Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1605347pxm; Thu, 3 Mar 2022 23:09:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJzAd3CIzDLFsvJpYRgntTnI6ltAEDBWCZm6E1RLEH8V6eT5ufI+aJ/pIS+CcFANBy0xqxRE X-Received: by 2002:a17:907:6286:b0:6da:6e24:5e43 with SMTP id nd6-20020a170907628600b006da6e245e43mr8668409ejc.449.1646377741467; Thu, 03 Mar 2022 23:09:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646377741; cv=none; d=google.com; s=arc-20160816; b=B85QUfO/1ByjFXfj+aspIACcSSiuMC6ZgW2k/3sAnrGqxDjWYYUQvdxi/nXr8Goj7J cy5D7RXKof7nqDmLbav8m74CJwYeBl7ylN9YFBsRBbcfVLloeIL7eUfhgwqcG1crCpdd DBX196BuuZ9hHW65+D5WzArdzCJ4ZdDr6SOVvMPY95gT2RvaW/CfQIMr/kayS5WAUhO1 39Yh71g0SUWFfBpQjJSRHZvse6YTcFVp4fB1vHxdh14208zDSj53iYIeQEEbvFvteeAD LiXmBprN03iEYUCLNxA9rNrgQxe3D4mLsRs0ewP2pG4I3iEtQVLTN8y1wgqWG/LCuPUL lusA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=NCIsaygwkFmM7igwMYDK7b93LAc0HVu4puRKofUnWP0=; b=SOf/AG2rtE0SzdtYx76x1YF8bdCkFh+/NgbotqeMPRLpIPZHGCvw2Hro7TB+aB3qLG glT8ysd0PEItD/SH5i95ypBKPZQpVxun3gCmN9lg3B0kIY8y66H0c2GO13i0TAm7j1gl 5Md0cRzQd4Un2G/4j2dUfGDRz9EQU7GGfbS+FUwhBuy2dkH96EeWwybnWW7ILWJEMZBO wjcJ6HMjS6KDeHiFc974tUe7COLqlV25i5MUMWySVS/pi/puwXgKclduKHpba5K7IKSL 7i2EXdgFAktV/QnFkKhfXXbZfFZ0i4EWCAUri8QwQvBke2iweZd80ET9MnJZng7klrV/ Sukg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=X8uZsrLg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n20-20020a05640205d400b004132b55c34bsi2663360edx.375.2022.03.03.23.08.38; Thu, 03 Mar 2022 23:09:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=X8uZsrLg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236243AbiCCTn6 (ORCPT + 99 others); Thu, 3 Mar 2022 14:43:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33600 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236688AbiCCTnW (ORCPT ); Thu, 3 Mar 2022 14:43:22 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D80F18F22E; Thu, 3 Mar 2022 11:42:07 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8B3F461BC4; Thu, 3 Mar 2022 19:41:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0B140C340EF; Thu, 3 Mar 2022 19:41:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1646336479; bh=HnIl+skYzj5iayObsog4Gwt5/mfT/IRPSSfVgeKmYz4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=X8uZsrLg1wS1ue15JXjIfxZfrIa5F6ODclaaSFiZyVkfNfMcHMXT3ZbuxvxL7Onx8 Jg3ctOHPmPbwyxM14NsFAMoQZDC94faFO3AnXRrbYnP5vExv6Pp6sqnuEEjRneOQi3 LYeiFVb5PPd9pZVQPx3LC5YuaO19KOL1EPs/TBf1MVY9gntS+Br+wUj2CKKhM1ENU0 IMfniBvcYagWlGE9YWSjJDj8z9mSsmy1ktQBYlVWdLbcK+stdWxDtvFncBv2sMDXAR PVmhc2UjgnYwP6/OD9BYsNZcmOKoLeuX5rTxEML3bz6tggMoY63Qjg//nwj605iKyU /9ENWwMajevMA== Date: Thu, 3 Mar 2022 21:40:57 +0200 From: Mike Rapoport To: Andy Lutomirski Cc: Rick P Edgecombe , Cyrill Gorcunov , Balbir Singh , "H. Peter Anvin" , Eugene Syromiatnikov , "Peter Zijlstra (Intel)" , Randy Dunlap , Kees Cook , Dmitry Safonov <0x7f454c46@gmail.com>, Dave Hansen , "Kirill A. Shutemov" , "Eranian, Stephane" , "linux-mm@kvack.org" , Adrian Reber , Florian Weimer , Nadav Amit , Jann Horn , Andrei Vagin , "linux-arch@vger.kernel.org" , "kcc@google.com" , Borislav Petkov , Oleg Nesterov , "H.J. Lu" , Pavel Machek , "linux-doc@vger.kernel.org" , Arnd Bergmann , "Moreira, Joao" , Thomas Gleixner , Mike Kravetz , the arch/x86 maintainers , Weijiang Yang , Dave Martin , "john.allen@amd.com" , Ingo Molnar , Dave Hansen , Jonathan Corbet , Linux Kernel Mailing List , Linux API , "Shankar, Ravi V" Subject: Re: [PATCH 00/35] Shadow stacks for userspace Message-ID: References: <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com> <8e36f20723ca175db49ed3cc73e42e8aa28d2615.camel@intel.com> <9d664c91-2116-42cc-ef8d-e6d236de43d0@kernel.org> <5a792e77-0072-4ded-9f89-e7fcc7f7a1d6@www.fastmail.com> <05df964f-552e-402e-981c-a8bea11c555c@www.