Re: [PATCH v28 09/32] x86/mm: Introduce _PAGE_COW

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 17, 2021, at 1:24 PM, Borislav Petkov wrote:
> On Tue, Aug 17, 2021 at 01:13:09PM -0700, Andy Lutomirski wrote:
> > > If special kernel code using shadow stack management insns needs
> > > to modify a shadow stack, then it can check whether a page is
> > > pte/pmd_shstk() but that code is special anyway.
> > > 
> > > Hell, a shadow stack page is (Write=0, Dirty=1) so calling it writable
> > >                  ^^^^^^^
> > > is simply wrong.
> > 
> > But it *is* writable using WRUSS, and it’s also writable by CALL,
> 
> Well, if we have to be precise, CALL doesn't write it directly - it
> causes for shadow stack to be written as part of CALL's execution. Yeah
> yeah, potato potato.

Potahto.

> 
> > WRSS, etc.
> 
> Thus the "special kernel code" thing above. I've left it in instead of
> snipping it.
> 

WRSS can be used from user mode depending on the configuration.

> > Now if the mm code tries to write protect it and expects sensible
> > semantics, the results could be interesting. At the very least,
> > someone would need to validate that RET reading a read only shadow
> > stack page does the right thing.
> 
> Huh?
> 
> A shadow stack page is RO (W=0).

Double-you shmouble-you.  You can't write it with MOV, but you can write it from user code and from kernel code.  As far as the mm is concerned, I think it should be considered writable.

Although... anyone who tries to copy_to_user() it is going to be a bit surprised.  Hmm.

> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette
> 




[Index of Archives]     [Linux Kernel]     [Kernel Newbies]     [x86 Platform Driver]     [Netdev]     [Linux Wireless]     [Netfilter]     [Bugtraq]     [Linux Filesystems]     [Yosemite Discussion]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]

  Powered by Linux