Received: by 2002:a05:7412:a9a2:b0:e2:908c:2ebd with SMTP id o34csp619735rdh; Thu, 26 Oct 2023 10:54:15 -0700 (PDT) X-Google-Smtp-Source: AGHT+IE8038NDDUR1qWPmxVVzlxktEmOyFL/it4O3s7lZXkEOmpoH2MUznQYfzDCLIDL7ZbrAWgx X-Received: by 2002:a81:dc0a:0:b0:5a7:b53f:c304 with SMTP id h10-20020a81dc0a000000b005a7b53fc304mr145357ywj.37.1698342855441; Thu, 26 Oct 2023 10:54:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698342855; cv=none; d=google.com; s=arc-20160816; b=lsMJ5acGHYSz+oRAikY95K3b6HLg+RELsynN2RCqpjIq6I4ggeRNuAIyBR6fvNGIo+ mPueNPuWYkbfJBORme4TAFJA396zZRS/VaH0bFResMSKjxfNMdDi3EafsSlyLHCM4+bc B5sv86ur3Wgi08fGWDM94XvqwR+3iGLY/eyb4qvSgsMBowIrJ+lqYsTCwjM1Jx41MTSD PxKkrdEZb+OAtSa6QT7N0wMCKlbefqxMhD1ni0+cmp9ohCvlD2nIMcDZ8huDEbckUcOy MN82s/i5IcEdk8B9EIVuG+pHIUsNmcuaE2d9JasDeaGilz6Fyzh++6yqxwITZGzprHaY bfsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=E6OzakOmXzEiyaTaomWE0RodEqig3oiWlm6cwBDKMKo=; fh=KrYUgO7InHDTP+aWlH2tGS2B+3uud2QVDJwApTI6TIQ=; b=RqII5U2etFqXSf3/Q8up1AsVvHR4U3Jq5QWQtEsQCOtZ7r0eGXuEAqOqQ6GdgL5uic cJadfxBo52niaOXJ4g6F/iESnH+fKADqNseDuFDkAqxgUl8kF7LIWUpXPBZCXBOk+3nb buK4CS0DPjUOr7ivIn/ku8tbVbeMZmvusw9zY0Lpu5geBlFWumPF0tpfMqCtIAx8XGxZ gbDxpQwWtYIRibtF5l8TvvW8KdOv5yyh2Um0raoaOOgQ11TlONBUdWUqqRk0doHXOBEk DE0FheFfL6P6hGf54l2fJUF1J0QfHuH3hQFbwkF692QoLKzwk+lmSt4nNf8hBmBLd1MA XZuQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=OGFdh8AU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id bg24-20020a05690c031800b005af5ba5ca42si1551587ywb.284.2023.10.26.10.54.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Oct 2023 10:54:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=OGFdh8AU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 331D5828CC1F; Thu, 26 Oct 2023 10:54:12 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230330AbjJZRxt (ORCPT + 99 others); Thu, 26 Oct 2023 13:53:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36458 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229649AbjJZRxs (ORCPT ); Thu, 26 Oct 2023 13:53:48 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E742A90; Thu, 26 Oct 2023 10:53:46 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CE63CC433C8; Thu, 26 Oct 2023 17:53:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1698342826; bh=SZ0M7biq3ctrIFy2BWuggF9UsMOeq6C1UVNJ4cOuuUg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=OGFdh8AURIfxMKoMX5B2YfL/20hAhEtWjX2wiIpH3DeD6X5z+BJkIuSGsBEkoXoDw hSpM7YlvMC1N/mQY2Ran98Bm9cp+OrvOnwS93xXhhwCJec299N3itFbocP0LIr02rz MQZDfvJk3VjKM9ORdXx+4GNckAZyURx3DnYagBKOdYfNoLUIVgxQqAP0zr68ivzube 44DMSl38ad0QvL2sJgCaGATcQYf20Yi/8cuaP+I37HCvsY5dpMiMQWcMNBlzSk6wrI UkTzD5yGKKUdytgm+vKcsqYOVTjJEhgQ2+JiTd6ZXQtHFk8YW5nMCIWXFsQLIELMy/ +r4b/tW5x+sqg== Date: Thu, 26 Oct 2023 18:53:37 +0100 From: Mark Brown To: "Edgecombe, Rick P" Cc: "dietmar.eggemann@arm.com" , "keescook@chromium.org" , "Szabolcs.Nagy@arm.com" , "brauner@kernel.org" , "shuah@kernel.org" , "debug@rivosinc.com" , "mgorman@suse.de" , "dave.hansen@linux.intel.com" , "fweimer@redhat.com" , "linux-kernel@vger.kernel.org" , "vincent.guittot@linaro.org" , "hjl.tools@gmail.com" , "rostedt@goodmis.org" , "mingo@redhat.com" , "tglx@linutronix.de" , "vschneid@redhat.com" , "catalin.marinas@arm.com" , "bristot@redhat.com" , "will@kernel.org" , "hpa@zytor.com" , "peterz@infradead.org" , "jannh@google.com" , "bp@alien8.de" , "bsegall@google.com" , "linux-kselftest@vger.kernel.org" , "linux-api@vger.kernel.org" , "x86@kernel.org" , "juri.lelli@redhat.com" Subject: Re: [PATCH RFC RFT 2/5] fork: Add shadow stack support to clone3() Message-ID: <807a8142-7a8e-4563-9859-8e928156d7e5@sirena.org.uk> References: <20231023-clone3-shadow-stack-v1-0-d867d0b5d4d0@kernel.org> <20231023-clone3-shadow-stack-v1-2-d867d0b5d4d0@kernel.org> <8b0c9332-ba56-4259-a71f-9789d28391f1@sirena.org.uk> <2ec0be71ade109873445a95f3f3c107711bb0943.camel@intel.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="q+DyIvg4AWqTL3GB" Content-Disposition: inline In-Reply-To: <2ec0be71ade109873445a95f3f3c107711bb0943.camel@intel.com> X-Cookie: I'm also against BODY-SURFING!! X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 26 Oct 2023 10:54:12 -0700 (PDT) --q+DyIvg4AWqTL3GB Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Oct 26, 2023 at 05:10:47PM +0000, Edgecombe, Rick P wrote: > On Mon, 2023-10-23 at 19:32 +0100, Mark Brown wrote: > > Right.