Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp279446imm; Wed, 11 Jul 2018 02:13:56 -0700 (PDT) X-Google-Smtp-Source: AAOMgpd2dwNQeX78P6mSgRsjevOJ7e9KsTiQM4ZdW7g4qhPind8q+gAtV2WDrt8E4vdLsN0vUMM1 X-Received: by 2002:a17:902:28a6:: with SMTP id f35-v6mr27844900plb.110.1531300436449; Wed, 11 Jul 2018 02:13:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531300436; cv=none; d=google.com; s=arc-20160816; b=Qf/zpgKBVZSAKL5dU510qV7ZKHMhBgTY4mpW1eYSm/IYjIE5khBoP+EyyEcjFRk+DR v5nzboy84m0/y84XxbjwLAIkwwQCGY5SLFy5BHQiVdePmrHc8efxvMddpqnPDiTj1saS 6hJGE4F5ze1lJwhTgkxv/9nrH1OKRgAxkbez9t08pHFPKZAF2mcUxQJwDfpQTsD8T7Q4 0WjSxLF1IwOzGMJ6XT1qdMboESt/5Fgt50Oxn8TOg2Ehh+69hLmKJhMdb8ve3Xk7b9Nc HDeB2ZUxvEBYS+2HKX5ANJnsClzEifzBukIDUkKeNdYeVSpO7ulNz2WUtA3/cq4cOncd JgTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=V70Dcordknmgk0HmEDzEZsFCiABvqy1N1KLguVpmJu0=; b=KFQTxUiWqlFUyOwcmJNdJLnM9jBdGLXVnaNmu6PMT7ZZDF6D6RVS4wEcjDZAkpSrqJ wni+RtRuRXVHJB4wj5wehA+IQvjyUV7E/DQhulPslnSs5YxPMfnMLnAs3nXms4+tvCJg DP3e8G3aqIk8XpA+jmliXCZBuXclAO6uGf2yrvbBSq6mAtBm4O0UUeTUIztFBTcP2wxt BHn7ab9P0EhBcxr8syXCHB3bv46L9VLDxRx1PMB0C5z/3zd/mays/wvfddoC2/zD09rd VDhvob73NP5N4YJ0NECsYZSI0GP2R6Y/UEASTy+WctreD65oM1l8bPn6CVGKLnsAy/cf wvdw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=ghTyBpie; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j33-v6si12466797pgm.584.2018.07.11.02.13.19; Wed, 11 Jul 2018 02:13:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=ghTyBpie; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732350AbeGKJQA (ORCPT + 99 others); Wed, 11 Jul 2018 05:16:00 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:36642 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726398AbeGKJQA (ORCPT ); Wed, 11 Jul 2018 05:16:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=V70Dcordknmgk0HmEDzEZsFCiABvqy1N1KLguVpmJu0=; b=ghTyBpieehW3H6dhM9eWLkGm4 Y5kwyjCkKgajb1nYaNmrSKbLo+KgK173ssnAuRTcMlWE7LOVOuU0099RbDGVw06mtdBX+12hoEDC4 LHdh+lJhyU+1cFT7Y64sQZI1nf6MRker7qg20w4PEwhC8SXqhr6TqpgKAsmYBkZxsouqR99qyhdjm rZRs2/bnvUNOz/UcePQDftQcGgUzAMSlWrRueQ/xRAmRy8+xz0xsohCWPNJ+7q99UzJrm/luyxWng 5rKlOy2t+tTu7OmmBx62doqfZi0vwJQEuBPyabtSVAuSCXtUsTox2IxEaojgi41iddE9EPnSFU/ag j7Bk/2Ufw==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by bombadil.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1fdBAo-0005ex-37; Wed, 11 Jul 2018 09:12:34 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 8ABDC20291063; Wed, 11 Jul 2018 11:12:32 +0200 (CEST) Date: Wed, 11 Jul 2018 11:12:32 +0200 From: Peter Zijlstra To: Dave Hansen Cc: Yu-cheng Yu , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , "Ravi V. Shankar" , Vedvyas Shanbhogue Subject: Re: [RFC PATCH v2 15/27] mm/mprotect: Prevent mprotect from changing shadow stack Message-ID: <20180711091232.GU2476@hirez.programming.kicks-ass.net> References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-16-yu-cheng.yu@intel.com> <04800c52-1f86-c485-ba7c-2216d8c4966f@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <04800c52-1f86-c485-ba7c-2216d8c4966f@linux.intel.com> User-Agent: Mutt/1.10.0 (2018-05-17) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 10, 2018 at 04:10:08PM -0700, Dave Hansen wrote: > On 07/10/2018 03:26 PM, Yu-cheng Yu wrote: > > Signed-off-by: Yu-cheng Yu > > This still needs a changelog, even if you think it's simple. > > --- a/mm/mprotect.c > > +++ b/mm/mprotect.c > > @@ -446,6 +446,15 @@ static int do_mprotect_pkey(unsigned long start, size_t len, > > error = -ENOMEM; > > if (!vma) > > goto out; > > + > > + /* > > + * Do not allow changing shadow stack memory. > > + */ > > + if (vma->vm_flags & VM_SHSTK) { > > + error = -EINVAL; > > + goto out; > > + } > > + > > I think this is a _bit_ draconian. Why shouldn't we be able to use > protection keys with a shadow stack? Or, set it to PROT_NONE? Right, and then there's also madvise() and some of the other accessors. Why do we need to disallow this? AFAICT the worst that can happen is that a process wrecks itself, so what?