Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5785514imm; Tue, 12 Jun 2018 13:19:28 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLDYINagiTOslyr7eFpgPU2RE56hpMjJyYr8VkrEpI80ZIKKRALbhoZKbEhxSirqQgY2VVn X-Received: by 2002:a63:b147:: with SMTP id g7-v6mr1518727pgp.379.1528834768703; Tue, 12 Jun 2018 13:19:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528834768; cv=none; d=google.com; s=arc-20160816; b=JVHdFeZeltq4647oCTT18b+Pv3xDjlcPi1SYVV0oUjRXyvH1kNsQ2Hhd8X+P3te+PL uBEcU0TRagYQv4XgFmMpar2ArodTl3Kch+ByFM9BrMn/qeJbp95HcG/rwztsUi93eUZK lTfGHuYBJ42TZ5CdlvQPhKhnIqnj+YoEh5N7qtg/6REs5GzphtRNuZ0ocVhvxWpAmKkJ 4jEQhhF70O13Te9RNq3J64taxqnPqY57NuQAGeVvv+rGkd92X2q952PMWUY5btfD2hFp UTCkviKLZiIoFccQgcgI+0rTOsikVoiDpvP8/VUkonbt/Q5QjgUVQhlesUPf0N8Y5a62 IGZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=PXvgawnMj8506HYaqTCJqldG4+wvX3Wd7VjzFWTPLJI=; b=g4n9fvlo5ytwtcF26FsUsMzVdJ7WYegPQzWQIAfubrLcQ8SRsHdO7naqiyavIJ749J MsgTvTJ4tSAEiwXgrHqF0r46oJ/akepeBOq5deuLZxc4eHBBm/+7JKbP2AFVhp6ItE7Z CE2pT3az/0UwJviwpXgi4dTjHjaCTeo2JZjC0PMQzMQ9jxua0O3JHE0ciQJp+zbh5aUy y5vWLjP/3gzw3NU0omgPNp4Cf4icH+e1F2nUIaSPMZk363ylsu9U18LqwTm3vs5W+pC7 tc64+nkG1lbxm9kOaWr0uNkrfGxeElZuFckOLLDXZSlCHDw3xSQjWT41KlhGKX5s5Ny7 H6Rg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d11-v6si720203pgn.563.2018.06.12.13.19.13; Tue, 12 Jun 2018 13:19:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933609AbeFLUSt (ORCPT + 99 others); Tue, 12 Jun 2018 16:18:49 -0400 Received: from mga18.intel.com ([134.134.136.126]:40916 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932823AbeFLUSr (ORCPT ); Tue, 12 Jun 2018 16:18:47 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Jun 2018 13:18:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,216,1526367600"; d="scan'208";a="236601496" Received: from 2b52.sc.intel.com (HELO [143.183.136.147]) ([143.183.136.147]) by fmsmga005.fm.intel.com with ESMTP; 12 Jun 2018 13:18:46 -0700 Message-ID: <1528834538.9849.13.camel@2b52.sc.intel.com> Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) From: Yu-cheng Yu To: Andy Lutomirski Cc: bsingharora@gmail.com, LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Date: Tue, 12 Jun 2018 13:15:38 -0700 In-Reply-To: <1528824280.9447.30.camel@2b52.sc.intel.com> References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <1528815820.8271.16.camel@2b52.sc.intel.com> <1528820489.9324.14.camel@2b52.sc.intel.com> <1528824280.9447.30.camel@2b52.sc.intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2018-06-12 at 10:24 -0700, Yu-cheng Yu wrote: > On Tue, 2018-06-12 at 09:31 -0700, Andy Lutomirski wrote: > > On Tue, Jun 12, 2018 at 9:24 AM Yu-cheng Yu wrote: > > > > > > On Tue, 2018-06-12 at 09:00 -0700, Andy Lutomirski wrote: > > > > On Tue, Jun 12, 2018 at 8:06 AM Yu-cheng Yu wrote: > > > > > > > > > > On Tue, 2018-06-12 at 20:56 +1000, Balbir Singh wrote: > > > > > > > > > > > > On 08/06/18 00:37, Yu-cheng Yu wrote: > > > > > > > This series introduces CET - Shadow stack > > > > > > > > > > > > > > At the high level, shadow stack is: > > > > > > > > > > > > > > Allocated from a task's address space with vm_flags VM_SHSTK; > > > > > > > Its PTEs must be read-only and dirty; > > > > > > > Fixed sized, but the default size can be changed by sys admin. > > > > > > > > > > > > > > For a forked child, the shadow stack is duplicated when the next > > > > > > > shadow stack access takes place. > > > > > > > > > > > > > > For a pthread child, a new shadow stack is allocated. > > > > > > > > > > > > > > The signal handler uses the same shadow stack as the main program. > > > > > > > > > > > > > > > > > > > Even with sigaltstack()? > > > > > > > > > > > > > > > > > > Balbir Singh. > > > > > > > > > > Yes. > > > > > > > > > > > > > I think we're going to need some provision to add an alternate signal > > > > stack to handle the case where the shadow stack overflows. > > > > > > The shadow stack stores only return addresses; its consumption will not > > > exceed a percentage of (program stack size + sigaltstack size) before > > > those overflow. When that happens, there is usually very little we can > > > do. So we set a default shadow stack size that supports certain nested > > > calls and allow sys admin to adjust it. > > > > > > > Of course there's something you can do: add a sigaltstack-like stack > > switching mechanism. Have a reserve shadow stack and, when a signal > > is delivered (possibly guarded by other conditions like "did the > > shadow stack overflow"), switch to a new shadow stack and maybe write > > a special token to the new shadow stack that says "signal delivery > > jumped here and will restore to the previous shadow stack and > > such-and-such address on return". > > If (shstk size == (stack size + sigaltstack size)), then shstk will not > overflow before program stack overflows and sigaltstack also overflows. > > Let me think about this. The reserve shadow stack will help only when the shstk overflows but signal stack/sigaltstack still has room and we can deliver a signal. If the shstk is large enough to cover any nested calls that will overflow both the program stack and sigaltstack then we don't need a reserve shstk. We can estimate how big the shstk needs to be; in the worst case it should not be greater than (program stack size + sigaltstack size). The default shstk size we choose pass all signal tests in GLIBC. In case there is a need to increase it for a very large RLIMIT_STACK or very large sigaltstack, the sys admin can increase the default shstk size. Yu-cheng