[PATCH 1/2] arch/x86: do not allow unlock to set bits
From: Bill Roberts
Date: Mon Jun 15 2026 - 15:53:43 EST
Currently, the code for handling arch_prctl for shadow stack operations
is written to exit early on all operations but enable. However, the
check for ARCH_SHSTK_UNLOCK is gated on a check for task != current,
which means that if current == task, ARCH_SHSTK_UNLOCK can be used to
set feature bits by virtue of skipping that check.

This seems not as intended, and the check should first check that the
operation is ARCH_SHSTK_UNLOCK and then check the task status to
determine the error code.

Signed-off-by: Bill Roberts <bill.roberts@xxxxxxx>
---
arch/x86/kernel/shstk.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 0ca64900192f..664167f94acd 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -583,12 +583,13 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long arg2)
}
/* Only allow via ptrace */
- if (task != current) {
- if (option == ARCH_SHSTK_UNLOCK && IS_ENABLED(CONFIG_CHECKPOINT_RESTORE)) {
- task->thread.features_locked &= ~features;
- return 0;
- }
- return -EINVAL;
+ if (option == ARCH_SHSTK_UNLOCK) {
+ if (task == current)
+ return -EPERM;
+ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE))
+ return -EINVAL;
+ task->thread.features_locked &= ~features;
+ return 0;
}
/* Do not allow to change locked features */
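Review bot: dropping the `task != current` guard lets a ptracer issue ARCH_SHSTK_ENABLE, ARCH_SHSTK_DISABLE or ARCH_SHSTK_LOCK against another task: in the removed code every option other than ARCH_SHSTK_UNLOCK on a non-current task hit `return -EINVAL;`, but the new block handles only the unlock path, so every other option on a foreign task now falls through to the `/* Do not allow to change locked features */` check and the rest of shstk_prctl(). Keep the rejection for the remaining options, e.g. `if (task != current) return -EINVAL;` directly after the new unlock block. Two smaller points: the `/* Only allow via ptrace */` comment now sits above a branch that also handles the self-call, so it should state the new rule (unlock is ptrace-only, everything else is self-only), and a self-call with ARCH_SHSTK_UNLOCK now returns -EPERM where it previously fell through, a userspace-visible change the commit message should mention.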
--
2.54.0