Re: [RFC][PATCH v2 11/21] x86/pti: Extend PTI user mappings

From: Thomas Gleixner
Date: Thu Nov 19 2020 - 14:16:18 EST

Next message: pr-tracker-bot: "Re: [GIT PULL] thermal fixes for v5.10-rc5"
Previous message: Will Deacon: "Re: [PATCH v4 2/9] arm64: perf: Enable pmu counter direct access for perf event on armv8"
In reply to: Andy Lutomirski: "Re: [RFC][PATCH v2 11/21] x86/pti: Extend PTI user mappings"
Next in thread: Alexandre Chartre: "[RFC][PATCH v2 17/21] x86/pti: Execute page fault handler on the kernel stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 17 2020 at 09:42, Alexandre Chartre wrote:
> On 11/17/20 12:06 AM, Andy Lutomirski wrote:
> The PTI stack does have guard pages because it maps only a part of the task
> stack into the user page-table, so pages around the PTI stack are not mapped
> into the user-pagetable (the page below is the task stack guard, and the page
> above is part of the kernel-only stack so it's never mapped into the user
> page-table).
>
> + * +-------------+
> + * | | ^ ^
> + * | kernel-only | | KERNEL_STACK_SIZE |
> + * | stack | | |
> + * | | V |
> + * +-------------+ <- top of kernel stack | THREAD_SIZE
> + * | | ^ |
> + * | kernel and | | KERNEL_STACK_SIZE |
> + * | PTI stack | | |
> + * | | V v
> + * +-------------+ <- top of stack

Well, the PTI stack might have guard pages, but the kernel stack can now
underflow into the PTI stack. Not good.

Thanks,

tglx

Next message: pr-tracker-bot: "Re: [GIT PULL] thermal fixes for v5.10-rc5"
Previous message: Will Deacon: "Re: [PATCH v4 2/9] arm64: perf: Enable pmu counter direct access for perf event on armv8"
In reply to: Andy Lutomirski: "Re: [RFC][PATCH v2 11/21] x86/pti: Extend PTI user mappings"
Next in thread: Alexandre Chartre: "[RFC][PATCH v2 17/21] x86/pti: Execute page fault handler on the kernel stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]