From: Catalin Marinas <catalin.marinas@arm.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "dietmar.eggemann@arm.com" <dietmar.eggemann@arm.com>,
"juri.lelli@redhat.com" <juri.lelli@redhat.com>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"shuah@kernel.org" <shuah@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"debug@rivosinc.com" <debug@rivosinc.com>,
"mgorman@suse.de" <mgorman@suse.de>,
"Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"rostedt@goodmis.org" <rostedt@goodmis.org>,
"vincent.guittot@linaro.org" <vincent.guittot@linaro.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"vschneid@redhat.com" <vschneid@redhat.com>,
"kees@kernel.org" <kees@kernel.org>,
"will@kernel.org" <will@kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"jannh@google.com" <jannh@google.com>,
"bp@alien8.de" <bp@alien8.de>,
"bsegall@google.com" <bsegall@google.com>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"broonie@kernel.org" <broonie@kernel.org>,
"x86@kernel.org" <x86@kernel.org>
Subject: Re: [PATCH RFT v8 4/9] fork: Add shadow stack support to clone3()
Date: Fri, 16 Aug 2024 16:38:48 +0100 [thread overview]
Message-ID: <Zr9yiH6DP0IPac-H@arm.com> (raw)
In-Reply-To: <23a8838adda28b03b3db77e135934e2da0599d0f.camel@intel.com>
On Fri, Aug 16, 2024 at 02:52:28PM +0000, Edgecombe, Rick P wrote:
> On Fri, 2024-08-16 at 09:44 +0100, Catalin Marinas wrote:
> > > After a token is consumed normally, it doesn't set it to zero. Instead it
> > > sets it to a "previous-ssp token". I don't think we actually want to do that here
> > > though because it involves the old SSP, which doesn't really apply in this
> > > case. I don't see any problem with zero, but was there any special thinking behind
> > > it?
> >
> > BTW, since it's the parent setting up the shadow stack in its own
> > address space before forking, I think at least the read can avoid
> > access_remote_vm() and we could do it earlier, even before the new
> > process is created.
>
> Hmm. Makes sense. It's a bit racy since the parent could consume that token from
> another thread, but it would be a race in any case.
More on the race below. If we handle it properly, we don't need the
separate checks.
> > > > + if (access_remote_vm(mm, addr, &val, sizeof(val),
> > > > + FOLL_FORCE | FOLL_WRITE) != sizeof(val))
> > > > + goto out;
> > >
> > > The GUPs still seem a bit unfortunate for a couple reasons:
> > > - We could do a CMPXCHG version and are just not (I see ARM has identical
> > > code in gcs_consume_token()). It's not the only race like this though FWIW.
> > > - I *think* this is the only unprivileged FOLL_FORCE that can write to the
> > > current process in the kernel. As is, it could be used on normal RO
> > > mappings, at
> > > least in a limited way. Maybe another point for the VMA check. We'd want to
> > > check that it is normal shadow stack?
> > > - Lingering doubts about the wisdom of doing GUPs during task creation.
> >
> > I don't like the access_remote_vm() either. In the common (practically
> > only) case with CLONE_VM, the mm is actually current->mm, so no need for
> > a GUP.
>
> On the x86 side, we don't have a shadow stack access CMPXCHG. We will have to
> GUP and do a normal CMPXCHG off of the direct map to handle it fully properly in
> any case (CLONE_VM or not).
I guess we could do the same here and for the arm64 gcs_consume_token().
Basically get_user_page_vma_remote() gives us the page together with the
vma that you mentioned needs checking. We can then do a cmpxchg directly
on the page_address(). It's probably faster anyway than doing GUP twice.
--
Catalin
next prev parent reply other threads:[~2024-08-16 15:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-08 8:15 [PATCH RFT v8 0/9] fork: Support shadow stacks in clone3() Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 1/9] Documentation: userspace-api: Add shadow stack API documentation Mark Brown
2024-08-14 10:40 ` Catalin Marinas
2024-08-08 8:15 ` [PATCH RFT v8 2/9] selftests: Provide helper header for shadow stack testing Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 3/9] mm: Introduce ARCH_HAS_USER_SHADOW_STACK Mark Brown
2024-08-14 10:41 ` Catalin Marinas
2024-08-08 8:15 ` [PATCH RFT v8 4/9] fork: Add shadow stack support to clone3() Mark Brown
2024-08-09 18:19 ` Catalin Marinas
2024-08-09 23:06 ` Mark Brown
2024-08-13 16:25 ` Catalin Marinas
2024-08-13 18:58 ` Mark Brown
2024-08-14 9:38 ` Catalin Marinas
2024-08-14 13:20 ` Mark Brown
2024-08-15 0:18 ` Edgecombe, Rick P
2024-08-15 14:24 ` Mark Brown
2024-08-16 8:44 ` Catalin Marinas
2024-08-16 10:51 ` Mark Brown
2024-08-16 15:29 ` Catalin Marinas
2024-08-16 15:46 ` Mark Brown
2024-08-16 14:52 ` Edgecombe, Rick P
2024-08-16 15:30 ` Mark Brown
2024-08-16 15:38 ` Catalin Marinas [this message]
2024-08-16 17:06 ` Mark Brown
2024-08-16 17:08 ` Jann Horn
2024-08-16 17:17 ` Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 5/9] selftests/clone3: Remove redundant flushes of output streams Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 6/9] selftests/clone3: Factor more of main loop into test_clone3() Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 7/9] selftests/clone3: Explicitly handle child exits due to signals Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 8/9] selftests/clone3: Allow tests to flag if -E2BIG is a valid error code Mark Brown
2024-08-08 8:15 ` [PATCH RFT v8 9/9] selftests/clone3: Test shadow stack support Mark Brown
2024-08-08 17:54 ` [PATCH RFT v8 0/9] fork: Support shadow stacks in clone3() Kees Cook
2024-08-15 0:19 ` Edgecombe, Rick P
2024-08-16 15:52 ` Jann Horn
2024-08-16 16:19 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zr9yiH6DP0IPac-H@arm.com \
--to=catalin.marinas@arm.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=bsegall@google.com \
--cc=dave.hansen@linux.intel.com \
--cc=debug@rivosinc.com \
--cc=dietmar.eggemann@arm.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=juri.lelli@redhat.com \
--cc=kees@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mgorman@suse.de \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rostedt@goodmis.org \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=vincent.guittot@linaro.org \
--cc=vschneid@redhat.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.