Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote:
> >    
> > +     /*
> > +      * When a page becomes COW it changes from a shadow stack
> > permission
> > +      * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1),
> > which is simply
> > +      * read-only to the CPU. When shadow stack is enabled, a RET
> > would
> > +      * normally pop the shadow stack by reading it with a "shadow
> > stack
> > +      * read" access. However, in the COW case the shadow stack
> > memory does
> > +      * not have shadow stack permissions, it is read-only. So it
> > will
> > +      * generate a fault.
> > +      *
> > +      * For conventionally writable pages, a read can be serviced
> > with a
> > +      * read only PTE, and COW would not have to happen. But for
> > shadow
> > +      * stack, there isn't the concept of read-only shadow stack
> > memory.
> > +      * If it is shadow stack permission, it can be modified via
> > CALL and
> > +      * RET instructions. So COW needs to happen before any memory
> > can be
> > +      * mapped with shadow stack permissions.
> > +      *
> > +      * Shadow stack accesses (read or write) need to be serviced
> > with
> > +      * shadow stack permission memory, so in the case of a shadow
> > stack
> > +      * read access, treat it as a WRITE fault so both COW will
> > happen and
> > +      * the write fault path will tickle maybe_mkwrite() and map
> > the memory
> > +      * shadow stack.
> > +      */
> 
> Again, I suggest dropping all details about COW from this comment
> and 
> from the patch description. It's just one such case that can happen.

Hi David,

I was just trying to edit this one to drop COW details, but I think in
this case, one of the major reasons for the code *is* actually COW. We
are not working around the whole inadvertent shadow stack memory piece
here, but something else: Making sure shadow stack memory is faulted in
and doing COW if required to make this possible. I came up with this,
does it seem better?


/*
 * For conventionally writable pages, a read can be serviced with a
 *
read only PTE. But for shadow stack, there isn't a concept of
 * read-
only shadow stack memory. If it a PTE has the shadow stack
 *
permission, it can be modified via CALL and RET instructions. So
 * core
MM needs to fault in a writable PTE and do things it already
 * does for
write faults.
 *
 * Shadow stack accesses (read or write) need to be
serviced with
 * shadow stack permission memory, so in the case of a
shadow stack
 * read access, treat it as a WRITE fault so both any
required COW will
 * happen and the write fault path will tickle
maybe_mkwrite() and map
 * the memory shadow stack.
 */



Thanks,
Rick





[Index of Archives]     [Linux Kernel]     [Kernel Newbies]     [x86 Platform Driver]     [Netdev]     [Linux Wireless]     [Netfilter]     [Bugtraq]     [Linux Filesystems]     [Yosemite Discussion]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]

  Powered by Linux