFC PATCH v3 05/24] Documentation/x86: Add CET description · Randy Dunlap <hidden> · 2018-09-03
[RFC PATCH v3 24/24] x86/cet/shstk: Add Shadow Stack instructions to opcode map · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 16/24] mm: Update can_follow_write_pte/pmd for shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 01/24] x86/cpufeatures: Add CPUIDs for Control-flow Enforcement Technology (CET) · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 22/24] x86/cet/shstk: Handle thread shadow stack · Yu-cheng Yu <hidden> · 2018-08-30
[RFC PATCH v3 21/24] x86/cet/shstk: ELF header parsing of Shadow Stack · Yu-cheng Yu <hidden> · 2018-08-30
Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Balbir Singh <bsingharora@gmail.com> · 2018-09-02
Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack · Yu-cheng Yu <hidden> · 2018-09-04

Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Jann Horn <jannh@google.com>
Date: 2018-08-30 21:47:46
Also in: linux-api, linux-arch, linux-mm, lkml

On Thu, Aug 30, 2018 at 11:01 PM Jann Horn [off-list ref] wrote:

On Thu, Aug 30, 2018 at 10:57 PM Yu-cheng Yu [off-list ref] wrote:

quoted

On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote:

quoted

On Thu, Aug 30, 2018 at 10:25 PM Yu-cheng Yu [off-list ref]
wrote:

...

quoted

In the flow you described, if C writes to the overflow page before
B
gets in with a 'call', the return address is still correct for
B.  To
make an attack, C needs to write again before the TLB flush.  I
agree
that is possible.

Assume we have a guard page, can someone in the short window do
recursive calls in B, move ssp to the end of the guard page, and
trigger the same again?  He can simply take the incssp route.

I don't understand what you're saying. If the shadow stack is
between
guard pages, you should never be able to move SSP past that area's
guard pages without an appropriate shadow stack token (not even with
INCSSP, since that has a maximum range of PAGE_SIZE/2), and
therefore,
it shouldn't matter whether memory outside that range is incorrectly
marked as shadow stack. Am I missing something?

INCSSP has a range of 256, but we can do multiple of that.
But I realize the key is not to have the transient SHSTK page at all.
The guard page is !pte_write() and even we have flaws in
ptep_set_wrprotect(), there will not be any transient SHSTK pages. I
will add guard pages to both ends.

Still thinking how to fix ptep_set_wrprotect().

cmpxchg loop? Or is that slow?

Something like this:

static inline void ptep_set_wrprotect(struct mm_struct *mm,
                                      unsigned long addr, pte_t *ptep)
{
        pte_t pte = READ_ONCE(*ptep), new_pte;

        /* ... your comment about not needing a TLB shootdown here ... */
        do {
                pte = pte_wrprotect(pte);
                /* note: relies on _PAGE_DIRTY_HW < _PAGE_DIRTY_SW */
                /* dirty direct bit-twiddling; you can probably write
this in a nicer way */
                pte.pte |= (pte.pte & _PAGE_DIRTY_HW) >>
_PAGE_BIT_DIRTY_HW << _PAGE_BIT_DIRTY_SW;
                pte.pte &= ~_PAGE_DIRTY_HW;
                pte = cmpxchg(ptep, pte, new_pte);
        } while (pte != new_pte);
}

I think this has the advantage of not generating weird spurious pagefaults.
It's not compatible with Xen PV, but I'm guessing that this whole
feature isn't going to support Xen PV anyway? So you could switch
between two implementations of ptep_set_wrprotect using the pvop
mechanism or so - one for environments that support shadow stacks, one
for all other environments.
Or is there some arcane reason why cmpxchg doesn't work here the way I
think it should?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help