Re: [RFC PATCH 0/2] x86/vsyscall: Tighten vsyscall emulation checks for a #PF fixup

From: Sohil Mehta

Date: Thu Mar 19 2026 - 14:32:24 EST


On 3/18/2026 11:47 AM, Edgecombe, Rick P wrote:
> On Fri, 2026-03-13 at 12:23 -0700, Sohil Mehta wrote:
>>   X86_PF_SHSTK: I am not sure if we can have a vsyscall page access
>> that results in X86_PF_SHSTK set but doesn't have X86_PF_WRITE with
>> it. If we cannot, the current checks in emulate_vsyscall_pf() will
>> already reject emulation.
>
> There are shadow stack read accesses. This would be pretty hard to make
> happen to the vsyscall page though. I think it might be impossible.
> Ptrace should reject kernel addresses for the SSP. And I don't know how
> else you could get the SSP pointed at it. There is the WRSS instruction,
> but that only generates writes.
>
> It is probably fair to say userspace will not care about the case.
>

Thanks for the insight. As userspace wouldn't care, and the cost of
adding the X86_PF_SHSTK check is almost zero, I'll keep the X86_PF_SHSTK
check in patch 2.

For the next version, I will combine patches 1 and 2 as they are
essentially doing similar things. I am still unsure about X86_PF_SGX and
X86_PF_RMP. Unless someone with knowledge chimes in, I'll leave them out
of the checks for now.