| Message ID | 20200205181935.3712-7-yu-cheng.yu@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Control-flow Enforcement: Shadow Stack | expand |
On Wed, Feb 05, 2020 at 10:19:14AM -0800, Yu-cheng Yu wrote: > A Shadow Stack (SHSTK) PTE must be read-only and have _PAGE_DIRTY set. > However, read-only and Dirty PTEs also exist for copy-on-write (COW) pages. > These two cases are handled differently for page faults and a new VM flag > is necessary for tracking SHSTK VMAs. > > v9: > - Add VM_SHSTK case to arch_vma_name(). > - Revise the commit log to explain why a new VM flag is needed. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > arch/x86/mm/mmap.c | 2 ++ > fs/proc/task_mmu.c | 3 +++ > include/linux/mm.h | 8 ++++++++ > 3 files changed, 13 insertions(+) > > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c > index aae9a933dfd4..482813b4c659 100644 > --- a/arch/x86/mm/mmap.c > +++ b/arch/x86/mm/mmap.c > @@ -165,6 +165,8 @@ const char *arch_vma_name(struct vm_area_struct *vma) > { > if (vma->vm_flags & VM_MPX) > return "[mpx]"; > + else if (vma->vm_flags & VM_SHSTK) > + return "[shadow stack]"; > return NULL; > } > > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > index 9442631fd4af..590b58ee008a 100644 > --- a/fs/proc/task_mmu.c > +++ b/fs/proc/task_mmu.c > @@ -687,6 +687,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma) > [ilog2(VM_PKEY_BIT4)] = "", > #endif > #endif /* CONFIG_ARCH_HAS_PKEYS */ > +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER > + [ilog2(VM_SHSTK)] = "ss", > +#endif > }; > size_t i; > > diff --git a/include/linux/mm.h b/include/linux/mm.h > index cfaa8feecfe8..b5145fbe102e 100644 > --- a/include/linux/mm.h > +++ b/include/linux/mm.h > @@ -298,11 +298,13 @@ extern unsigned int kobjsize(const void *objp); > #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64-bit architectures */ > +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) > #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) > #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) > #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) > #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) > +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) > #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ > > #ifdef CONFIG_ARCH_HAS_PKEYS > @@ -340,6 +342,12 @@ extern unsigned int kobjsize(const void *objp); > # define VM_MPX VM_NONE > #endif > > +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER > +# define VM_SHSTK VM_HIGH_ARCH_5 > +#else > +# define VM_SHSTK VM_NONE > +#endif > + > #ifndef VM_GROWSUP > # define VM_GROWSUP VM_NONE > #endif > -- > 2.21.0 >
On 2/5/20 10:19 AM, Yu-cheng Yu wrote: > A Shadow Stack (SHSTK) PTE must be read-only and have _PAGE_DIRTY set. > However, read-only and Dirty PTEs also exist for copy-on-write (COW) pages. > These two cases are handled differently for page faults and a new VM flag > is necessary for tracking SHSTK VMAs. > > v9: > - Add VM_SHSTK case to arch_vma_name(). > - Revise the commit log to explain why a new VM flag is needed. To be honest, a flag is not strictly *needed*. It is certainly convenient and straightforward, but it's far from being truly necessary.
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c index aae9a933dfd4..482813b4c659 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -165,6 +165,8 @@ const char *arch_vma_name(struct vm_area_struct *vma) { if (vma->vm_flags & VM_MPX) return "[mpx]"; + else if (vma->vm_flags & VM_SHSTK) + return "[shadow stack]"; return NULL; } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 9442631fd4af..590b58ee008a 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -687,6 +687,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma) [ilog2(VM_PKEY_BIT4)] = "", #endif #endif /* CONFIG_ARCH_HAS_PKEYS */ +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER + [ilog2(VM_SHSTK)] = "ss", +#endif }; size_t i; diff --git a/include/linux/mm.h b/include/linux/mm.h index cfaa8feecfe8..b5145fbe102e 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -298,11 +298,13 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64-bit architectures */ +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ #ifdef CONFIG_ARCH_HAS_PKEYS @@ -340,6 +342,12 @@ extern unsigned int kobjsize(const void *objp); # define VM_MPX VM_NONE #endif +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER +# define VM_SHSTK VM_HIGH_ARCH_5 +#else +# define VM_SHSTK VM_NONE +#endif + #ifndef VM_GROWSUP # define VM_GROWSUP VM_NONE #endif
A Shadow Stack (SHSTK) PTE must be read-only and have _PAGE_DIRTY set. However, read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These two cases are handled differently for page faults and a new VM flag is necessary for tracking SHSTK VMAs. v9: - Add VM_SHSTK case to arch_vma_name(). - Revise the commit log to explain why a new VM flag is needed. Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> --- arch/x86/mm/mmap.c | 2 ++ fs/proc/task_mmu.c | 3 +++ include/linux/mm.h | 8 ++++++++ 3 files changed, 13 insertions(+)