From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yu-cheng Yu Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) Date: Tue, 26 Jun 2018 07:56:57 -0700 Message-ID: <1530025017.27091.1.camel@intel.com> References: <20180607143807.3611-1-yu-cheng.yu@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Andy Lutomirski , Linux API , Jann Horn , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com List-Id: linux-api@vger.kernel.org On Mon, 2018-06-25 at 22:26 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu > wrote: > > > > > > This series introduces CET - Shadow stack > I think you should add some mitigation against sigreturn-oriented > programming.  How about creating some special token on the shadow > stack that indicates the presence of a signal frame at a particular > address when delivering a signal and verifying and popping that token > in sigreturn?  The token could be literally the address of the signal > frame, and you could make this unambiguous by failing sigreturn if > CET > is on and the signal frame is in executable memory. > > IOW, it would be a shame if sigreturn() itself became a convenient > CET-bypassing gadget. > > --Andy I will look into that. Thanks, Yu-cheng From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on archive.lwn.net X-Spam-Level: X-Spam-Status: No, score=-5.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham autolearn_force=no version=3.4.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by archive.lwn.net (Postfix) with ESMTP id BE8D67D043 for ; Tue, 26 Jun 2018 15:00:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751827AbeFZPAa (ORCPT ); Tue, 26 Jun 2018 11:00:30 -0400 Received: from mga01.intel.com ([192.55.52.88]:38081 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751796AbeFZPA2 (ORCPT ); Tue, 26 Jun 2018 11:00:28 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jun 2018 08:00:28 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,274,1526367600"; d="scan'208";a="60298635" Received: from 2b52.sc.intel.com ([143.183.136.147]) by FMSMGA003.fm.intel.com with ESMTP; 26 Jun 2018 08:00:28 -0700 Message-ID: <1530025017.27091.1.camel@intel.com> Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) From: Yu-cheng Yu To: Andy Lutomirski , Linux API , Jann Horn , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Date: Tue, 26 Jun 2018 07:56:57 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org On Mon, 2018-06-25 at 22:26 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu > wrote: > > > > > > This series introduces CET - Shadow stack > I think you should add some mitigation against sigreturn-oriented > programming.  How about creating some special token on the shadow > stack that indicates the presence of a signal frame at a particular > address when delivering a signal and verifying and popping that token > in sigreturn?  The token could be literally the address of the signal > frame, and you could make this unambiguous by failing sigreturn if > CET > is on and the signal frame is in executable memory. > > IOW, it would be a shame if sigreturn() itself became a convenient > CET-bypassing gadget. > > --Andy I will look into that. Thanks, Yu-cheng -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f197.google.com (mail-pf0-f197.google.com [209.85.192.197]) by kanga.kvack.org (Postfix) with ESMTP id CD7BF6B000A for ; Tue, 26 Jun 2018 11:00:29 -0400 (EDT) Received: by mail-pf0-f197.google.com with SMTP id l2-v6so8916154pff.3 for ; Tue, 26 Jun 2018 08:00:29 -0700 (PDT) Received: from mga11.intel.com (mga11.intel.com. [192.55.52.93]) by mx.google.com with ESMTPS id q13-v6si1879756plr.220.2018.06.26.08.00.28 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Jun 2018 08:00:28 -0700 (PDT) Message-ID: <1530025017.27091.1.camel@intel.com> Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) From: Yu-cheng Yu Date: Tue, 26 Jun 2018 07:56:57 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski , Linux API , Jann Horn , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com On Mon, 2018-06-25 at 22:26 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu > wrote: > > > > > > This series introduces CET - Shadow stack > I think you should add some mitigation against sigreturn-oriented > programming.A A How about creating some special token on the shadow > stack that indicates the presence of a signal frame at a particular > address when delivering a signal and verifying and popping that token > in sigreturn?A A The token could be literally the address of the signal > frame, and you could make this unambiguous by failing sigreturn if > CET > is on and the signal frame is in executable memory. > > IOW, it would be a shame if sigreturn() itself became a convenient > CET-bypassing gadget. > > --Andy I will look into that. Thanks, Yu-cheng