Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C68BC27C76 for ; Wed, 25 Jan 2023 09:30:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235069AbjAYJaR (ORCPT ); Wed, 25 Jan 2023 04:30:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45508 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233965AbjAYJaO (ORCPT ); Wed, 25 Jan 2023 04:30:14 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1812314EBA for ; Wed, 25 Jan 2023 01:29:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1674638967; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TjE3MFK73jMeqX5iFxpax2sxTvtsTUXIevN9S/ssTM8=; b=hGuHRKTSdxcNm6h1xJ+cZHURTHNnaMFrP3pjnmedoSRAZinH7QBz3ucSV6EjnSWXOLmrdO uXWHLnDbY+Zz49j34J6/0Z0+H7u+MzI4YLwLlYVAYuH0hzcs0zpOK5ikZ+fPFWCYNogS3I zBLMvMt4D5L2a2phEgkLC43WkURij5k= Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-664-YvgrsaHROcKWepMEogk6sw-1; Wed, 25 Jan 2023 04:29:25 -0500 X-MC-Unique: YvgrsaHROcKWepMEogk6sw-1 Received: by mail-wr1-f70.google.com with SMTP id bj7-20020a0560001e0700b002bfb3c6ec00so607072wrb.4 for ; Wed, 25 Jan 2023 01:29:25 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TjE3MFK73jMeqX5iFxpax2sxTvtsTUXIevN9S/ssTM8=; b=nXCuuuQw/RiPanxpSk+OC4/K/Y4L3ehy53b+iMPpfdZFUHSFuBstxcdLAYwxCQnjY8 uQsLhoLLuhht6kxZzrSadYeuVmgAPsZds3I+YRHmH7otTLJI2tu+e/EvGgNNgfLYVxpL oqZarrU4wk4Ca1b94Ji830YDKcm8uVemqjvibHsdXu3Kmpp2EMRBQRYvghHZpH48GEum IHVVOHB+HreCDzNxUyFa1m64LFh0h9NID/6nXW2aIesNbAAPaefYfMv4qrbznV9uyWr2 DZ9BD1VcqpYb/4IUTaxBrskl8smlO6VIyQhy0IgfRdhhkib6/+13XTobgPWQztjpQgRR wHHw== X-Gm-Message-State: AFqh2kohRBqR8w9N78z6DOifDsk2j9QiGWznki+lWlb73hrFThvk9+sg zPVTtxFsqzOK7uRnw9Z6GwcuQRbOBU2jgOjgWszJPG1EZ+aBpJXG9E24mxORuhBAET+pRemUnAp U7fk7RlvM4FSoPGkdcVsQGUcv X-Received: by 2002:adf:fb86:0:b0:2b6:7876:3cd4 with SMTP id a6-20020adffb86000000b002b678763cd4mr25258746wrr.16.1674638963417; Wed, 25 Jan 2023 01:29:23 -0800 (PST) X-Google-Smtp-Source: AMrXdXsLivmPABRiZvHHfGmnyR69nY5+HViCF4rvX0glv7Y5M6gJXrX848D3l9+TwkCsYm87blrEGw== X-Received: by 2002:adf:fb86:0:b0:2b6:7876:3cd4 with SMTP id a6-20020adffb86000000b002b678763cd4mr25258727wrr.16.1674638963093; Wed, 25 Jan 2023 01:29:23 -0800 (PST) Received: from ?IPV6:2003:cb:c705:4c00:486:38e2:8ff8:a135? (p200300cbc7054c00048638e28ff8a135.dip0.t-ipconnect.de. [2003:cb:c705:4c00:486:38e2:8ff8:a135]) by smtp.gmail.com with ESMTPSA id d9-20020adff2c9000000b002be34f87a34sm4166170wrp.1.2023.01.25.01.29.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 25 Jan 2023 01:29:22 -0800 (PST) Message-ID: <716d9e97-b08f-eb0f-101a-be6eaf36f184@redhat.com> Date: Wed, 25 Jan 2023 10:29:20 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Subject: Re: [PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory Content-Language: en-US To: "Edgecombe, Rick P" , "fweimer@redhat.com" , "kees@kernel.org" Cc: "bsingharora@gmail.com" , "hpa@zytor.com" , "Syromiatnikov, Eugene" , "peterz@infradead.org" , "rdunlap@infradead.org" , "keescook@chromium.org" , "Eranian, Stephane" , "kirill.shutemov@linux.intel.com" , "dave.hansen@linux.intel.com" , "linux-mm@kvack.org" , "nadav.amit@gmail.com" , "jannh@google.com" , "dethoma@microsoft.com" , "kcc@google.com" , "linux-arch@vger.kernel.org" , "bp@alien8.de" , "andrew.cooper3@citrix.com" , "oleg@redhat.com" , "Yang, Weijiang" , "Lutomirski, Andy" , "hjl.tools@gmail.com" , "jamorris@linux.microsoft.com" , "arnd@arndb.de" , "tglx@linutronix.de" , "Schimpe, Christina" , "mike.kravetz@oracle.com" , "x86@kernel.org" , "linux-doc@vger.kernel.org" , "pavel@ucw.cz" , "john.allen@amd.com" , "rppt@kernel.org" , "mingo@redhat.com" , "corbet@lwn.net" , "linux-kernel@vger.kernel.org" , "linux-api@vger.kernel.org" , "gorcunov@gmail.com" , "akpm@linux-foundation.org" References: <20230119212317.8324-1-rick.p.edgecombe@intel.com> <20230119212317.8324-24-rick.p.edgecombe@intel.com> <87fsc1il73.fsf@oldenburg.str.redhat.com> <6adfa0b5c38a9362f819fcc364e02c37d99a7f4a.camel@intel.com> <5B29D7A0-385A-41E8-AA56-EF726E6906BF@kernel.org> <19ff6ea3b96d027defb548fb6b7f89de17905a4b.camel@intel.com> From: David Hildenbrand Organization: Red Hat In-Reply-To: <19ff6ea3b96d027defb548fb6b7f89de17905a4b.camel@intel.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 25.01.23 00:41, Edgecombe, Rick P wrote: > On Tue, 2023-01-24 at 15:08 -0800, Kees Cook wrote: >>> GDB support for shadow stack is queued up for whenever the kernel >>> interface settles. I believe it just uses ptrace, and not this >>> proc. >>> But yea ptrace poke will still need to use FOLL_FORCE and be able >>> to >>> write through shadow stacks. >> >> I'd prefer to avoid adding more FOLL_FORCE if we can. If gdb can do >> stack manipulations through a ptrace interface then let's leave off >> FOLL_FORCE. > > Ptrace and /proc/self/mem both use FOLL_FORCE. I think ptrace will > always need it or something like it for debugging. > > To jog your memory, this series doesn't change what uses FOLL_FORCE. It > just sets the shadow stack rules to be the same as read-only memory. So > even though shadow stack memory is sort of writable, it's a bit more > locked down and FOLL_FORCE is required to write to it with GUP. > > If we just remove FOLL_FORCE from /proc/self/mem, something will > probably break right? How do we do this? Some sort of opt-in? I don't think removing that is an option. It's another debug interface that has been allowing such access for ever ... Blocking /proc/self/mem access completely for selected processes might be the better alternative. -- Thanks, David / dhildenb