Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3163990rwb; Mon, 3 Oct 2022 10:33:11 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5OprGNVnWv6rbqAo3rzZ7YTs7oInx+p1djX7yjhKKfVQFn6BG4RWhkXy9BLTWPY6rNFEQ+ X-Received: by 2002:a17:902:e548:b0:178:87d2:f29f with SMTP id n8-20020a170902e54800b0017887d2f29fmr22364293plf.142.1664818391375; Mon, 03 Oct 2022 10:33:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664818391; cv=none; d=google.com; s=arc-20160816; b=ScewS0R1tuoeBeunjs7rSAm5Drl+NNhL0jbAZmIpHNh4GIpKnqlRf8bU66ZPfrLT+G /RcFAw5p583QJq9SB0ipzg1HnauYztVsNWQ3FdZD5ohKB/sZI9NwZWWdqhi/Qm7Y4tdc Rd7x9z859klK6snHzBnsIStLkGVIwSA8huD0AhmT7/7cbFwvfKACRVnK+JOPE/mdyH9j Zbd6Ez7YUGMiAuEzzLFi8MbBkmDNaFDgX3ZFkBOiMnuZISGfHWnEoikAkhdt6jl99AC+ y+r6XctkFeIO0x6rB6OC4sn+Js9iDpeCc6p3gaFgTe4vj9NkoTxjl5aYlftod08+nXPl UAgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=aXZU5Aj6YsvWXsitBdXXflaJiNNG45fO0UR9crXv66M=; b=Vpyc4kpNZQ845L/RWEstVm39K3v8gtNXLnt4SvSK6XgBw/lffJ5jZ8fYU0JPn4bpIw GuRlNsB/u0VwzG8GAIdar0e4SRCYcxrfXweaxjm51/y8ORr0oJpmi9i/QpemwQs3eldt aDFyD4oAIiW1KytQrgyrIP+8dvCpAwqOrOkrasKNKrbpE1snsulGOtVpYXi6hDr78/zo JcTHZG24S+dm2+AF6iuw+EdPBkW3AxdddQo60RyDX8steNH/1p+PbjINWjjHad2KTdI2 7eOKoCEmqVSydSHTxXzTUoRF3icKwFDiq2RPYU0rQD7g97QJjahirzO4GJAdOY21jn+N NILQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=JDD6RdGS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j63-20020a638042000000b00452446ee1d9si1712210pgd.182.2022.10.03.10.32.54; Mon, 03 Oct 2022 10:33:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=JDD6RdGS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229898AbiJCR0O (ORCPT + 99 others); Mon, 3 Oct 2022 13:26:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36118 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229779AbiJCRZp (ORCPT ); Mon, 3 Oct 2022 13:25:45 -0400 Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2101338A2E for ; Mon, 3 Oct 2022 10:25:41 -0700 (PDT) Received: by mail-io1-xd2b.google.com with SMTP id 64so8601740iov.13 for ; Mon, 03 Oct 2022 10:25:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=aXZU5Aj6YsvWXsitBdXXflaJiNNG45fO0UR9crXv66M=; b=JDD6RdGS1X/0oc37WFA58H5j2nrAKksFyEOlTgYZcvKnTWUVhQ1SQnNoUiLrd+KrnV 8lq7ZTFxk7M6lh86aQ9Cz24Xs0rdnUApg2fMCQ9K2hoztWXNkN4uw31zvPVr5sUg2Tbk ZL7qWFsWfAn+wHbzMAzdfg3eBpQSbiwqnUFUFipjelqARDYVUUCI6UdANuCUUgof4xxE oY68vV+yG7wrJuJMKlZjTSYCKiLdWnqmh9n9FmjnWbXRTBNsaeci4bign2dCGdVZYSut dc1uKbLOPh1yNvNPwSV8aA3ls3Eny5jnkD2cB1fcj+00ZfiD+gaawJw4KPvKqCHKnPdY fptg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=aXZU5Aj6YsvWXsitBdXXflaJiNNG45fO0UR9crXv66M=; b=gtNPLLdoruwvtqxNYTfSuApO70OSs4ohgJBqNLItod7qH2lL5UuPEaGYkzUimKqpw4 XJ7SiAaDgiR5DCoY35b99cRC/8B+/g+KSSodqYbRzyiNSBs10Ai77dgbW0EsNgG7J9ZY 9ES4/TrWsqMbuzEWAa4C1Uaokh9XOPMy35VQQ7ECpfAdSBmMrczO24I3JCzAljr8qTaa rfNKJYaiMlucTSDrLp9xZsmdJyjc6paGAyBcfmWOdvl8s6AvON6wMjBRPEkWcNvafzEH Xv9dYymhWcPIemPbtf0cJafzYTfO27fAeUyElTAg4rCP9d7on10MTOWk+kCFqhHfNmez JryA== X-Gm-Message-State: ACrzQf1ByaADwNAuaQpvDl9m9mEzi9tMCc14E9HgdeGhGFMZcSjIVA3D 36OSf6pgxIK1tlSlF9R54teIf9wq7wTxRAe5t5DBlQ== X-Received: