Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp1204673rdb; Fri, 1 Dec 2023 09:30:56 -0800 (PST) X-Google-Smtp-Source: AGHT+IF5Yr7NJAoFopgztxKwv189vNqTX7NhWNZUqrRSd3Kr37ftGImwT+se8x4ZgnKhGVJeaT1m X-Received: by 2002:a05:6870:ad07:b0:1fb:217:5203 with SMTP id nt7-20020a056870ad0700b001fb02175203mr571787oab.53.1701451856504; Fri, 01 Dec 2023 09:30:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701451856; cv=none; d=google.com; s=arc-20160816; b=AnRMCiHb4o8y3R+4IhNH9vnv/tUBj8ysj6kuAFw2XAtZJjskGZDTgFshwzkv6QkyhA OlCRCYTh/42g+8d8EWRm5lCCs54lIwMd2QtbAQROhu+uY+8lgLyTkaiaWz4cKPCxLGHR H+p9K+hiG4pA0B2Y85oYX9nG73wVWfiWefgMHlPco/qSgyBhSIMTTkt8VWWYJdX2suqZ 7+2BuG7a/EAmPhpLaiqcpdG/InSWp4RthIXHmrjvAQFUOvdtkQaD2yD03cdoTRKc74bb bRqyd81hg37lm/h0WnZAI07nsBs75Gv71g9YUGSVcNumeRS9rxSnzRPKJ4KfIo4yDQBn ionw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Wq0vNUMPD+hlIEL66yURTvollc9ySNRtRk6/CpimZsI=; fh=v8rDv3vOJcWU1Os1Nl+p/FCODCxApvpHiSTI5QAZe4E=; b=kABwsdA8p7fvRriNGOAtQ7aouvhwdtQ17HMrCIGaM/roqUiU/k6tlcpFFFUv6o4Hn9 kkhiQZ7LRZMCypDIunx1ru5t370XMQtX7ftRSweUs5rVL3az0rUD6G/TG/BuqcMECtel /rtSR5b2/GAheo4fypjfDnEd+VSlct5xXPEoI1ExtDXBRHZzM6cTUEyVU5wzx8VB77N8 61vM/R0CTOg4ITfOUCyiL95lupWdsVFOVQRxLV629lQS5Yioj0RCgC7dQ2B1xu52pJaT PtYtnAzHmur2C0nFUfcBC8wTbK/ddg7psVZwKaS6waVYZOMvUG9t2020HgcUjIUgyM5c w0iA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6]) by mx.google.com with ESMTPS id gi3-20020a0568703b8300b001fa4cf87019si1446731oab.153.2023.12.01.09.30.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Dec 2023 09:30:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id B12FF8039DE7; Fri, 1 Dec 2023 09:30:45 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229837AbjLARa2 (ORCPT + 99 others); Fri, 1 Dec 2023 12:30:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230186AbjLARaZ (ORCPT ); Fri, 1 Dec 2023 12:30:25 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21C6710F4 for ; Fri, 1 Dec 2023 09:30:31 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 46A19C433C8; Fri, 1 Dec 2023 17:30:25 +0000 (UTC) Date: Fri, 1 Dec 2023 17:30:22 +0000 From: Catalin Marinas To: Mark Brown Cc: "Rick P. Edgecombe" , Deepak Gupta , Szabolcs Nagy , "H.J. Lu" , Florian Weimer , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Valentin Schneider , Christian Brauner , Shuah Khan , linux-kernel@vger.kernel.org, Will Deacon , Kees Cook , jannh@google.com, linux-kselftest@vger.kernel.org, linux-api@vger.kernel.org, David Hildenbrand Subject: Re: [PATCH RFT v4 0/5] fork: Support shadow stacks in clone3() Message-ID: References: <20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Fri, 01 Dec 2023 09:30:45 -0800 (PST) Thanks all for the clarification. On Thu, Nov 30, 2023 at 09:51:04PM +0000, Mark Brown wrote: > On Thu, Nov 30, 2023 at 07:00:58PM +0000, Catalin Marinas wrote: > > My hope when looking at the arm64 patches was that we can completely > > avoid the kernel allocation/deallocation of the shadow stack since it > > doesn't need to do this for the normal stack either. Could someone > > please summarise why we dropped the shadow stack pointer after v1? IIUC > > there was a potential security argument but I don't think it was a very > > strong one. Also what's the threat model for this feature? I thought > > it's mainly mitigating stack corruption. If some rogue code can do > > syscalls, we have bigger problems than clone3() taking a shadow stack > > pointer. > > As well as preventing/detecting corruption of the in memory stack shadow > stacks are also ensuring that any return instructions are unwinding a > prior call instruction, and that the returns are done in opposite order > to the calls. This forces usage of the stack - any value we attempt