From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Hansen Subject: Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW Date: Thu, 30 Aug 2018 10:33:34 -0700 Message-ID: <33d45a12-513c-eba2-a2de-3d6b630e928e@linux.intel.com> References: <20180830143904.3168-1-yu-cheng.yu@intel.com> <20180830143904.3168-13-yu-cheng.yu@intel.com> <079a55f2-4654-4adf-a6ef-6e480b594a2f@linux.intel.com> <1535649960.26689.15.camel@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: In-Reply-To: <1535649960.26689.15.camel@intel.com> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org To: Yu-cheng Yu , Jann Horn Cc: the arch/x86 maintainers , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra List-Id: linux-arch.vger.kernel.org On 08/30/2018 10:26 AM, Yu-cheng Yu wrote: > We don't have the guard page now, but there is a shadow stack token > there, which cannot be used as a return address. The overall concern is that we could overflow into a page that we did not intend. Either another actual shadow stack or something that a page that the attacker constructed, like the transient scenario Jann described. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com ([134.134.136.31]:43203 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727475AbeH3Vj3 (ORCPT ); Thu, 30 Aug 2018 17:39:29 -0400 Subject: Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW References: <20180830143904.3168-1-yu-cheng.yu@intel.com> <20180830143904.3168-13-yu-cheng.yu@intel.com> <079a55f2-4654-4adf-a6ef-6e480b594a2f@linux.intel.com> <1535649960.26689.15.camel@intel.com> From: Dave Hansen Message-ID: <33d45a12-513c-eba2-a2de-3d6b630e928e@linux.intel.com> Date: Thu, 30 Aug 2018 10:33:34 -0700 MIME-Version: 1.0 In-Reply-To: <1535649960.26689.15.camel@intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Yu-cheng Yu , Jann Horn Cc: the arch/x86 maintainers , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Message-ID: <20180830173334.hXWY__e9rycdtua20BU3TniNe0fmqy5Yi_6pBq_HAps@z> On 08/30/2018 10:26 AM, Yu-cheng Yu wrote: > We don't have the guard page now, but there is a shadow stack token > there, which cannot be used as a return address. The overall concern is that we could overflow into a page that we did not intend. Either another actual shadow stack or something that a page that the attacker constructed, like the transient scenario Jann described.