Re: [PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On January 25, 2023 1:29:20 AM PST, David Hildenbrand <david@xxxxxxxxxx> wrote:
>On 25.01.23 00:41, Edgecombe, Rick P wrote:
>> On Tue, 2023-01-24 at 15:08 -0800, Kees Cook wrote:
>>>> GDB support for shadow stack is queued up for whenever the kernel
>>>> interface settles. I believe it just uses ptrace, and not this
>>>> proc.
>>>> But yea ptrace poke will still need to use FOLL_FORCE and be able
>>>> to
>>>> write through shadow stacks.
>>> 
>>> I'd prefer to avoid adding more FOLL_FORCE if we can. If gdb can do
>>> stack manipulations through a ptrace interface then let's leave off
>>> FOLL_FORCE.
>> 
>> Ptrace and /proc/self/mem both use FOLL_FORCE. I think ptrace will
>> always need it or something like it for debugging.
>> 
>> To jog your memory, this series doesn't change what uses FOLL_FORCE. It
>> just sets the shadow stack rules to be the same as read-only memory. So
>> even though shadow stack memory is sort of writable, it's a bit more
>> locked down and FOLL_FORCE is required to write to it with GUP.
>> 
>> If we just remove FOLL_FORCE from /proc/self/mem, something will
>> probably break right? How do we do this? Some sort of opt-in?
>
>I don't think removing that is an option. It's another debug interface that has been allowing such access for ever ...
>
>Blocking /proc/self/mem access completely for selected processes might be the better alternative.
>

Yeah, this would be nice. Kind of like being undumpable or no_new_privs.



-- 
Kees Cook





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux