Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp1470766pxy; Thu, 29 Apr 2021 07:46:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxHAxi/mSeH5zqcWEBs+xtfYSTJ83IODpGemAAGqy6z7j7JN6JoWUTZ8c5LLAGoBuCSzq67 X-Received: by 2002:a17:90a:2b09:: with SMTP id x9mr10051878pjc.198.1619707585398; Thu, 29 Apr 2021 07:46:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619707585; cv=none; d=google.com; s=arc-20160816; b=lAdjI96PztXVR1MDHDy6qKV/9idUZ5EfhakzIMZ+yjEElF77IBqHydkYlfGfn6Sbm9 X8ie+Ji5RHsqycJ5UHtIPul4WJKZFx5a9UGqoq0Rc7mxOidXajK0lXZ6GtOu9z54rTIT ZdC6PySt0nMY56nIKNVUWvEgHiWkm/T1vH9fkh0MilGuhO2rhPwFJ0qei3kh3STRPvqy 0ynwnHAAgjx9EiBS4ZmrqK0V2txvHJgvaGD6dRDGY8cuJ0N2Z3IyDUC+pnVYG6poVQb/ JBSY42YfrARH2O2kl3k6FcUjgoLVxjPHukGC8IFGC6fk1swYTXYejz+ZG3vm5BDiwwjt ZTDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=bI7Ty+DuVzOkwzYcKiIyWagVdhDryDeR0iN6TizuD0E=; b=dKkfAUPcxGUOtvHt0dBgjr11OYFzwwDQLRWIhoKWSGeJzCqgCfCg4PaokYpYXVloWP fHMbPcuffKSpYZoevaCL+glGn5KNcFbLFTbIXdYFCZn2EY/3aukAeYWN2jSPHgrLgGRE lWt8OrDFEK2bLgDHakgOK1qTfDW4v8bXK5+q9jflojNtX1GWQPYilDZ+BA/eLaZVlaHV 6AcsO177zaUphJEcuafsK2rc8w9HRtDZosOqs1EP5AAk/orETpuVr2fI/XIHo9r84I4u t8xrnbXHxzlTkgCFrZ8+O2V2vymdGekIvXob2yl68/9RAmdm602+YqrcwXO14qkUo2S3 GMEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HNOLQGob; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id mp21si12679368pjb.147.2021.04.29.07.46.10; Thu, 29 Apr 2021 07:46:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HNOLQGob; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237406AbhD2OpH (ORCPT + 99 others); Thu, 29 Apr 2021 10:45:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:55600 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233135AbhD2OpD (ORCPT ); Thu, 29 Apr 2021 10:45:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BD86E61456 for ; Thu, 29 Apr 2021 14:44:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1619707456; bh=P0/WSeSHefJ1bFNBptJX0+j0jR1O8Fl8GSgrXOuL6UM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=HNOLQGobI3RtLIJxIjDYdC+Rc56LQ+LcDta43PhlMw4pvrvCAd6oDZdcDFq1aMsUn NqGo2bBrs2GXUBvQcmvw5W9a7ICDkPQpjwKwxkatZBpscZAR6QMwyezNhwlratC2AC HShLp2A2WH1iLV2bezvSqIfPB5ljN+DyuTwt+5cKclA6eQGRRlXCP2tBtDyWp7UHYV rzi69lzzLpic6g2srl8pNk30+4yfQiRbGWXnZ8AEDxoXKNUpg5qYNs/qdQZhSoUw89 weSBuM6qdu5GzciV7kpS+lU5ilqo0dpvjgMoNi1w10g/OzPi6n0k79zC8kzgZbAjWm 4Z19sufXKr++g== Received: by mail-lj1-f177.google.com with SMTP id o16so76701962ljp.3 for ; Thu, 29 Apr 2021 07:44:16 -0700 (PDT) X-Gm-Message-State: AOAM531Uvi7x5Eer8iS7bv0SOJ4Ph6yBM8wA3/urytG5SbU0gWHgg5xI Vu7HJDbvtP5pP/FlD9QHSSUmszthjvxzrCubk+wKiQ== X-Received: by 2002:a2e:9bc7:: with SMTP id w7mr25176951ljj.170.1619707454776; Thu, 29 Apr 2021 07:44:14 -0700 (PDT) MIME-Version: 1.0 References: <20210427204315.24153-1-yu-cheng.yu@intel.com> <20210427204315.24153-26-yu-cheng.yu@intel.com> In-Reply-To: From: Andy Lutomirski Date: Thu, 29 Apr 2021 07:44:03 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: extending ucontext (Re: [PATCH v26 25/30] x86/cet/shstk: Handle signals for shadow stack) To: Cyrill Gorcunov Cc: Andy Lutomirski , Yu-cheng Yu , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , Linux API , Arnd Bergmann , Balbir Singh , Borislav Petkov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang , Pengfei Xu , Haitao Huang Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 29, 2021 at 12:28 AM Cyrill Gorcunov wrote: > > On Wed, Apr 28, 2021 at 04:03:55PM -0700, Andy Lutomirski wrote: > > On Tue, Apr 27, 2021 at 1:44 PM Yu-cheng Yu wrote: > > > > > > When shadow stack is enabled, a task's shadow stack states must be saved > > > along with the signal context and later restored in sigreturn. However, > > > currently there is no systematic facility for extending a signal context. > > > There is some space left in the ucontext, but changing ucontext is likely > > > to create compatibility issues and there is not enough space for further > > > extensions. > > > > > > Introduce a signal context extension struct 'sc_ext', which is used to save > > > shadow stack restore token address. The extension is located above the fpu > > > states, plus alignment. The struct can be extended (such as the ibt's > > > wait_endbr status to be introduced later), and sc_ext.total_size field > > > keeps track of total size. > > > > I still don't like this. > > > > Here's how the signal layout works, for better or for worse: > > > > The kernel has: > > > > struct rt_sigframe { > > char __user *pretcode; > > struct ucontext uc; > > struct siginfo info; > > /* fp state follows here */ > > }; > > > > This is roughly the actual signal frame. But userspace does not have > > this struct declared, and user code does not know the sizes of the > > fields. So it's accessed in a nonsensical way. The signal handler > > Well, not really. While indeed this is not declared as a part of API > the structure is widely used for rt_sigreturn syscall (and we're using > it inside criu thus any change here will simply break the restore > procedure). Sorry out of time right now, I'll read your mail more > carefully once time permit. I skimmed the CRIU code. You appear to declare struct rt_sigframe, and you use the offset from the start of rt_sigframe to uc. You also use the offset to the /* fp state follows here */ part, but that's unnecessary -- you could just as easily have put the fp state at any other address -- the kernel will happily follow the pointer you supply regardless of where it points. So the only issues I can see are if you write the fp state on top of something else or if you inadvertently fill in the proposed extension part of uc_flags. Right now you seem to be ignoring uc_flags, which I presume means that you are filling it in as zero. Even if the offset of the fp state in the kernel rt_sigframe changes, the kernel should still successfully parse the signal frame you generate. I suppose there is another potential issue: would CRIU have issues if the *save* runs on a kernel that uses this proposed extension mechanism? Are you doing something with the saved state that would get confused? --Andy