From: Andy Lutomirski
Date: Mon, 25 Jun 2018 22:26:57 -0700
Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3)
To: Yu-cheng Yu, Linux API, Jann Horn, Florian Weimer
Cc: LKML, linux-doc@vger.kernel.org, Linux-MM, linux-arch, X86 ML, "H. Peter Anvin", Thomas Gleixner, Ingo Molnar, "H. J. Lu", "Shanbhogue, Vedvyas", "Ravi V. Shankar", Dave Hansen, Jonathan Corbet, Oleg Nesterov, Arnd Bergmann, mike.kravetz@oracle.com
In-Reply-To: <20180607143807.3611-1-yu-cheng.yu@intel.com>
References: <20180607143807.3611-1-yu-cheng.yu@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrote:
>
> This series introduces CET - Shadow stack

I think you should add some mitigation against sigreturn-oriented programming. How about creating some special token on the shadow stack that indicates the presence of a signal frame at a particular address when delivering a signal and verifying and popping that token in sigreturn? The token could be literally the address of the signal frame, and you could make this unambiguous by failing sigreturn if CET is on and the signal frame is in executable memory.

IOW, it would be a shame if sigreturn() itself became a convenient CET-bypassing gadget.

--Andy
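To make the proposed check concrete, here is an added toy model of the token scheme (editor's example, not kernel code and not from Andy or the CET series): signal delivery pushes the signal frame's address onto the shadow stack as the token, sigreturn verifies and pops it, and a frame in executable memory is always rejected so a CALL's return address can never pass as a token. The memory map, shadow-stack depth and all addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SHSTK_DEPTH 16

/* Toy shadow stack: holds return addresses pushed by CALL and, under the
 * proposed scheme, signal-frame tokens pushed by signal delivery. */
struct shstk { uint64_t slot[SHSTK_DEPTH]; size_t top; };

/* Constructed memory map (assumption for the model): one executable text
 * region; everything else, including the user stack, is non-executable. */
static bool in_executable_memory(uint64_t addr) {
    return addr >= 0x400000ULL && addr < 0x500000ULL;
}

static bool shstk_push(struct shstk *ss, uint64_t v) {
    if (ss->top >= SHSTK_DEPTH) return false;
    ss->slot[ss->top++] = v;
    return true;
}

/* Signal delivery: the kernel has laid out the frame at `frame` on the user
 * stack; the token it pushes is literally that address. */
static bool deliver_signal(struct shstk *ss, uint64_t frame) {
    return shstk_push(ss, frame);
}

/* sigreturn: `frame` is the address the syscall is asked to restore from.
 * Return addresses always live in executable memory, so rejecting frames
 * there keeps tokens and return addresses unambiguous. */
static bool sigreturn_check(struct shstk *ss, uint64_t frame, bool cet_on) {
    if (!cet_on) return true;                   /* legacy behaviour, no check */
    if (in_executable_memory(frame)) return false;
    if (ss->top == 0) return false;             /* no signal was ever delivered */
    if (ss->slot[ss->top - 1] != frame) return false; /* top is not this frame's token */
    ss->top--;                                  /* pop the token */
    return true;
}

int main(void) {
    struct shstk ss = {0};
    /* A genuine signal: delivered, then returned through the matching frame. */
    deliver_signal(&ss, 0x7ffd0000ULL);
    printf("genuine sigreturn: %s\n", sigreturn_check(&ss, 0x7ffd0000ULL, true) ? "ok" : "rejected");
    /* A forged frame with no delivery: only a CALL's return address is on top. */
    shstk_push(&ss, 0x401000ULL);
    printf("forged sigreturn:  %s\n", sigreturn_check(&ss, 0x7ffd0100ULL, true) ? "ok" : "rejected");
    return 0;
}
```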