Re: [RFC][PATCH v2 21/21] x86/pti: Use a different stack canary with the user and kernel page-table

[Alexandre Chartre]

On 11/16/20 5:56 PM, Andy Lutomirski wrote:
> On Mon, Nov 16, 2020 at 6:48 AM Alexandre Chartre
> <alexandre.chartre@xxxxxxxxxx> wrote:
> > Using stack protector requires the stack canary to be mapped into
> > the current page-table. Now that the page-table switch between the
> > user and kernel page-table is deferred to C code, stack protector can
> > be used while the user page-table is active and so the stack canary
> > is mapped into the user page-table.
> >
> > To prevent leaking the stack canary used with the kernel page-table,
> > use a different canary with the user and kernel page-table. The stack
> > canary is changed when switching the page-table.
>
> Unless I've missed something, this doesn't have the security
> properties we want.  One CPU can be executing with kernel CR3, and
> another CPU can read the stack canary using Meltdown.

I think you are right because we have the mapping to the stack canary in
the user page-table. From userspace, we will only read the user stack canary,
but using Meltdown we can speculatively read the kernel stack canary which
will be stored at the same place.

> I think that doing this safely requires mapping a different page with
> the stack canary in the two pagetables.

Right.

alex.