by 2002:a05:6602:2ccd:b0:6a1:c561:50ca with SMTP id j13-20020a0566022ccd00b006a1c56150camr9365034iow.154.1664817939741; Mon, 03 Oct 2022 10:25:39 -0700 (PDT) MIME-Version: 1.0 References: <20220929222936.14584-1-rick.p.edgecombe@intel.com> <202210030946.CB90B94C11@keescook> In-Reply-To: <202210030946.CB90B94C11@keescook> From: Jann Horn Date: Mon, 3 Oct 2022 19:25:03 +0200 Message-ID: Subject: Re: [PATCH v2 00/39] Shadowstacks for userspace To: Kees Cook Cc: Rick Edgecombe , x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jonathan Corbet , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V . Shankar" , Weijiang Yang , "Kirill A . Shutemov" , joao.moreira@intel.com, John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 3, 2022 at 7:04 PM Kees Cook wrote: > On Thu, Sep 29, 2022 at 03:28:57PM -0700, Rick Edgecombe wrote: > > This is an overdue followup to the =E2=80=9CShadow stacks for userspace= =E2=80=9D CET series. > > Thanks for all the comments on the first version [0]. They drove a dece= nt > > amount of changes for v2. Since it has been awhile, I=E2=80=99ll try to= summarize the > > areas that got major changes since last time. Smaller changes are liste= d in > > each patch. > > Thanks for the write-up! > > > [...] > > GUP > > --- > > Shadow stack memory is generally treated as writable by the ker= nel, but > > it behaves differently then other writable memory with respect = to GUP. > > FOLL_WRITE will not GUP shadow stack memory unless FOLL_FORCE i= s also > > set. Shadow stack memory is writable from the perspective of be= ing > > changeable by userspace, but it is also protected memory from > > userspace=E2=80=99s perspective. So preventing it from being wr= itable via > > FOLL_WRITE help=E2=80=99s make it harder for userspace to arbit= rarily write to > > it. However, like read-only memory, FOLL_FORCE can still write = through > > it. This means shadow stacks can be written to via things like > > =E2=80=9C/proc/self/mem=E2=80=9D. Apps that want extra security= will have to prevent > > access to kernel features that can write with FOLL_FORCE. > > This seems like a problem to me -- the point of SS is that there cannot b= e > a way to write to them without specific instruction sequences. The fact > that /proc/self/mem bypasses memory protections was an old design mistake > that keeps leading to surprising behaviors. It would be much nicer to > draw the line somewhere and just say that FOLL_FORCE doesn't work on > VM_SHADOW_STACK. Why must FOLL_FORCE be allowed to write to SS? But once you have FOLL_FORCE, you can also just write over stuff like executable code instead of writing over the stack. I don't think allowing FOLL_FORCE writes over shadow stacks from /proc/$pid/mem is making things worse in any way, and it's probably helpful for stuff like debuggers. If you don't want /proc/$pid/mem to be able to do stuff like that, then IMO the way to go is to change when /proc/$pid/mem uses FOLL_FORCE, or to limit overall write access to /proc/$pid/mem.