On Tue, Mar 16, 2021 at 08:10:49AM -0700, Yu-cheng Yu wrote:
> To deliver a signal, create a shadow stack restore token and put the token
> and the signal restorer address on the shadow stack. For sigreturn, verify
> the token and restore from it the shadow stack pointer.
>
> A shadow stack restore token marks a restore point of the shadow stack, and
> the address in a token must point directly above the token, which is within
> the same shadow stack. This is distinctively different from other pointers
> on the shadow stack; those pointers point to executable code area.
>
> In sigreturn, restoring from a token ensures the target address is the
> location pointed to by the token.
>
> Introduce WRUSS, which is a kernel-mode instruction but writes directly to
> user shadow stack. It is used to construct the user signal stack as
> described above.
>
> Currently there is no systematic facility for extending a signal context.
> Introduce a signal context extension 'struct sc_ext', which is used to save
> shadow stack restore token address and WAIT_ENDBR status. WAIT_ENDBR will
> be introduced later in the Indirect Branch Tracking (IBT) series, but add
> that into sc_ext now to keep the struct stable in case the IBT series is
> applied later.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
>  arch/x86/ia32/ia32_signal.c            |  17 +++
>  arch/x86/include/asm/cet.h             |   8 ++
>  arch/x86/include/asm/fpu/internal.h    |  10 ++
>  arch/x86/include/asm/special_insns.h   |  32 ++++++
>  arch/x86/include/uapi/asm/sigcontext.h |   9 ++
>  arch/x86/kernel/cet.c                  | 152 +++++++++++++++++++++++++
>  arch/x86/kernel/fpu/signal.c           | 100 ++++++++++++++++
>  arch/x86/kernel/signal.c               |  10 ++
>  8 files changed, 338 insertions(+)

The commit message lacks structure in explaining what the problem/missing
functionality is and why this is solved the way it is, with stack tokens.

Here's a good example of how to structure it properly:

https://git.kernel.org/tip/323950a8a98b492ac2fa168e8e4c0becfb4554dd

Also, this patch does a couple of things at once and it needs splitting for
easier review.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
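As an added illustration, not part of the patch or of this thread, here is a small C model of the restore-token rule the quoted commit message describes: a token records the address of the slot directly above it, and sigreturn only restores the shadow stack pointer after checking that the recorded address is inside the same shadow stack and is exactly that adjacent slot. The shadow stack is modelled as a plain array, the token encoding (bit 0 as the 64-bit mode flag, bits 1 and 2 reserved, the rest the 8-byte-aligned restore address) is an assumption made for this model, and every address and return value pushed is constructed; none of the names here come from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a user shadow stack: fixed 8-byte slots, grows down. */
#define SS_SLOTS 16

/* Token encoding assumed for this model (not taken from the patch):
 * bit 0 = 64-bit mode flag, bits 1-2 reserved, bits 3+ = restore SSP. */
#define TOKEN_MODE_64BIT 1ULL
#define TOKEN_RESERVED   6ULL
#define TOKEN_ADDR_MASK  (~7ULL)

struct ss_state {
    uint64_t slots[SS_SLOTS];
    uint64_t *ssp;          /* points at the live top-of-stack slot */
};

enum token_status {
    TOKEN_OK = 0,
    TOKEN_BAD_MODE,         /* mode flag not set */
    TOKEN_RESERVED_SET,     /* reserved bits nonzero */
    TOKEN_OUT_OF_STACK,     /* restore address not within this shadow stack */
    TOKEN_NOT_ADJACENT,     /* restore address is not the slot directly above */
};

static void ss_init(struct ss_state *s)
{
    s->ssp = &s->slots[SS_SLOTS];       /* empty: one past the last slot */
}

static bool ss_push(struct ss_state *s, uint64_t value)
{
    if (s->ssp == &s->slots[0])
        return false;                   /* shadow stack full */
    *--s->ssp = value;
    return true;
}

static bool ss_pop(struct ss_state *s, uint64_t *value)
{
    if (s->ssp == &s->slots[SS_SLOTS])
        return false;                   /* shadow stack empty */
    *value = *s->ssp++;
    return true;
}

/* Create a restore token: it records the address of the slot directly
 * above it, i.e. the ssp in effect before the token itself was pushed. */
static bool ss_push_restore_token(struct ss_state *s)
{
    uint64_t restore_ssp = (uint64_t)(uintptr_t)s->ssp;
    return ss_push(s, restore_ssp | TOKEN_MODE_64BIT);
}

/* Verify the token at token_slot; on TOKEN_OK, *restored is the allowed ssp. */
static enum token_status ss_verify_restore_token(const struct ss_state *s,
                                                 const uint64_t *token_slot,
                                                 uint64_t **restored)
{
    uint64_t token = *token_slot;
    uintptr_t addr = (uintptr_t)(token & TOKEN_ADDR_MASK);
    uintptr_t lo = (uintptr_t)&s->slots[0];
    uintptr_t hi = (uintptr_t)&s->slots[SS_SLOTS];

    if (!(token & TOKEN_MODE_64BIT))
        return TOKEN_BAD_MODE;
    if (token & TOKEN_RESERVED)
        return TOKEN_RESERVED_SET;
    if (addr < lo || addr > hi)
        return TOKEN_OUT_OF_STACK;      /* must be in the same shadow stack */
    if (addr != (uintptr_t)(token_slot + 1))
        return TOKEN_NOT_ADJACENT;      /* must point directly above the token */
    *restored = (uint64_t *)addr;
    return TOKEN_OK;
}

/* Signal delivery then sigreturn as the commit message describes:
 * push token, push restorer address; later pop the restorer, verify the
 * token beneath it and restore ssp. Returns 0 when ssp is back where it was. */
static int demo_signal_roundtrip(void)
{
    struct ss_state ss;
    uint64_t *pre_signal_ssp, *restored, restorer;

    ss_init(&ss);
    ss_push(&ss, 0x401000);             /* constructed return addresses */
    ss_push(&ss, 0x401234);
    pre_signal_ssp = ss.ssp;

    if (!ss_push_restore_token(&ss) || !ss_push(&ss, 0x7fff0000))
        return -1;                      /* constructed restorer address */

    if (!ss_pop(&ss, &restorer))
        return -2;
    if (ss_verify_restore_token(&ss, ss.ssp, &restored) != TOKEN_OK)
        return -3;
    ss.ssp = restored;
    return ss.ssp == pre_signal_ssp ? 0 : -4;
}

/* A token copied to a different slot no longer points directly above
 * itself, so the check rejects it instead of restoring to another depth. */
static enum token_status demo_relocated_token(void)
{
    struct ss_state ss;
    uint64_t *restored;

    ss_init(&ss);
    ss_push(&ss, 0x401000);
    ss_push_restore_token(&ss);         /* genuine token */
    ss_push(&ss, ss.ssp[0]);            /* copy of it one slot lower */
    return ss_verify_restore_token(&ss, ss.ssp, &restored);
}
```

The point of the adjacency check is that a token is only meaningful at the spot where it was created: the verifier derives the restore point from the token's own location and compares, rather than trusting the address the token carries.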