On Tue, Aug 17, 2021, at 1:24 PM, Borislav Petkov wrote: > On Tue, Aug 17, 2021 at 01:13:09PM -0700, Andy Lutomirski wrote: > > > If special kernel code using shadow stack management insns needs > > > to modify a shadow stack, then it can check whether a page is > > > pte/pmd_shstk() but that code is special anyway. > > > > > > Hell, a shadow stack page is (Write=0, Dirty=1) so calling it writable > > > ^^^^^^^ > > > is simply wrong. > > > > But it *is* writable using WRUSS, and it’s also writable by CALL, > > Well, if we have to be precise, CALL doesn't write it directly - it > causes for shadow stack to be written as part of CALL's execution. Yeah > yeah, potato potato. Potahto. > > > WRSS, etc. > > Thus the "special kernel code" thing above. I've left it in instead of > snipping it. > WRSS can be used from user mode depending on the configuration. > > Now if the mm code tries to write protect it and expects sensible > > semantics, the results could be interesting. At the very least, > > someone would need to validate that RET reading a read only shadow > > stack page does the right thing. > > Huh? > > A shadow stack page is RO (W=0). Double-you shmouble-you. You can't write it with MOV, but you can write it from user code and from kernel code. As far as the mm is concerned, I think it should be considered writable. Although... anyone who tries to copy_to_user() it is going to be a bit surprised. Hmm. > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette >
