Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23.02.23 00:07, Edgecombe, Rick P wrote:
On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote:
+ /*
+      * When a page becomes COW it changes from a shadow stack
permission
+      * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1),
which is simply
+      * read-only to the CPU. When shadow stack is enabled, a RET
would
+      * normally pop the shadow stack by reading it with a "shadow
stack
+      * read" access. However, in the COW case the shadow stack
memory does
+      * not have shadow stack permissions, it is read-only. So it
will
+      * generate a fault.
+      *
+      * For conventionally writable pages, a read can be serviced
with a
+      * read only PTE, and COW would not have to happen. But for
shadow
+      * stack, there isn't the concept of read-only shadow stack
memory.
+      * If it is shadow stack permission, it can be modified via
CALL and
+      * RET instructions. So COW needs to happen before any memory
can be
+      * mapped with shadow stack permissions.
+      *
+      * Shadow stack accesses (read or write) need to be serviced
with
+      * shadow stack permission memory, so in the case of a shadow
stack
+      * read access, treat it as a WRITE fault so both COW will
happen and
+      * the write fault path will tickle maybe_mkwrite() and map
the memory
+      * shadow stack.
+      */

Again, I suggest dropping all details about COW from this comment
and
from the patch description. It's just one such case that can happen.

Hi David,

Hi Rick,


I was just trying to edit this one to drop COW details, but I think in
this case, one of the major reasons for the code *is* actually COW. We
are not working around the whole inadvertent shadow stack memory piece
here, but something else: Making sure shadow stack memory is faulted in
and doing COW if required to make this possible. I came up with this,
does it seem better?

Regarding the fault handling I completely agree. We have to treat a read like a write event. And as read-only shadow stack PTEs don't exist, we have to tell the MM to create a writable one for us.



/*
  * For conventionally writable pages, a read can be serviced with a
  *
read only PTE. But for shadow stack, there isn't a concept of
  * read-
only shadow stack memory. If it a PTE has the shadow stack
  *
permission, it can be modified via CALL and RET instructions. So
  * core
MM needs to fault in a writable PTE and do things it already
  * does for
write faults.
  *
  * Shadow stack accesses (read or write) need to be
serviced with
  * shadow stack permission memory, so in the case of a
shadow stack
  * read access, treat it as a WRITE fault so both any
required COW will
  * happen and the write fault path will tickle
maybe_mkwrite() and map
  * the memory shadow stack.
  */

That sounds good! I'd rewrite the last part slightly.

"
Shadow stack accesses (read or write) need to be serviced with
shadow stack permission memory, which always include write permissions. So in the case of a shadow stack read access, treat it as a WRITE fault. This will make sure that MM will prepare everything (e.g., break COW) such that maybe_mkwrite() can create a proper shadow stack PTE.
"

--
Thanks,

David / dhildenb





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux