Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors

[PATCH v6 00/41] Shadow stacks for userspace · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 01/41] Documentation/x86: Add CET shadow stack description · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 02/41] x86/shstk: Add Kconfig option for shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 03/41] x86/cpufeatures: Add CPU feature flags for shadow stacks · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 04/41] x86/cpufeatures: Enable CET CR4 bit for shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 05/41] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 06/41] x86/fpu: Add helper for modifying xstate · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 07/41] x86: Move control protection handler to separate file · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 09/41] x86/mm: Remove _PAGE_DIRTY from kernel RO pages · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 08/41] x86/shstk: Add user control-protection fault handler · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 10/41] x86/mm: Move pmd_write(), pud_write() up in the file · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 11/41] mm: Introduce pte_mkwrite_kernel() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 11/41] mm: Introduce pte_mkwrite_kernel() · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 11/41] mm: Introduce pte_mkwrite_kernel() · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 11/41] mm: Introduce pte_mkwrite_kernel() · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 11/41] mm: Introduce pte_mkwrite_kernel() · Deepak Gupta <hidden> · 2023-03-01
[PATCH v6 12/41] s390/mm: Introduce pmd_mkwrite_kernel() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 12/41] s390/mm: Introduce pmd_mkwrite_kernel() · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 12/41] s390/mm: Introduce pmd_mkwrite_kernel() · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 12/41] s390/mm: Introduce pmd_mkwrite_kernel() · Heiko Carstens <hca@linux.ibm.com> · 2023-02-23
Re: [PATCH v6 12/41] s390/mm: Introduce pmd_mkwrite_kernel() · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-23
[PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · Michael Ellerman <mpe@ellerman.id.au> · 2023-02-20
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 13/41] mm: Make pte_mkwrite() take a VMA · Deepak Gupta <hidden> · 2023-03-01
[PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · David Hildenbrand <hidden> · 2023-02-21
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-21
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Dave Hansen <hidden> · 2023-02-21
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · David Hildenbrand <hidden> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Dave Hansen <hidden> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · David Hildenbrand <hidden> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Kees Cook <kees@kernel.org> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Dave Hansen <hidden> · 2023-02-22
Re: [PATCH v6 14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY · Kees Cook <hidden> · 2023-02-22
[PATCH v6 15/41] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 16/41] x86/mm: Start actually marking _PAGE_SAVED_DIRTY · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 17/41] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory · David Hildenbrand <hidden> · 2023-02-21
Re: [PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory · Deepak Gupta <hidden> · 2023-02-22
[PATCH v6 19/41] x86/mm: Check shadow stack page fault errors · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-22
Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors · David Hildenbrand <hidden> · 2023-02-23
[PATCH v6 20/41] x86/mm: Teach pte_mkwrite() about stack memory · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 20/41] x86/mm: Teach pte_mkwrite() about stack memory · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 20/41] x86/mm: Teach pte_mkwrite() about stack memory · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 20/41] x86/mm: Teach pte_mkwrite() about stack memory · Deepak Gupta <hidden> · 2023-03-01
[PATCH v6 21/41] mm: Add guard pages around a shadow stack. · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 22/41] mm/mmap: Add shadow stack pages to memory accounting · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 22/41] mm/mmap: Add shadow stack pages to memory accounting · David Hildenbrand <hidden> · 2023-02-20
Re: [PATCH v6 22/41] mm/mmap: Add shadow stack pages to memory accounting · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 22/41] mm/mmap: Add shadow stack pages to memory accounting · David Hildenbrand <hidden> · 2023-02-21
Re: [PATCH v6 22/41] mm/mmap: Add shadow stack pages to memory accounting · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-22
[PATCH v6 23/41] mm: Re-introduce vm_flags to do_mmap() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 24/41] mm: Don't allow write GUPs to shadow stack memory · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 24/41] mm: Don't allow write GUPs to shadow stack memory · David Hildenbrand <hidden> · 2023-02-21
Re: [PATCH v6 24/41] mm: Don't allow write GUPs to shadow stack memory · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-21
[PATCH v6 25/41] x86/mm: Introduce MAP_ABOVE4G · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 25/41] x86/mm: Introduce MAP_ABOVE4G · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 25/41] x86/mm: Introduce MAP_ABOVE4G · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
[PATCH v6 26/41] mm: Warn on shadow stack memory in wrong vma · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
[PATCH v6 28/41] x86: Introduce userspace API for shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 28/41] x86: Introduce userspace API for shadow stack · Borislav Petkov <bp@alien8.de> · 2023-02-24
Re: [PATCH v6 28/41] x86: Introduce userspace API for shadow stack · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-24
Re: [PATCH v6 28/41] x86: Introduce userspace API for shadow stack · Borislav Petkov <bp@alien8.de> · 2023-02-28
Re: [PATCH v6 28/41] x86: Introduce userspace API for shadow stack · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-28
[PATCH v6 29/41] x86/shstk: Add user-mode shadow stack support · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 29/41] x86/shstk: Add user-mode shadow stack support · Borislav Petkov <bp@alien8.de> · 2023-02-24
Re: [PATCH v6 29/41] x86/shstk: Add user-mode shadow stack support · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-24
Re: [PATCH v6 29/41] x86/shstk: Add user-mode shadow stack support · Borislav Petkov <bp@alien8.de> · 2023-02-24
[PATCH v6 30/41] x86/shstk: Handle thread shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 31/41] x86/shstk: Introduce routines modifying shstk · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 32/41] x86/shstk: Handle signals for shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 33/41] x86/shstk: Introduce map_shadow_stack syscall · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 33/41] x86/shstk: Introduce map_shadow_stack syscall · Deepak Gupta <hidden> · 2023-02-23
Re: [PATCH v6 33/41] x86/shstk: Introduce map_shadow_stack syscall · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-23
Re: [PATCH v6 33/41] x86/shstk: Introduce map_shadow_stack syscall · Deepak Gupta <hidden> · 2023-02-23
Re: [PATCH v6 33/41] x86/shstk: Introduce map_shadow_stack syscall · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-23
[PATCH v6 34/41] x86/shstk: Support WRSS for userspace · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 35/41] x86: Expose thread features in /proc/$PID/status · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 36/41] x86/shstk: Wire in shadow stack interface · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 38/41] x86/fpu: Add helper for initing features · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 38/41] x86/fpu: Add helper for initing features · Kees Cook <hidden> · 2023-02-19
[PATCH v6 37/41] selftests/x86: Add shadow stack test · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · Kees Cook <hidden> · 2023-02-19
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · David Hildenbrand <hidden> · 2023-02-21
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-21
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · Borislav Petkov <bp@alien8.de> · 2023-02-23
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-23
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · Borislav Petkov <bp@alien8.de> · 2023-02-24
Re: [PATCH v6 37/41] selftests/x86: Add shadow stack test · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-24
[PATCH v6 39/41] x86: Add PTRACE interface for shadow stack · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
[PATCH v6 41/41] x86/shstk: Add ARCH_SHSTK_STATUS · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2023-02-18
Re: [PATCH v6 00/41] Shadow stacks for userspace · Kees Cook <hidden> · 2023-02-20
Re: [PATCH v6 00/41] Shadow stacks for userspace · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 00/41] Shadow stacks for userspace · Mike Rapoport <rppt@kernel.org> · 2023-02-20
Re: [PATCH v6 00/41] Shadow stacks for userspace · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-20
Re: [PATCH v6 00/41] Shadow stacks for userspace · John Allen <john.allen@amd.com> · 2023-02-20
Re: [PATCH v6 00/41] Shadow stacks for userspace · Pengfei Xu <hidden> · 2023-02-21
Re: [PATCH v6 00/41] Shadow stacks for userspace · Borislav Petkov <bp@alien8.de> · 2023-02-22
Re: [PATCH v6 00/41] Shadow stacks for userspace · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-02-22

