From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Hansen Subject: Re: [RFC PATCH v2 15/27] mm/mprotect: Prevent mprotect from changing shadow stack Date: Tue, 10 Jul 2018 16:10:08 -0700 Message-ID: <04800c52-1f86-c485-ba7c-2216d8c4966f@linux.intel.com> References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-16-yu-cheng.yu@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: In-Reply-To: <20180710222639.8241-16-yu-cheng.yu@intel.com> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org To: Yu-cheng Yu , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra List-Id: linux-arch.vger.kernel.org On 07/10/2018 03:26 PM, Yu-cheng Yu wrote: > Signed-off-by: Yu-cheng Yu This still needs a changelog, even if you think it's simple. > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -446,6 +446,15 @@ static int do_mprotect_pkey(unsigned long start, size_t len, > error = -ENOMEM; > if (!vma) > goto out; > + > + /* > + * Do not allow changing shadow stack memory. > + */ > + if (vma->vm_flags & VM_SHSTK) { > + error = -EINVAL; > + goto out; > + } > + I think this is a _bit_ draconian. Why shouldn't we be able to use protection keys with a shadow stack? Or, set it to PROT_NONE? From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com ([192.55.52.115]:34085 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732253AbeGJXL3 (ORCPT ); Tue, 10 Jul 2018 19:11:29 -0400 Subject: Re: [RFC PATCH v2 15/27] mm/mprotect: Prevent mprotect from changing shadow stack References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-16-yu-cheng.yu@intel.com> From: Dave Hansen Message-ID: <04800c52-1f86-c485-ba7c-2216d8c4966f@linux.intel.com> Date: Tue, 10 Jul 2018 16:10:08 -0700 MIME-Version: 1.0 In-Reply-To: <20180710222639.8241-16-yu-cheng.yu@intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Yu-cheng Yu , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , "Ravi V. Shankar" , Vedvyas Shanbhogue Message-ID: <20180710231008.pPAFTuzslCb7ERsUGeM0c8cZ3f1qYxmplIUfyzX69w8@z> On 07/10/2018 03:26 PM, Yu-cheng Yu wrote: > Signed-off-by: Yu-cheng Yu This still needs a changelog, even if you think it's simple. > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -446,6 +446,15 @@ static int do_mprotect_pkey(unsigned long start, size_t len, > error = -ENOMEM; > if (!vma) > goto out; > + > + /* > + * Do not allow changing shadow stack memory. > + */ > + if (vma->vm_flags & VM_SHSTK) { > + error = -EINVAL; > + goto out; > + } > + I think this is a _bit_ draconian. Why shouldn't we be able to use protection keys with a shadow stack? Or, set it to PROT_NONE?