Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp338imm; Thu, 30 Aug 2018 13:59:31 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYsJCc+DHMKHEHyV3J7F03MlqFHxEo8MVRDre5W0G084hE5I5d7KoVZJMaSUDmhpGDQUbli X-Received: by 2002:a17:902:c6:: with SMTP id a64-v6mr12016165pla.180.1535662771656; Thu, 30 Aug 2018 13:59:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535662771; cv=none; d=google.com; s=arc-20160816; b=VdlIrSuA7XeuYMzX2OqY8cfLplMV9+Tk7jEqu4S13JsDlzivRDkADHYN0r4uFzyjb7 4GgJLBxqwkLLybAJDThYOP/pnE5vAG5VYlv4QyQiKqogmJ/FAnmEEEbB/sscCkOHXAUa RsIOSmJwdt+uXncJgi3ZQt7Tbe5HLK/bXaQTkWuR3b+IceXlNIW0Ysi0Mdv9Wzyla9nY wMSpoYy6hpnU+uD2KKCo+GWarNEnfWQwHh2INjaV9pxEeYVzyJHNbzPdP8T7281TTNqY CZr+FfLRkK8jrtHW7gDzsPO4SQftZwKyeQt3jpHsdts2Rg4RWKccjUlA/6KddSTqZFz3 hViw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=m7d00840wsq3kzZbTyB87Q/JSzNehbLNlnjCzLsFJGk=; b=nnTk9+MsWO20rfGRT7n9bLILu7VcyvQhW6yD/7aWd2KbHdbpdRqT9qD8d4kzvdnG0R vs52fseZ/mwmfeht1ZWAZHXsfMi1caJ5plsWb79kRGmgIGUKJb+Ad3rJgp0i2v8R/YM9 GBuctUpKzEhE7luIX6GwpHilyyYQo3vZ8AYIhH562HJqq4B+GiewJqtP3SoECP0vXryg HRmAPBP4bS28ZxWJGZLqOnF/TjBGfhW3xLTEqeOnDGzfInGiDVo0RUOqNIHPb0eUd37m 7Uw9tqIlUwfbPy0Rt54cU/8IV35tHWRaYp6aQY+pe3y0AO15A2rEhkCYzx4/D2JJVQyl FzGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f40-v6si7796707plb.504.2018.08.30.13.59.15; Thu, 30 Aug 2018 13:59:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727525AbeHaBBD (ORCPT + 99 others); Thu, 30 Aug 2018 21:01:03 -0400 Received: from mga18.intel.com ([134.134.136.126]:3121 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726690AbeHaBBD (ORCPT ); Thu, 30 Aug 2018 21:01:03 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Aug 2018 13:57:01 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,308,1531810800"; d="scan'208";a="253278023" Received: from 2b52.sc.intel.com ([143.183.136.52]) by orsmga005.jf.intel.com with ESMTP; 30 Aug 2018 13:57:00 -0700 Message-ID: <1535662366.28781.6.camel@intel.com> Subject: Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW From: Yu-cheng Yu To: Jann Horn Cc: Dave Hansen , the arch/x86 maintainers , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Date: Thu, 30 Aug 2018 13:52:46 -0700 In-Reply-To: References: <20180830143904.3168-1-yu-cheng.yu@intel.com> <20180830143904.3168-13-yu-cheng.yu@intel.com> <079a55f2-4654-4adf-a6ef-6e480b594a2f@linux.intel.com> <1535649960.26689.15.camel@intel.com> <33d45a12-513c-eba2-a2de-3d6b630e928e@linux.intel.com> <1535651666.27823.6.camel@intel.com> <1535660494.28258.36.camel@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote: > On Thu, Aug 30, 2018 at 10:25 PM Yu-cheng Yu > wrote: ... > > In the flow you described, if C writes to the overflow page before > > B > > gets in with a 'call', the return address is still correct for > > B.  To > > make an attack, C needs to write again before the TLB flush.  I > > agree > > that is possible. > > > > Assume we have a guard page, can someone in the short window do > > recursive calls in B, move ssp to the end of the guard page, and > > trigger the same again?  He can simply take the incssp route. > I don't understand what you're saying. If the shadow stack is > between > guard pages, you should never be able to move SSP past that area's > guard pages without an appropriate shadow stack token (not even with > INCSSP, since that has a maximum range of PAGE_SIZE/2), and > therefore, > it shouldn't matter whether memory outside that range is incorrectly > marked as shadow stack. Am I missing something? INCSSP has a range of 256, but we can do multiple of that. But I realize the key is not to have the transient SHSTK page at all. The guard page is !pte_write() and even we have flaws in ptep_set_wrprotect(), there will not be any transient SHSTK pages. I will add guard pages to both ends. Still thinking how to fix ptep_set_wrprotect(). Yu-cheng