Re: [PATCH v2 15/39] x86/mm: Check Shadow Stack page fault errors

From: Peter Zijlstra
Date: Fri Oct 14 2022 - 06:07:53 EST


On Thu, Sep 29, 2022 at 03:29:12PM -0700, Rick Edgecombe wrote:

> The architecture has concepts of both shadow stack reads and shadow stack
> writes. Any shadow stack access to non-shadow stack memory will generate
> a fault with the shadow stack error code bit set.
>
> This means that, unlike normal write protection, the fault handler needs
> to create a type of memory that can be written to (with instructions that
> generate shadow stack writes), even to fulfill a read access. So in the
> case of COW memory, the COW needs to take place even with a shadow stack
> read. Otherwise the page will be left (shadow stack) writable in
> userspace. So to trigger the appropriate behavior, set FAULT_FLAG_WRITE
> for shadow stack accesses, even if the access was a shadow stack read.

That ^ should be moved into the comment below

> - Clarify reasoning for FAULT_FLAG_WRITE for all shadow stack accesses

> @@ -1300,6 +1314,13 @@ void do_user_addr_fault(struct pt_regs *regs,
>
> perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
>
> + /*
> + * In order to fullfull a shadow stack access, the page needs
> + * to be made (shadow stack) writable. So treat all shadow stack
> + * accesses as writes.
> + */

Because that's impenetrable.

> + if (error_code & X86_PF_SHSTK)
> + flags |= FAULT_FLAG_WRITE;
> if (error_code & X86_PF_WRITE)
> flags |= FAULT_FLAG_WRITE;
> if (error_code & X86_PF_INSTR)
> --
> 2.17.1
>