Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp152609imm; Thu, 30 Aug 2018 10:31:48 -0700 (PDT) X-Google-Smtp-Source: ANB0VdY/EU29Bs1qIDg7mYdeUUb1aIRBoR/WC1yVBQ+SobxhbEnYc+Y/mGfeA9QHLqBylyDkzn2W X-Received: by 2002:a63:4283:: with SMTP id p125-v6mr10693376pga.142.1535650308137; Thu, 30 Aug 2018 10:31:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535650308; cv=none; d=google.com; s=arc-20160816; b=lgj+C8VuvbSPyRe40Rehaca1pYn5wYz47cIB9/A7/BJVMyKJKoxnmaThTL44D4tOf5 x4Z6tkd1x5tQKjQmWwX+5c8tABVQzxqW2uzmmWoxIfGbVK2Cty8L0spGD6CO3oFe6qKZ YnK0EEBnq1JRmW0dFKBypEehfmh/o6CIHzS1bng5buq4oGMIXvEh867F3+B8X7hBwdz2 rKIU8SAMzEBvtlikPOWXrgwhLRCkrQeKEhzxs4+FjFCnZBQgRGTNQrO44kSgtwoye9/k zyKAAwO1A7isY3dgWchc7D1gWsVy+WH1bUZkpgWoJEn85ZVtsMFABGF1FjzXanclCXW3 MJRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=6H/nzFgmDAEK38QQbc8B/FnvJP2ryIeGK5q2clt6ccI=; b=H9maTUvzqzgumiOqrtxBrZSO0D3Ia32Q7fTeOJwRhw5LbOXJ5pR438KeFQxhDwI/fF Nz047PueE61Getd7q/4wwEWW0N/bctvOn04iAq2Fh0aCBaq/BTkM1wMe1GoqjNbKUnUa Yu9jKQKOB7wGPzcBIoi95T+tc8gTfnDmMP48i+NGBC1kL5Ozq+TILPgk9A1SPsD8gu0W MNkKKzjDB5P1UEucgvmtBdL0qwIsGTIk14jhsZ5kuNVH/VudV8OKTHbcCVegF7GwUuJZ 2+xvgInC01rf29Lu6tjOzoAW/KeLJQGuoDmtDbmYUeDm9xtvjE88dnL0FhDBqsuKWigt lquA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l134-v6si7062553pga.196.2018.08.30.10.31.32; Thu, 30 Aug 2018 10:31:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727233AbeH3Vdk (ORCPT + 99 others); Thu, 30 Aug 2018 17:33:40 -0400 Received: from mga09.intel.com ([134.134.136.24]:38823 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726235AbeH3Vdk (ORCPT ); Thu, 30 Aug 2018 17:33:40 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Aug 2018 10:30:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,307,1531810800"; d="scan'208";a="86311975" Received: from 2b52.sc.intel.com ([143.183.136.52]) by orsmga001.jf.intel.com with ESMTP; 30 Aug 2018 10:30:15 -0700 Message-ID: <1535649960.26689.15.camel@intel.com> Subject: Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW From: Yu-cheng Yu To: Dave Hansen , Jann Horn Cc: the arch/x86 maintainers , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Date: Thu, 30 Aug 2018 10:26:00 -0700 In-Reply-To: References: <20180830143904.3168-1-yu-cheng.yu@intel.com> <20180830143904.3168-13-yu-cheng.yu@intel.com> <079a55f2-4654-4adf-a6ef-6e480b594a2f@linux.intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-08-30 at 10:19 -0700, Dave Hansen wrote: > On 08/30/2018 09:23 AM, Jann Horn wrote: > > > > Three threads (A, B, C) run with the same CR3. > > > > 1. a dirty+writable PTE is placed directly in front of B's shadow > > stack. > >    (this can happen, right? or is there a guard page?) > > 2. C's TLB caches the dirty+writable PTE. > > 3. A performs some syscall that triggers ptep_set_wrprotect(). > > 4. A's syscall calls clear_bit(). > > 5. B's TLB caches the transient shadow stack. > > [now C has write access to B's transiently-extended shadow stack] > > 6. B recurses into the transiently-extended shadow stack > > 7. C overwrites the transiently-extended shadow stack area. > > 8. B returns through the transiently-extended shadow stack, giving > >     the attacker instruction pointer control in B. > > 9. A's syscall broadcasts a TLB flush. > Heh, that's a good point.  The shadow stack permissions are *not* > strictly reduced because a page getting marked as shadow-stack has > *increased* permissions when being used as a shadow stack.  Fun. > > For general hardening, it seems like we want to ensure that there's > a > guard page at the bottom of the shadow stack.  Yu-cheng, do we have > a > guard page? We don't have the guard page now, but there is a shadow stack token there, which cannot be used as a return address. Yu-cheng