to > RET to is going to be checked against the top of the shadow stack which > makes chaining returns together as a substitute for branches harder. > > The concern Rick raised was that allowing user to pick the exact shadow > stack pointer would allow userspace to corrupt or reuse the stack of an > existing thread by starting a new thread with the shadow stack pointing > into the existing shadow stack of that thread. While in isolation > that's not too much more than what userspace could just do directly > anyway it might compose with other issues to something more "interesting" > (eg, I'd be a bit concerned about overlap with pkeys/POE though I've not > thought through potential uses in detail). Another concern I had was that map_shadow_stack() currently takes a flags arg (though only one flag) while the clone/clone3() allocate the shadow stack with an implicit configuration (other than size). Would map_shadow_stack() ever get new flags that we may also need to set on the default thread shadow stack (e.g. a new permission type)? At that point it would be better if clone3() allowed a shadow stack pointer so that any specific attributes would be limited to map_shadow_stack(). If that's only theoretical, I'm fine to go ahead with a size-only argument for clone3(). We could also add the pointer now and allocate the stack if NULL or reuse it if not, maybe with some prctl to allow this. It might be overengineering and we'd never use such feature though. > > I'm not against clone3() getting a shadow_stack_size argument but asking > > some more questions. If we won't pass a pointer as well, is there any > > advantage in expanding this syscall vs a specific prctl() option? Do we > > need a different size per thread or do all threads have the same shadow > > stack size? A new RLIMIT doesn't seem to map well though, it is more > > like an upper limit rather than a fixed/default size (glibc I think uses > > it for thread stacks but bionic or musl don't AFAIK). > > I don't know what the userspace patterns are likely to be here, it's > possible a single value for each process might be fine but I couldn't > say that confidently. I agree that a RLIMIT does seem like a poor fit. Szabolcs clarified that there are cases where we need the size per thread. > As well as the actual configuration of the size the other thing that we > gain is that as well as relying on heuristics to determine if we need to > allocate a new shadow stack for the new thread we allow userspace to > explicitly request a new shadow stack. But the reverse is not true - we can't use clone3() to create a thread without a shadow stack AFAICT. > > Another dumb question on arm64 - is GCSPR_EL0 writeable by the user? If > > yes, can the libc wrapper for threads allocate a shadow stack via > > map_shadow_stack() and set it up in the thread initialisation handler > > before invoking the thread function? > > No, GCSPR_EL0 can only be changed by EL0 through BL, RET and the > new GCS instructions (push/pop and stack switch). Push is optional - > userspace has to explicitly request that it be enabled and this could be > prevented through seccomp or some other LSM. The stack switch > instructions require a token at the destination address which must > either be written by a higher EL or will be written in the process of > switching away from a stack so you can switch back. Unless I've missed > one every mechanism for userspace to update GCSPR_EL0 will do a GCS > memory access so providing guard pages have been allocated wrapping to a > different stack will be prevented. > > We would need a syscall to allow GCSPR_EL0 to be written. Good point, I thought I must be missing something. -- Catalin