Re: [RFC PATCH 0/2] x86/vsyscall: Tighten vsyscall emulation checks for a #PF fixup

From: Edgecombe, Rick P

Date: Wed Mar 18 2026 - 14:47:55 EST


On Fri, 2026-03-13 at 12:23 -0700, Sohil Mehta wrote:
>   X86_PF_SHSTK: I am not sure if we can have a vsyscall page access
> that results in X86_PF_SHSTK set but doesn't have X86_PF_WRITE with
> it. If we cannot, the current checks in emulate_vsyscall_pf() will
> already reject emulation.

There are shadow stack read accesses. This would be pretty hard to make
happen to the vsyscall page though. I think it might be impossible.
Ptrace should reject kernel addresses for the SSP. And I don't know how
else you could get the SSP pointed at it. There is the WRSS instruction,
but that only generates writes.

It is probably fair to say userspace will not care about the case.