On Fri, May 03, 2024 at 07:38:18PM +0000, Edgecombe, Rick P wrote: > +Some more shadow stack folks from other archs. We are discussing how uretprobes > work with shadow stack. > > Context: > https://lore.kernel.org/lkml/ZjU4ganRF1Cbiug6@krava/ > > On Fri, 2024-05-03 at 21:18 +0200, Jiri Olsa wrote: > > > > hack below seems to fix it for the current uprobe setup, > > we need similar fix for the uretprobe syscall trampoline setup > > It seems like a reasonable direction. > > Security-wise, applications cannot do this on themselves, or it is an otherwise > privileged thing right? when uretprobe is created, kernel overwrites the return address on user stack to point to user space trampoline, so the setup is in kernel hands with the hack below on top of this patchset I'm no longer seeing shadow stack app crash on uretprobe.. I'll try to polish it and send out next week, any suggestions are welcome ;-) thanks, jirka --- diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h index 42fee8959df7..d374305a6851 100644 --- a/arch/x86/include/asm/shstk.h +++ b/arch/x86/include/asm/shstk.h @@ -21,6 +21,8 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *p, unsigned long clon void shstk_free(struct task_struct *p); int setup_signal_shadow_stack(struct ksignal *ksig); int restore_signal_shadow_stack(void); +void uprobe_change_stack(unsigned long addr); +void uprobe_push_stack(unsigned long addr); #else static inline long shstk_prctl(struct task_struct *task, int option, unsigned long arg2) { return -EINVAL; } diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 59e15dd8d0f8..804c446231d9 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -577,3 +577,24 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long arg2) return wrss_control(true); return -EINVAL; } + +void uprobe_change_stack(unsigned long addr) +{ + unsigned long ssp; + + ssp = get_user_shstk_addr(); + write_user_shstk_64((u64 __user *)ssp, (u64)addr); +} + +void uprobe_push_stack(unsigned long addr) +{ + unsigned long ssp; + + ssp = get_user_shstk_addr(); + ssp -= SS_FRAME_SIZE; + write_user_shstk_64((u64 __user *)ssp, (u64)addr); + + fpregs_lock_and_load(); + wrmsrl(MSR_IA32_PL3_SSP, ssp); + fpregs_unlock(); +} diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c index 81e6ee95784d..259457838020 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -416,6 +416,7 @@ SYSCALL_DEFINE0(uretprobe) regs->r11 = regs->flags; regs->cx = regs->ip; + uprobe_push_stack(r11_cx_ax[2]); return regs->ax; sigill: @@ -1191,8 +1192,10 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs return orig_ret_vaddr; nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize); - if (likely(!nleft)) + if (likely(!nleft)) { + uprobe_change_stack(trampoline_vaddr); return orig_ret_vaddr; + } if (nleft != rasize) { pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n",