Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Jann Horn
Date: Thu Aug 30 2018 - 14:00:02 EST


On Thu, Aug 30, 2018 at 7:58 PM Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> wrote:
>
> On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote:
> > On 08/30/2018 10:26 AM, Yu-cheng Yu wrote:
> > >
> > > We don't have the guard page now, but there is a shadow stack
> > > token
> > > there, which cannot be used as a return address.
> > The overall concern is that we could overflow into a page that we
> > did
> > not intend. Either another actual shadow stack or something that a
> > page
> > that the attacker constructed, like the transient scenario Jann
> > described.
> >
>
> A task could go beyond the bottom of its shadow stack by doing either
> 'ret' or 'incssp'. If it is the 'ret' case, the token prevents it.
> If it is the 'incssp' case, a guard page cannot prevent it entirely,
> right?

I mean the other direction, on "call".