diff for duplicates of <1535660494.28258.36.camel@intel.com> diff --git a/a/content_digest b/N1/content_digest index e8a0e7f..1c7e86e 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -33,7 +33,10 @@ Mike Kravetz <mike.kravetz@oracle.com> Nadav Amit <nadav.amit@gmail.com> Oleg Nesterov <oleg@redhat.com> - " Pavel Machek <pave>\0" + Pavel Machek <pavel@ucw.cz> + Peter Zijlstra <peterz@infradead.org> + ravi.v.shankar@intel.com + " vedvyas.shanbhogue@intel.com\0" "\00:1\0" "b\0" "On Thu, 2018-08-30 at 19:59 +0200, Jann Horn wrote:\n" @@ -76,4 +79,4 @@ "recursive calls in B, move ssp to the end of the guard page, and\n" "trigger the same again? \302\240He can simply take the incssp route." -ed7e0f858826d094229464adfd787b272b020e0a9be3dd07a169f85589fe3c2a +16aad8cbf6a471cf9855031c4afde1cd87b4bf4cc7ea96b443deed95ad47e614
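Review bot: the `-` side of the `@@ -33,7 +33,10 @@` content_digest hunk carries a truncated, quoted recipient entry, `" Pavel Machek <pave>\0"`, while the `+` side restores the full address `Pavel Machek <pavel@ucw.cz>` and adds three further recipients (Peter Zijlstra, ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com), so copy `a` is the damaged one and N1 the more complete copy; the digest change in the `@@ -76,4 +79,4 @@` hunk follows from that recipient-list difference alone, since this diff touches no body text. If a canonical copy of this message has to be chosen, N1 is the one to keep.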
diff --git a/a/1.txt b/N2/1.txt index b5c5257..19abf06 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -14,7 +14,7 @@ On Thu, 2018-08-30 at 19:59 +0200, Jann Horn wrote: > > > The overall concern is that we could overflow into a page that > > > we > > > did -> > > not intend. Either another actual shadow stack or something +> > > not intend.A A Either another actual shadow stack or something > > > that a > > > page > > > that the attacker constructed, like the transient scenario Jann @@ -22,18 +22,18 @@ On Thu, 2018-08-30 at 19:59 +0200, Jann Horn wrote: > > > > > A task could go beyond the bottom of its shadow stack by doing > > either -> > 'ret' or 'incssp'. If it is the 'ret' case, the token prevents +> > 'ret' or 'incssp'.A A If it is the 'ret' case, the token prevents > > it. -> > If it is the 'incssp' case, a guard page cannot prevent it +> > A If it is the 'incssp' case, a guard page cannot prevent it > > entirely, > > right? > I mean the other direction, on "call". In the flow you described, if C writes to the overflow page before B -gets in with a 'call', the return address is still correct for B. To -make an attack, C needs to write again before the TLB flush. I agree +gets in with a 'call', the return address is still correct for B. A To +make an attack, C needs to write again before the TLB flush. A I agree that is possible. Assume we have a guard page, can someone in the short window do recursive calls in B, move ssp to the end of the guard page, and -trigger the same again? He can simply take the incssp route. +trigger the same again? A He can simply take the incssp route. diff --git a/a/content_digest b/N2/content_digest index e8a0e7f..621146d 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -33,7 +33,10 @@ Mike Kravetz <mike.kravetz@oracle.com> Nadav Amit <nadav.amit@gmail.com> Oleg Nesterov <oleg@redhat.com> - " Pavel Machek <pave>\0" + Pavel Machek <pavel@ucw.cz> + Peter Zijlstra <peterz@infradead.org> + ravi.v.shankar@intel.com + " vedvyas.shanbhogue@intel.com\0" "\00:1\0" "b\0" "On Thu, 2018-08-30 at 19:59 +0200, Jann Horn wrote:\n" @@ -52,7 +55,7 @@ "> > > The overall concern is that we could overflow into a page that\n" "> > > we\n" "> > > did\n" - "> > > not intend.\302\240\302\240Either another actual shadow stack or something\n" + "> > > not intend.A A Either another actual shadow stack or something\n" "> > > that a\n" "> > > page\n" "> > > that the attacker constructed, like the transient scenario Jann\n" 
@@ -60,20 +63,20 @@ "> > > \n" "> > A task could go beyond the bottom of its shadow stack by doing\n" "> > either\n" - "> > 'ret' or 'incssp'.\302\240\302\240If it is the 'ret' case, the token prevents\n" + "> > 'ret' or 'incssp'.A A If it is the 'ret' case, the token prevents\n" "> > it.\n" - "> > \302\240If it is the 'incssp' case, a guard page cannot prevent it\n" + "> > A If it is the 'incssp' case, a guard page cannot prevent it\n" "> > entirely,\n" "> > right?\n" "> I mean the other direction, on \"call\".\n" "\n" "In the flow you described, if C writes to the overflow page before B\n" - "gets in with a 'call', the return address is still correct for B. \302\240To\n" - "make an attack, C needs to write again before the TLB flush. \302\240I agree\n" + "gets in with a 'call', the return address is still correct for B. A To\n" + "make an attack, C needs to write again before the TLB flush. A I agree\n" "that is possible.\n" "\n" "Assume we have a guard page, can someone in the short window do\n" "recursive calls in B, move ssp to the end of the guard page, and\n" - "trigger the same again? \302\240He can simply take the incssp route." + trigger the same again? A He can simply take the incssp route. -ed7e0f858826d094229464adfd787b272b020e0a9be3dd07a169f85589fe3c2a +e88bd625510de03907632d7c2c750108c282fbba0a1358e4b4375a1c7eb21198
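Review bot: the N2 copy shows a character-encoding regression, not a content change. In the content_digest hunks (`@@ -52,7 +55,7 @@` and `@@ -60,20 +63,20 @@`) every `\302\240`, the UTF-8 byte pair 0xC2 0xA0 for a no-break space, becomes `A ` on the `+` side, and the same `A A` / `A ` substitutions appear in the two 1.txt body hunks (`@@ -14,7 +14,7 @@`, `@@ -22,18 +22,18 @@`); that is what a UTF-8 no-break space looks like after a single-byte misdecode with the accent dropped from `Â`. Nothing else in the body differs, so N2 should be treated as the degraded duplicate and `a` retained as the text source; the changed digest reflects only this corruption.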
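Review bot: the final `+` line of the `@@ -60,20 +63,20 @@` content_digest hunk, `+ trigger the same again? A He can simply take the incssp route.`, has lost the double quotes that wrap every other line in this section (its `-` counterpart reads `"trigger the same again? \302\240He can simply take the incssp route."`), so N2's content_digest is not merely re-encoded but structurally inconsistent; a parser of this quoted-line format will treat the last line differently from the rest, which is another reason to discard N2 rather than `a`.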
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.