Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp38353imm; Thu, 30 Aug 2018 13:46:41 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZr9Zr3gBkj8FiERDPShvYdRYRjQ+xtsdk7VyNSc3Ws93IlxdRoYCa+iiE5hSMGRToDY3r3 X-Received: by 2002:a65:5304:: with SMTP id m4-v6mr11534526pgq.250.1535662001007; Thu, 30 Aug 2018 13:46:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535662000; cv=none; d=google.com; s=arc-20160816; b=hIG7T32jYXcfk9tZ486yM8s2+kn5Q6vQZYsaIMPl5iQB5Nf1SOf5OhHjr0tzFtNBXv se6XmmPsiJJRePLw2qg8QgbfTLZBHyqaeJfHFcNoJRXEjim28+aHQEKorSJJXzd0uIUR cmT/aWH7AfUTh1hnV1UGHTMRpht/eE8aXeaamE4wXvj6Rfhjxll6QZt1JmxdZQnvcXFc /ndNrThyxttonDCzw6vE2v0K+FsO5Bcr5bBjUss9Abqs1Cg227NMStat3D4j0h5DDmcv /S4Nq0yT12TBAGChDbCEhBP2jzfiIdUQYDT4hWkT+PTfDZVEF+vgHtB0tJnNTTyjRC/V h9aA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=IP30Y1YhjynsIjlW5YIr2azX4Y9nlVjraWdcjhS3RFg=; b=Z7iDEmE3OG7046xudL7U7kh4UbQHRp5A72MrfjOGHmkfc6Rdi4MyzQfeG2JDriyjRD JbeudSVDSC5jstP6SfDj8h5AdGC6HX5Okgxs6rS5T3SD2cSthMDbxsDvRyNLKv6up30B OltOFsyWUGZaYEuGq7l/BzR2WAvIzGFs2sHQBxoC6Dz8gD/PMrdmsrDyWaTM1uKgNlwm B0aJrsjjEtEdhsHJC5aRoKyFjPSCbLfUTw3lxmLUqmraE8fyAPylnYzXeRf/9dOa5LT+ yma15kb5DV8oI6iztvEoO72Hi2QU5L+FnXTmxETCXdlF8fIYMGWVzQOwMqfGFr53gwsy USMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UEFAtDXb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j2-v6si7292337pfc.102.2018.08.30.13.46.24; Thu, 30 Aug 2018 13:46:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UEFAtDXb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727363AbeHaAtL (ORCPT + 99 others); Thu, 30 Aug 2018 20:49:11 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:44302 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727170AbeHaAtK (ORCPT ); Thu, 30 Aug 2018 20:49:10 -0400 Received: by mail-oi0-f65.google.com with SMTP id l82-v6so17884345oih.11 for ; Thu, 30 Aug 2018 13:45:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IP30Y1YhjynsIjlW5YIr2azX4Y9nlVjraWdcjhS3RFg=; b=UEFAtDXbGd4VPyHxaw6oDLz0N3WEQBZHluX5MN9Wwt5OA/Xe80i5CCB5ZreWrEQnfT KHIf5ZROXkN653XoB83aYym4VTCvpd9U5ywV/L8dWL3TZB4CK4VeR5yA6qAbt+A1EnJe ZnvyvsReLBsmae7z3IRRKNYPoonLag6ua8MDc3qCCZ2u3KqhEMZVDAs6HeZocNTTxO9s ZD/5pm+9vxRa/gxrheOcLitnUFac1M6pxa5l9hWt8pTy1ldnuMMBTDFkiftV6pdF+9HC 9qsmS/N7gYXZJSvox6hsx2UhQ5LYw3ggKxfqA1lcz+RdYO0CsKeFxTnvE52MbPjMUGkX eYoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IP30Y1YhjynsIjlW5YIr2azX4Y9nlVjraWdcjhS3RFg=; b=uMLiz5XWIEFLZNUIPlEGr5v+VPo/JGXKo57DfHsIKt1Nd7llMcXLoeNcTR/d0HwjdH iWqcKzvT1podYbJjgTimEMnPACpy7mHygHWpu8Q8h/67oHrF+AUKSa3FPfbuRz4J7Mas d8wUOxd+KJjfnfh+Tv+DYuv+QNNFCIVruucADAxvL10H/UFEZ3OXKplfjbsk7v3GkbJi Y6RN4kxNW0CC2pAO1ypsR7/s0Y7v0VuqhaFNAZi98dNqptnvJJkB3VQNuAdofYovnAXH dZoawVxqIVtet1GBUVn+8Ro3tnsO9V8rwt0Ae3NPcAfIyZyKtL7r2LhLAI8rgWh0qJim X2aQ== X-Gm-Message-State: APzg51DsZMxVCG/Vet7no2Mg8aBmeXdqPJwRb08BjSkojiTsFstjxd9j A16bi8JaX7iuHQ4ABGGh6QflJyAR93iwf8pr0OXdmg== X-Received: by 2002:aca:4784:: with SMTP id u126-v6mr4328731oia.229.1535661910290; Thu, 30 Aug 2018 13:45:10 -0700 (PDT) MIME-Version: 1.0 References: <20180830143904.3168-1-yu-cheng.yu@intel.com> <20180830143904.3168-13-yu-cheng.yu@intel.com> <079a55f2-4654-4adf-a6ef-6e480b594a2f@linux.intel.com> <1535649960.26689.15.camel@intel.com> <33d45a12-513c-eba2-a2de-3d6b630e928e@linux.intel.com> <1535651666.27823.6.camel@intel.com> <1535660494.28258.36.camel@intel.com> In-Reply-To: <1535660494.28258.36.camel@intel.com> From: Jann Horn Date: Thu, 30 Aug 2018 22:44:43 +0200 Message-ID: Subject: Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW To: yu-cheng.yu@intel.com Cc: Dave Hansen , "the arch/x86 maintainers" , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 30, 2018 at 10:25 PM Yu-cheng Yu wrote: > > On Thu, 2018-08-30 at 19:59 +0200, Jann Horn wrote: > > On Thu, Aug 30, 2018 at 7:58 PM Yu-cheng Yu > > wrote: > > > > > > > > > On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote: > > > > > > > > On 08/30/2018 10:26 AM, Yu-cheng Yu wrote: > > > > > > > > > > > > > > > We don't have the guard page now, but there is a shadow stack > > > > > token > > > > > there, which cannot be used as a return address. > > > > The overall concern is that we could overflow into a page that > > > > we > > > > did > > > > not intend. Either another actual shadow stack or something > > > > that a > > > > page > > > > that the attacker constructed, like the transient scenario Jann > > > > described. > > > > > > > A task could go beyond the bottom of its shadow stack by doing > > > either > > > 'ret' or 'incssp'. If it is the 'ret' case, the token prevents > > > it. > > > If it is the 'incssp' case, a guard page cannot prevent it > > > entirely, > > > right? > > I mean the other direction, on "call". > > In the flow you described, if C writes to the overflow page before B > gets in with a 'call', the return address is still correct for B. To > make an attack, C needs to write again before the TLB flush. I agree > that is possible. > > Assume we have a guard page, can someone in the short window do > recursive calls in B, move ssp to the end of the guard page, and > trigger the same again? He can simply take the incssp route. I don't understand what you're saying. If the shadow stack is between guard pages, you should never be able to move SSP past that area's guard pages without an appropriate shadow stack token (not even with INCSSP, since that has a maximum range of PAGE_SIZE/2), and therefore, it shouldn't matter whether memory outside that range is incorrectly marked as shadow stack. Am I missing something?