On Thu, Jan 19, 2023 at 01:22:50PM -0800, Rick Edgecombe wrote:
> From: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
>
> When shadow stack is in use, Write=0,Dirty=1 PTEs are preserved for
> shadow stack. Copy-on-write PTEs then have Write=0,Cow=1.
>
> When a PTE goes from Write=1,Dirty=1 to Write=0,Cow=1, it could
> become a transient shadow stack PTE in two cases:
>
> 1. Some processors can start a write but end up seeing a Write=0 PTE by
>    the time they get to the Dirty bit, creating a transient shadow stack
>    PTE. However, this will not occur on processors supporting shadow
>    stack, and a TLB flush is not necessary.
>
> 2. When _PAGE_DIRTY is replaced with _PAGE_COW non-atomically, a transient
>    shadow stack PTE can be created as a result. Thus, prevent that with
>    cmpxchg.
>
> In the case of pmdp_set_wrprotect(), for nopmd configs the ->pmd operated
> on does not exist and the logic would need to be different. Although the
> extra functionality will normally be optimized out when user shadow
> stacks are not configured, also exclude it in the preprocessor stage so
> that it will still compile. User shadow stack is not supported there by
> Linux anyway. Leave the cpu_feature_enabled() check so that the
> functionality also gets disabled based on runtime detection of the
> feature.
>
> Similarly, compile it out in ptep_set_wrprotect() due to a clang warning
> on i386. Like above, the code path should get optimized out on i386
> since shadow stack is not supported on 32 bit kernels, but this makes
> the compiler happy.
>
> Dave Hansen, Jann Horn, Andy Lutomirski, and Peter Zijlstra provided many
> insights to the issue. Jann Horn provided the cmpxchg solution.
>
> Tested-by: Pengfei Xu <pengfei.xu@xxxxxxxxx>
> Tested-by: John Allen <john.allen@xxxxxxx>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

-- 
Kees Cook
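The second case in the commit message (a non-atomic Dirty-to-Cow swap briefly leaving a Write=0,Dirty=1 PTE) and the cmpxchg fix, as an added user-space model in C. This is example code written for this page, not the kernel's ptep_set_wrprotect() from the series: the PTE is a plain uint64_t, the Write, Dirty and Accessed bit positions follow the x86 page-table format, the Cow bit position (58) and the names wrprotect_two_stores, wrprotect_cmpxchg, pte_wrprotect_value and set_accessed are assumptions of the example, and a callback stands in for a concurrent CPU updating the PTE between the load and the cmpxchg.

```c
/* Added example, not kernel code: user-space model of write-protecting a
 * dirty PTE without ever storing the Write=0,Dirty=1 (shadow stack) encoding. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pte_t;

#define PTE_PRESENT  (1ULL << 0)   /* x86 Present bit */
#define PTE_WRITE    (1ULL << 1)   /* x86 R/W bit */
#define PTE_ACCESSED (1ULL << 5)   /* x86 Accessed bit, set by hardware */
#define PTE_DIRTY    (1ULL << 6)   /* x86 Dirty bit, set by hardware */
#define PTE_COW      (1ULL << 58)  /* assumption: a software-available bit */

/* Write=0,Dirty=1 on a present PTE is what shadow stack hardware treats
 * as a shadow stack page. */
static bool pte_is_shadow_stack(pte_t pte)
{
    return (pte & PTE_PRESENT) && !(pte & PTE_WRITE) && (pte & PTE_DIRTY);
}

/* The value a write-protected PTE should end up with: Write cleared and,
 * if it was dirty, Dirty moved into Cow in the same value. */
static pte_t pte_wrprotect_value(pte_t old)
{
    pte_t new = old & ~PTE_WRITE;
    if (new & PTE_DIRTY)
        new = (new & ~PTE_DIRTY) | PTE_COW;
    return new;
}

/* Non-atomic variant: clear Write with one store, then move Dirty to Cow
 * with a second store. Every stored value is recorded in observed[] so a
 * caller can see what another CPU could read in between. Returns the
 * number of stores. */
static int wrprotect_two_stores(volatile pte_t *ptep, pte_t observed[2])
{
    pte_t v = *ptep & ~PTE_WRITE;
    *ptep = v;                       /* first store: Write=0, Dirty still 1 */
    observed[0] = v;
    if (!(v & PTE_DIRTY)) {
        observed[1] = v;
        return 1;
    }
    v = (v & ~PTE_DIRTY) | PTE_COW;
    *ptep = v;                       /* second store: Dirty=0, Cow=1 */
    observed[1] = v;
    return 2;
}

/* cmpxchg variant: compute the new value from a snapshot and install it
 * only if the PTE still equals the snapshot; otherwise reload and retry.
 * The single store never contains Write=0,Dirty=1. `interfere` models a
 * concurrent update (NULL for none). Returns the number of retries. */
static int wrprotect_cmpxchg(pte_t *ptep, void (*interfere)(pte_t *))
{
    int retries = 0;
    pte_t old = __atomic_load_n(ptep, __ATOMIC_RELAXED);

    for (;;) {
        pte_t new = pte_wrprotect_value(old);
        if (interfere)
            interfere(ptep);
        /* On failure `old` is refreshed with the current PTE value. */
        if (__atomic_compare_exchange_n(ptep, &old, new, false,
                                        __ATOMIC_ACQ_REL, __ATOMIC_RELAXED))
            return retries;
        retries++;
    }
}

/* Stand-in for hardware setting Accessed behind our back (idempotent, so a
 * second attempt sees an unchanged PTE and the cmpxchg succeeds). */
static void set_accessed(pte_t *ptep)
{
    __atomic_fetch_or(ptep, PTE_ACCESSED, __ATOMIC_RELAXED);
}

int main(void)
{
    pte_t start = PTE_PRESENT | PTE_WRITE | PTE_DIRTY;  /* constructed PTE */
    pte_t obs[2];
    pte_t p = start;

    wrprotect_two_stores(&p, obs);
    printf("two stores: intermediate %#llx shadow-stack=%d, final %#llx\n",
           (unsigned long long)obs[0], pte_is_shadow_stack(obs[0]),
           (unsigned long long)p);

    p = start;
    int r = wrprotect_cmpxchg(&p, set_accessed);
    printf("cmpxchg: final %#llx after %d retry(s)\n",
           (unsigned long long)p, r);
    return 0;
}
```

The two-store sequence is the bug from the commit message: another CPU reading the PTE after the first store sees a shadow stack page. The cmpxchg loop produces the same final value but only ever stores the fully computed one, and retries when something else (here, the Accessed bit) changed the PTE in the meantime, which is what a real page-table walker can do.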