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <05df964f-552e-402e-981c-a8bea11c555c@www.fastmail.com> X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 28, 2022 at 02:55:30PM -0800, Andy Lutomirski wrote: > > > On Mon, Feb 28, 2022, at 1:30 PM, Mike Rapoport wrote: > > On Mon, Feb 28, 2022 at 12:30:41PM -0800, Andy Lutomirski wrote: > >> > >> > >> On Mon, Feb 28, 2022, at 12:27 PM, Mike Rapoport wrote: > >> > On Wed, Feb 09, 2022 at 06:37:53PM -0800, Andy Lutomirski wrote: > >> >> On 2/8/22 18:18, Edgecombe, Rick P wrote: > >> >> > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote: > >> >> > > >> > > >> > Even with the current shadow stack interface Rick proposed, CRIU can restore > >> > the victim using ptrace without any additional knobs, but we loose an > >> > important ability to "self-cure" the victim from the parasite in case > >> > anything goes wrong with criu control process. > >> > > >> > Moreover, the issue with backward compatibility is not with ptrace but with > >> > sigreturn and it seems that criu is not its only user. > >> > >> So we need an ability for a tracer to cause the tracee to call a function > >> and to return successfully. Apparently a gdb branch can already do this > >> with shstk, and my PTRACE_CALL_FUNCTION_SIGFRAME should also do the > >> trick. I don't see why we need a sigretur-but-dont-verify -- we just > >> need this mechanism to create a frame such that sigreturn actually works. > > > > If I understand correctly, PTRACE_CALL_FUNCTION_SIGFRAME() injects a frame > > into the tracee and makes the tracee call sigreturn. > > I.e. the tracee is stopped and this is used pretty much as PTRACE_CONT or > > PTRACE_SYSCALL. > > > > In such case this defeats the purpose of sigreturn in CRIU because it is > > called asynchronously by the tracee when the tracer is about to detach or > > even already detached. > > The intent of PTRACE_CALL_FUNCTION_SIGFRAME is push a signal frame onto > the stack and call a function. That function should then be able to call > sigreturn just like any normal signal handler. Ok, let me reiterate. We have a seized and stopped tracee, use PTRACE_CALL_FUNCTION_SIGFRAME to push a signal frame onto the tracee's stack so that sigreturn could use that frame, then set the tracee %rip to the function we'd like to call and then we PTRACE_CONT the tracee. Tracee continues to execute the parasite code that calls sigreturn to clean up and restore the tracee process. PTRACE_CALL_FUNCTION_SIGFRAME also pushes a restore token to the shadow stack, just like setup_rt_frame() does, so that sys_rt_sigreturn() won't bail out at restore_signal_shadow_stack(). The only thing that CRIU actually needs is to push a restore token to the shadow stack, so for us a ptrace call that does that would be ideal. -- Sincerely yours, Mike.