Thread (90 messages) 90 messages, 8 authors, 2024-03-14

Re: [musl] Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace

From: "dalias@libc.org" <dalias@libc.org>
Date: 2024-02-21 14:57:45
Also in: kvmarm, linux-arch, linux-arm-kernel, linux-fsdevel, linux-kselftest, linux-mm, linux-riscv, lkml

On Wed, Feb 21, 2024 at 01:53:10PM +0000, Mark Brown wrote:
On Tue, Feb 20, 2024 at 08:27:37PM -0500, dalias@libc.org wrote:
quoted
On Wed, Feb 21, 2024 at 12:35:48AM +0000, Edgecombe, Rick P wrote:
quoted
quoted
(INCSSP, RSTORSSP, etc). These are a collection of instructions that
allow limited control of the SSP. When shadow stack gets disabled,
these suddenly turn into #UD generating instructions. So any other
threads executing those instructions when shadow stack got disabled
would be in for a nasty surprise.
quoted
This is the kernel's problem if that's happening. It should be
trapping these and returning immediately like a NOP if shadow stack
has been disabled, not generating SIGILL.
I'm not sure that's going to work out well, all it takes is some code
that's looking at the shadow stack and expecting something to happen as
a result of the instructions it's executing and we run into trouble.  A
lot of things won't notice and will just happily carry on but I expect
there are going to be things that care.  We also end up with an
additional state for threads that have had shadow stacks transparently
disabled, that's managable but still.
I said NOP but there's no reason it strictly needs to be a NOP. It
could instead do something reasonable to convey the state of racing
with shadow stack being disabled.
quoted
quoted
quoted
The place where it's really needed to be able to allocate the shadow
stack synchronously under userspace control, in order to harden
normal
applications that aren't doing funny things, is in pthread_create
without a caller-provided stack.
quoted
quoted
Yea most apps don't do anything too tricky. Mostly shadow stack "just
works". But it's no excuse to just crash for the others.
quoted
One thing to note here is that, to enable this, we're going to need
some way to detect "new enough kernel that shadow stack semantics are
all right". If there are kernels that have shadow stack support but
with problems that make it unsafe to use (this sounds like the case),
we can't turn it on without a way to avoid trying to use it on those.
If we have this automatic conversion of pages to shadow stack then we
should have an API for enabling it, userspace should be able to use the
presence of that API to determine if the feature is there.
Yes, or if a new prctl is needed to make disabling safe (see above)
that could probably be used.

Rich
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help