From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Date: 2023-02-22 23:07:55
Also in: linux-api, linux-arch, linux-mm, lkml

On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote:

quoted

   
+     /*
+      * When a page becomes COW it changes from a shadow stack
permission
+      * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1),
which is simply
+      * read-only to the CPU. When shadow stack is enabled, a RET
would
+      * normally pop the shadow stack by reading it with a "shadow
stack
+      * read" access. However, in the COW case the shadow stack
memory does
+      * not have shadow stack permissions, it is read-only. So it
will
+      * generate a fault.
+      *
+      * For conventionally writable pages, a read can be serviced
with a
+      * read only PTE, and COW would not have to happen. But for
shadow
+      * stack, there isn't the concept of read-only shadow stack
memory.
+      * If it is shadow stack permission, it can be modified via
CALL and
+      * RET instructions. So COW needs to happen before any memory
can be
+      * mapped with shadow stack permissions.
+      *
+      * Shadow stack accesses (read or write) need to be serviced
with
+      * shadow stack permission memory, so in the case of a shadow
stack
+      * read access, treat it as a WRITE fault so both COW will
happen and
+      * the write fault path will tickle maybe_mkwrite() and map
the memory
+      * shadow stack.
+      */

Again, I suggest dropping all details about COW from this comment
and 
from the patch description. It's just one such case that can happen.

Hi David,

I was just trying to edit this one to drop COW details, but I think in
this case, one of the major reasons for the code *is* actually COW. We
are not working around the whole inadvertent shadow stack memory piece
here, but something else: Making sure shadow stack memory is faulted in
and doing COW if required to make this possible. I came up with this,
does it seem better?


/*
 * For conventionally writable pages, a read can be serviced with a
 *
read only PTE. But for shadow stack, there isn't a concept of
 * read-
only shadow stack memory. If it a PTE has the shadow stack
 *
permission, it can be modified via CALL and RET instructions. So
 * core
MM needs to fault in a writable PTE and do things it already
 * does for
write faults.
 *
 * Shadow stack accesses (read or write) need to be
serviced with
 * shadow stack permission memory, so in the case of a
shadow stack
 * read access, treat it as a WRITE fault so both any
required COW will
 * happen and the write fault path will tickle
maybe_mkwrite() and map
 * the memory shadow stack.
 */



Thanks,
Rick

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help