From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yu-cheng Yu Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) Date: Tue, 26 Jun 2018 07:56:57 -0700 Message-ID: <1530025017.27091.1.camel@intel.com> References: <20180607143807.3611-1-yu-cheng.yu@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Andy Lutomirski , Linux API , Jann Horn , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com List-Id: linux-arch.vger.kernel.org On Mon, 2018-06-25 at 22:26 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu > wrote: > > > > > > This series introduces CET - Shadow stack > I think you should add some mitigation against sigreturn-oriented > programming.  How about creating some special token on the shadow > stack that indicates the presence of a signal frame at a particular > address when delivering a signal and verifying and popping that token > in sigreturn?  The token could be literally the address of the signal > frame, and you could make this unambiguous by failing sigreturn if > CET > is on and the signal frame is in executable memory. > > IOW, it would be a shame if sigreturn() itself became a convenient > CET-bypassing gadget. > > --Andy I will look into that. Thanks, Yu-cheng From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com ([192.55.52.88]:38081 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751796AbeFZPA2 (ORCPT ); Tue, 26 Jun 2018 11:00:28 -0400 Message-ID: <1530025017.27091.1.camel@intel.com> Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) From: Yu-cheng Yu Date: Tue, 26 Jun 2018 07:56:57 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Andy Lutomirski , Linux API , Jann Horn , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Message-ID: <20180626145657.QVxYtJyH6VwMCrNzN7j3alsdRQFMmfB6Gm84OYfxOeg@z> On Mon, 2018-06-25 at 22:26 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu > wrote: > > > > > > This series introduces CET - Shadow stack > I think you should add some mitigation against sigreturn-oriented > programming.  How about creating some special token on the shadow > stack that indicates the presence of a signal frame at a particular > address when delivering a signal and verifying and popping that token > in sigreturn?  The token could be literally the address of the signal > frame, and you could make this unambiguous by failing sigreturn if > CET > is on and the signal frame is in executable memory. > > IOW, it would be a shame if sigreturn() itself became a convenient > CET-bypassing gadget. > > --Andy I will look into that. Thanks, Yu-cheng