Re: [PATCH v2 28/39] x86/cet/shstk: Introduce map_shadow_stack syscall
From: Jason A. Donenfeld
Date: Mon Oct 10 2022 - 10:19:56 EST
On Mon, Oct 10, 2022 at 01:13:05PM +0200, Florian Weimer wrote:
> * Rick Edgecombe:
>
> > When operating with shadow stacks enabled, the kernel will automatically
> > allocate shadow stacks for new threads, however in some cases userspace
> > will need additional shadow stacks. The main example of this is the
> > ucontext family of functions, which require userspace allocating and
> > pivoting to userspace managed stacks.
> >
> > Unlike most other user memory permissions, shadow stacks need to be
> > provisioned with special data in order to be useful. They need to be setup
> > with a restore token so that userspace can pivot to them via the RSTORSSP
> > instruction. But, the security design of shadow stack's is that they
> > should not be written to except in limited circumstances. This presents a
> > problem for userspace, as to how userspace can provision this special
> > data, without allowing for the shadow stack to be generally writable.
> >
> > Previously, a new PROT_SHADOW_STACK was attempted, which could be
> > mprotect()ed from RW permissions after the data was provisioned. This was
> > found to not be secure enough, as other thread's could write to the
> > shadow stack during the writable window.
> >
> > The kernel can use a special instruction, WRUSS, to write directly to
> > userspace shadow stacks. So the solution can be that memory can be mapped
> > as shadow stack permissions from the beginning (never generally writable
> > in userspace), and the kernel itself can write the restore token.
> >
> > First, a new madvise() flag was explored, which could operate on the
> > PROT_SHADOW_STACK memory. This had a couple downsides:
> > 1. Extra checks were needed in mprotect() to prevent writable memory from
> > ever becoming PROT_SHADOW_STACK.
> > 2. Extra checks/vma state were needed in the new madvise() to prevent
> > restore tokens being written into the middle of pre-used shadow stacks.
> > It is ideal to prevent restore tokens being added at arbitrary
> > locations, so the check was to make sure the shadow stack had never been
> > written to.
> > 3. It stood out from the rest of the madvise flags, as more of direct
> > action than a hint at future desired behavior.
> >
> > So rather than repurpose two existing syscalls (mmap, madvise) that don't
> > quite fit, just implement a new map_shadow_stack syscall to allow
> > userspace to map and setup new shadow stacks in one step. While ucontext
> > is the primary motivator, userspace may have other unforeseen reasons to
> > setup it's own shadow stacks using the WRSS instruction. Towards this
> > provide a flag so that stacks can be optionally setup securely for the
> > common case of ucontext without enabling WRSS. Or potentially have the
> > kernel set up the shadow stack in some new way.
> >
> > The following example demonstrates how to create a new shadow stack with
> > map_shadow_stack:
> > void *shstk = map_shadow_stack(adrr, stack_size, SHADOW_STACK_SET_TOKEN);
>
> Jason has recently been working on vDSO-based getrandom acceleration.
> It needs a way for a userspace thread to allocate userspace memory in a
> specific way. Jason proposed to use a vDSO call as the interface, not a
> system call.
Not quite so in the latest revision of that patch:
https://lore.kernel.org/lkml/20220916125916.652546-1-Jason@xxxxxxxxx/
Jason
>
> Maybe this approach is applicable here as well? Or we can come up with
> a more general interface for such per-thread allocations?
>
> Thanks,
> Florian
>