=A0 We're already adding the cost of the extra map_shadow_stack() > > so > > it doesn't seem that out of scope.=A0 We could also allow clone3() to > > be > > used for allocation, potentially removing the ability to specify the > > address entirely and only specifying the size.=A0 I did consider that > > option but it felt awkward in the API, though equally the whole > > shadow > > stack allocation thing is a bit that way.=A0 That would avoid concerns > > about placing and validating tokens entirely but gives less control > > to > > userspace. > There is also cost in the form of extra complexity. Not to throw FUD, > but GUP has been the source of thorny problems. And here we would be > doing it around security races. We're probably helped that shadow stack > is only private/anonymous memory, so maybe it's enough of a normal case > to not worry about it. > Still, there is some extra complexity, and I'm not sure if we really > need it. The justification seems to mostly be that it's not as flexible > as normal stacks with clone3. I definitely agree on the complexity, trying to valdiate a token is going to be more code doing fiddly things and there's always the risk that something will change around it and invalidate assumptions the code makes. Particularly given my inability to test x86 I'm certainly way more happy pushing this series forward implementing size only than I am doing token validation. > I don't understand why doing size-only is awkward. Just because it > doesn't match the regular stack clone3 semantics? Basically, yes - we don't allocate userpace pages in clone3() for the normal stack and we do offer userspace control over where to place things. There was some grumbling about this in the current ABI from the arm64 side, though the limited control of the size is more of the issue really. I'm not sure placement control is essential but the other bit of it is the freeing of the shadow stack, especially if userspace is doing stack switches the current behaviour where we free the stack when the thread is exiting doesn't feel great exactly. It's mainly an issue for programs that pivot stacks which isn't the common case but it is a general sharp edge. > > This also doesn't do anything to stop anyone trying to allocate sub > > page > > shadow stacks if they're trying to save memory with all the lack of > > overrun protection that implies, though that seems to me to be much > > more > > of a deliberate decision that people might make, a token would > > prevent > > that too unless write access to the shadow stack is enabled. > Sorry, I'm not following. Sub-page shadow stacks? If someone decides to allocate a page of shadow stack then point thread A at the first half of the page and thread B at the second half of the page nothing would stop them. There are obvious issues with this but I can see someone trying to do it in a system that creates lots of threads and has memory constraints. > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0/* > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 * This doesn't valid= ate that the addresses are > > > > mapped > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 * VM_SHADOW_STACK, j= ust that they're mapped at > > > > all. > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 */ > > > It just checks the range, right? > > Yes, same check as for the normal stack. > What looked wrong is that the comment says that it checks if the > addresses are mapped, but the code just does access_ok(). It's a minor > thing in any case. Oh, I see, yes. --q+DyIvg4AWqTL3GB Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmU6p6AACgkQJNaLcl1U h9A3Pwf8Cx/yHRC+zQt/rkwSj4HCvlwTPerplXmFQCQIJbiMf9oFaplULq2JmsMf S7lCREV/wMKQp1Un90F2iD/bXWYS651zMAVyRlXbh634djAnhskeZTUvaY9b/mbw XEUzmNy1dpC/iXuwaRs2tEklKHafXECgZtFl5pAh0E9QyeDRHOz34ufb4CLZmzq8 SuPL/3JX/DbzUGJAgArtSeNahcye2wD6nbokdyxa4R/ytUCFQET9eAqvOhx8v1eY K2OuWJqVL+NA4s2d4PeYqsLQ025iH7trmG30AoDllM2WH9sVlRwqPzWWnRb9FZjC NFKUl2laCh1gdAk1KF6MASZLdehqPQ== =wVjo -----END PGP SIGNATURE----- --q+DyIvg4AWqTL3GB--