Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Yu-cheng Yu
Date: Thu Aug 30 2018 - 13:58:44 EST

Next message: Christoph Hellwig: "Re: [RFC 2/3] USB: core: Add non-coherent buffer allocation helpers"
Previous message: Sunil Kovvuri: "Re: [PATCH 11/15] soc: octeontx2: Add Marvell OcteonTX2 CGX driver"
In reply to: Dave Hansen: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Next in thread: Jann Horn: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote:
> On 08/30/2018 10:26 AM, Yu-cheng Yu wrote:
> >
> > We don't have the guard page now, but there is a shadow stack
> > token
> > there, which cannot be used as a return address.
> The overall concern is that we could overflow into a page that we
> did
> not intend.ÂÂEither another actual shadow stack or something that a
> page
> that the attacker constructed, like the transient scenario Jann
> described.
>

A task could go beyond the bottom of its shadow stack by doing either
'ret' or 'incssp'. ÂIf it is the 'ret' case, the token prevents it.
ÂIf it is the 'incssp' case, a guard page cannot prevent it entirely,
right?

Yu-cheng

Next message: Christoph Hellwig: "Re: [RFC 2/3] USB: core: Add non-coherent buffer allocation helpers"
Previous message: Sunil Kovvuri: "Re: [PATCH 11/15] soc: octeontx2: Add Marvell OcteonTX2 CGX driver"
In reply to: Dave Hansen: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Next in thread: Jann Horn: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]