On Mon, Oct 28, 2019 at 04:35:33PM +0000, Mark Rutland wrote: > On Fri, Oct 25, 2019 at 01:49:21PM -0700, Sami Tolvanen wrote: > > To keep the address of the currently active shadow stack out of > > memory, the arm64 implementation clears this field when it loads x18 > > and saves the current value before a context switch. The generic code > > doesn't expect the arch code to necessarily do so, but does allow it. > > This requires us to use __scs_base() when accessing the base pointer > > and to reset it in idle tasks before they're reused, hence > > scs_task_reset(). > > Ok. That'd be worth a comment somewhere, since it adds a number of > things which would otherwise be unnecessary. > > IIUC this assumes an adversary who knows the address of a task's > thread_info, and has an arbitrary-read (to extract the SCS base from > thead_info) and an arbitrary-write (to modify the SCS area). > > Assuming that's the case, I don't think this buys much. If said > adversary controls two userspace threads A and B, they only need to wait > until A is context-switched out or in userspace, and read A's SCS base > using B. > > Given that, I'd rather always store the SCS base in the thread_info, and > simplify the rest of the code manipulating it. I'd like to keep this as-is since it provides a temporal protection. Having arbitrary kernel read and write at arbitrary time is a very powerful attack primitive, and is, IMO, not very common. Many attacks tend to be chains of bugs that give attackers narrow visibility in to the kernel at specific moments. I would say this design is more about stopping "current" from dumping thread_info (as there are many more opportunities for current to see its own thread_info compared to arbitrary addresses or another task's thread_info). As such, I think it's a reasonable precaution to take. -- Kees Cook
