Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp531544rdb; Thu, 30 Nov 2023 11:01:20 -0800 (PST) X-Google-Smtp-Source: AGHT+IE6g1HY35lo+F07KnttvArs7PWmDjNlWqVdTpWn043rWD3VxsAGPl518PEKVDFIWZesfSix X-Received: by 2002:a05:6a21:a583:b0:186:2389:a73e with SMTP id gd3-20020a056a21a58300b001862389a73emr31789003pzc.55.1701370880405; Thu, 30 Nov 2023 11:01:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701370880; cv=none; d=google.com; s=arc-20160816; b=P95jA1VV2qq0d5+/YiIYOcc40hkOunWFVbBkKrvCxOKMDaOEBWUZN42MsuqWGetLco TDZkVMGV+3dP41Sv/r1NQ98G4l0aWeh8H/72a7IooFzJry3QbV8RfmB9UNsiujOAL4ED Vdg4euX/RRoTPXZYUJcZ7v0AMv/O5t8Vwy5d++nxEbb6F1f/fKPzILTBXlbwIn4OQ6Pp VSbR+lvqSqI4xxMX2eBV7WpWpdlJ84+LXqilbc8zMhYfWxw0k2MzPmfEsVI+5nDohVm6 d7KkBu2Rbacg+BxJ+xQ97mEKK483UfqABPBD+Ptjr/a/50+QSwSyfbKtcjkYMWz6jOU5 nbMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=bly2uWd+XBXEnPu/Aph210P+dXD6+Yu0rBbF84VVY1M=; fh=v8rDv3vOJcWU1Os1Nl+p/FCODCxApvpHiSTI5QAZe4E=; b=smu9P8J26UfYN3wAT9LWgT5ApFXrxfGiqRfedDfAXHjdEsKo6zueLge+fekNZx+5GF OkzVPBGkuF8YUntx1vQuDUohJiOAQcqAsghUmWqiAISZClyTebut8DF8XnglBlJx1U/4 ljK++v+hCBRcM9byr7bY7q9ZRv9xLoXzjg+BVeycNPpLmy49lIEvZ4+h3xAJ6XsKerlb 8EbCfSxsYMsrqudqMoggYKDXRb19BDHYuGZN3+q6tlO0y3h6RbSvS3i9PT84oz4PD6Ow iX7hQJ7jtjXHYa/6NBpIURB1G8yK2BMxz476RY9xfRWPt8n8vGIiR2GCqDH5qyUJ1wnx Xkpg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id dh1-20020a056a00478100b006cddbffdae6si1634242pfb.353.2023.11.30.11.01.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Nov 2023 11:01:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id E98EF852680D; Thu, 30 Nov 2023 11:01:17 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231199AbjK3TBE (ORCPT + 99 others); Thu, 30 Nov 2023 14:01:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40854 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229782AbjK3TBC (ORCPT ); Thu, 30 Nov 2023 14:01:02 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F0D2194 for ; Thu, 30 Nov 2023 11:01:06 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E862DC433C8; Thu, 30 Nov 2023 19:01:00 +0000 (UTC) Date: Thu, 30 Nov 2023 19:00:58 +0000 From: Catalin Marinas To: Mark Brown Cc: "Rick P. Edgecombe" , Deepak Gupta , Szabolcs Nagy , "H.J. Lu" , Florian Weimer , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Valentin Schneider , Christian Brauner , Shuah Khan , linux-kernel@vger.kernel.org, Will Deacon , Kees Cook , jannh@google.com, linux-kselftest@vger.kernel.org, linux-api@vger.kernel.org, David Hildenbrand Subject: Re: [PATCH RFT v4 0/5] fork: Support shadow stacks in clone3() Message-ID: References: <20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@kernel.org> X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Thu, 30 Nov 2023 11:01:18 -0800 (PST) Hi Mark, Thanks for putting this together and sorry it took me some time to catch up (well, still not fully, so rather more questions below). On Tue, Nov 28, 2023 at 06:22:38PM +0000, Mark Brown wrote: > Since clone3() is readily extensible let's add support for specifying a > shadow stack when creating a new thread or process in a similar manner > to how the normal stack is specified, keeping the current implicit > allocation behaviour if one is not specified either with clone3() or > through the use of clone(). Unlike normal stacks only the shadow stack > size is specified, similar issues to those that lead to the creation of > map_shadow_stack() apply. My hope when looking at the arm64 patches was that we can completely avoid the kernel allocation/deallocation of the shadow stack since it doesn't need to do this for the normal stack either. Could someone please summarise why we dropped the shadow stack pointer after v1? IIUC there was a potential security argument but I don't think it was a very strong one. Also what's the threat model for this feature? I thought it's mainly mitigating stack corruption. If some rogue code can do syscalls, we have bigger problems than clone3() taking a shadow stack pointer. My (probably wrong) mental model was that libc can do an mmap() for normal stack, a map_shadow_stack() for the shadow one and invoke clone3() with both these pointers and sizes. There is an overhead of an additional syscall but if some high-performance app needs to spawn threads quickly, it would most likely do some pooling. I'm not against clone3() getting a shadow_stack_size argument but asking some more questions. If we won't pass a pointer as well, is there any advantage in expanding this syscall vs a specific prctl() option? Do we need a different size per thread or do all threads have the same shadow stack size? A new RLIMIT doesn't seem to map well though, it is more like an upper limit rather than a fixed/default size (glibc I think uses it for thread stacks but bionic or musl don't AFAIK). Another dumb question on arm64 - is GCSPR_EL0 writeable by the user? If yes, can the libc wrapper for threads allocate a shadow stack via map_shadow_stack() and set it up in the thread initialisation handler before invoking the thread function? Thanks. -- Catalin