Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2374117pxk; Mon, 14 Sep 2020 11:32:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyJ+FTEmIUnbphlvc5oQhauB2cBG9bqlFUqJkDxtKqqJJ13g73DSvRFXy5LXY/0D0W5ys5G X-Received: by 2002:a17:906:cc99:: with SMTP id oq25mr4070193ejb.292.1600108354691; Mon, 14 Sep 2020 11:32:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600108354; cv=none; d=google.com; s=arc-20160816; b=eLX+hihJK+310lwsaUZSP29unhTAw/AqbtKjE0nfYEWNwgaPtFBBVj0iELbXkg0Zbo pOiR6yFqd9GPKJQ1Rp6MbCA3/twbKJqP9T8ndmW4zhKH7cx+NVWezGHz421w9gzrzMGH 2Htaw13isjf6ppRHl3CDK8uDv8avMFb0xpseOzCRrOA5QAl75jpkix9P9fus495vJo5d s/kAnoCaahj0EAE72sh6/TIqe5mJtHKZnfy5znMhbaG/lKsikrYlwSXzicQ5h2ltgwnk O4E73z06+WkafLAu3f0xKfPXR/N0ord7Po2zBSfv2HapsF0uFNbNYTXeiDgDI53PFRtX /xdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=luKAhDUKqv3hT98OAF9Z4kBy2g6qPGxzl1pHpmzU/JI=; b=k12f4pXTG1XCMfkkcQlQ+lCmPglZBCRaA3UE4Gi0gYtW9HsOzIUv5n7fnXHIHX8Xbe t7MVJpTeZC5TI/aWeB33aYHzW59B8HuwXCrxnaF7lOFcFwaiLm7cvwnY2vVQ0PN2ouTh ZYza6ZKzuv55y0LEWcjX8ODh9H5QN5gveKteot4vDqyO1jUqvp8cgNsWKPONyCVhSMcv HFs95jqrYoSL5OOWLeW8d1cbD5vK03Z353yCbmQxWC/QwoP84fQj4/wTmUYimMjI5Wxv 8DOi46IYDS5MsVttY6ibrZayxXJXFFfItXrlCSMrJraj6oFOjOcANuNVneE5jTDvlMaD gEUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=D4P7AEng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bu5si7919843ejb.750.2020.09.14.11.32.11; Mon, 14 Sep 2020 11:32:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=D4P7AEng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726046AbgINSbj (ORCPT + 99 others); Mon, 14 Sep 2020 14:31:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:50046 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726019AbgINSbP (ORCPT ); Mon, 14 Sep 2020 14:31:15 -0400 Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 720A82193E for ; Mon, 14 Sep 2020 18:31:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600108274; bh=TWMzqZoZNralDEd5I14l94VOUCKWS0bUz/b6Q4OWmsg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=D4P7AEngB+S1f31yQcalYo1zCNFyveknGKD9Hj70JfD4ABuAiXlotcEedmXFm7ic5 hyF+FdjUZ/Pv8vmvFKWoUUv8UKd7aD5CEBujLlrbWQz6oxj49Y/+V5ZJ8vRVNdjlUU Hf9ohxCwkyBAIRMBxwyvi8S9wNjMHJEHhe3JffZo= Received: by mail-wr1-f47.google.com with SMTP id x14so638986wrl.12 for ; Mon, 14 Sep 2020 11:31:14 -0700 (PDT) X-Gm-Message-State: AOAM5302FwML59CUw14sf00HRad7Bd5z3jzceN9Kc9QdChNOJqeCdybE Q/m8LXG5j4iVp7Vui/JqdDfPW4oaGsl8MAR4vgkpjA== X-Received: by 2002:a5d:5111:: with SMTP id s17mr17179124wrt.70.1600108272961; Mon, 14 Sep 2020 11:31:12 -0700 (PDT) MIME-Version: 1.0 References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com> <0e9996bc-4c1b-cc99-9616-c721b546f857@intel.com> <4f2dfefc-b55e-bf73-f254-7d95f9c67e5c@intel.com> <20200901102758.GY6642@arm.com> <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com> <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> In-Reply-To: <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> From: Andy Lutomirski Date: Mon, 14 Sep 2020 11:31:01 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack To: Dave Hansen Cc: Yu-cheng Yu , Andy Lutomirski , Dave Martin , "H.J. Lu" , Florian Weimer , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Weijiang Yang Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Sep 14, 2020, at 7:50 AM, Dave Hansen wrote: > > =EF=BB=BFOn 9/11/20 3:59 PM, Yu-cheng Yu wrote: > ... >> Here are the changes if we take the mprotect(PROT_SHSTK) approach. >> Any comments/suggestions? > > I still don't like it. :) > > I'll also be much happier when there's a proper changelog to accompany > this which also spells out the alternatives any why they suck so much. > Let=E2=80=99s take a step back here. Ignoring the precise API, what exactly= is a shadow stack from the perspective of a Linux user program? The simplest answer is that it=E2=80=99s just memory that happens to have certain protections. This enables all kinds of shenanigans. A program could map a memfd twice, once as shadow stack and once as non-shadow-stack, and change its control flow. Similarly, a program could mprotect its shadow stack, modify it, and mprotect it back. In some threat models, though could be seen as a WRSS bypass. (Although if an attacker can coerce a process to call mprotect(), the game is likely mostly over anyway.) But we could be more restrictive, or perhaps we could allow user code to opt into more restrictions. For example, we could have shadow stacks be special memory that cannot be written from usermode by any means other than ptrace() and friends, WRSS, and actual shadow stack usage. What is the goal? No matter what we do, the effects of calling vfork() are going to be a bit odd with SHSTK enabled. I suppose we could disallow this, but that seems likely to cause its own issues.