On Mon, Oct 03, 2022 at 03:49:18PM -0700, Andy Lutomirski wrote:
> On 10/3/22 11:39, Kees Cook wrote:
> > On Thu, Sep 29, 2022 at 03:29:19PM -0700, Rick Edgecombe wrote:
> > > [...]
> > > Still allow FOLL_FORCE to write through shadow stack protections, as it
> > > does for read-only protections.
> >
> > As I asked in the cover letter: why do we need to add this for shstk? It
> > was a mistake for general memory. :P
>
> For debuggers, which use FOLL_FORCE, quite intentionally, to modify text.
> And once a debugger has ptrace write access to a target, shadow stacks
> provide exactly no protection -- ptrace can modify text and all registers.

i.e. via ptrace? Yeah, I grudgingly accept the ptrace need for FOLL_FORCE.

> But /proc/.../mem may be a different story, and I'd be okay with having
> FOLL_PROC_MEM for legacy compatibility via /proc/.../mem and not allowing
> that to access shadow stacks. This does seem like it may not be very
> useful, though.

I *really* don't like the /mem use of FOLL_FORCE, though. I think the
rationale has been "using PTRACE_POKE is too slow". Again, I can live
with it, I was just hoping we could avoid expanding that questionable
behavior, especially since it's a bypass of WRSS.

-- 
Kees Cook