Thread (39 messages) 39 messages, 3 authors, 2021-02-15

Re: [PATCH v20 25/25] mm: Introduce PROT_SHSTK for shadow stack

From: Kees Cook <hidden>
Date: 2021-02-10 19:47:22
Also in: linux-api, linux-arch, linux-mm, lkml

On Wed, Feb 10, 2021 at 09:57:03AM -0800, Yu-cheng Yu wrote:
There are three possible options to create a shadow stack allocation API:
an arch_prctl, a new syscall, or adding PROT_SHSTK to mmap()/mprotect().
Each has its advantages and compromises.

An arch_prctl() is the least intrusive.  However, the existing x86
arch_prctl() takes only two parameters.  Multiple parameters must be
passed in a memory buffer.  There is a proposal to pass more parameters in
registers [1], but no active discussion on that.

A new syscall minimizes compatibility issues and offers an extensible frame
work to other architectures, but this will likely result in some overlap of
mmap()/mprotect().

The introduction of PROT_SHSTK to mmap()/mprotect() takes advantage of
existing APIs.  The x86-specific PROT_SHSTK is translated to VM_SHSTK and
a shadow stack mapping is created without reinventing the wheel.  There are
potential pitfalls though.  The most obvious one would be using this as a
bypass to shadow stack protection.  However, the attacker would have to get
to the syscall first.

Since arch_calc_vm_prot_bits() is modified, I have moved arch_vm_get_page
_prot() and arch_calc_vm_prot_bits() to x86/include/asm/mman.h.
This will be more consistent with other architectures.
This portion of the patch seems logically separate from the PROT_SHSTK
implementation. Can you please separate it into its own patch?
[1] https://lore.kernel.org/lkml/20200828121624.108243-1-hjl.tools@gmail.com/ (local)

Signed-off-by: Yu-cheng Yu <redacted>
With that done:

Reviewed-by: Kees Cook <redacted>

-- 
Kees Cook
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help