Re: [PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory

From: David Hildenbrand
Date: Mon Jan 23 2023 - 04:11:01 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 1/2] dt-bindings: clock: Add SM7150 GCC clocks"
Previous message: Masahiro Yamada: "Re: Linux 6.2-rc2"
In reply to: Rick Edgecombe: "[PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory"
Next in thread: Florian Weimer: "Re: [PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 19.01.23 22:23, Rick Edgecombe wrote:

The x86 Control-flow Enforcement Technology (CET) feature includes a new
type of memory called shadow stack. This shadow stack memory has some
unusual properties, which requires some core mm changes to function
properly.

Shadow stack memory is writable only in very specific, controlled ways.
However, since it is writable, the kernel treats it as such. As a result
there remain many ways for userspace to trigger the kernel to write to
shadow stack's via get_user_pages(, FOLL_WRITE) operations. To make this a
little less exposed, block writable GUPs for shadow stack VMAs.

Still allow FOLL_FORCE to write through shadow stack protections, as it
does for read-only protections.

So an app can simply modify the shadow stack itself by writing to /proc/self/mem ?

Is that really intended? Looks like security hole to me at first sight, but maybe I am missing something important.

--
Thanks,

David / dhildenb

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 1/2] dt-bindings: clock: Add SM7150 GCC clocks"
Previous message: Masahiro Yamada: "Re: Linux 6.2-rc2"
In reply to: Rick Edgecombe: "[PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory"
Next in thread: Florian Weimer: "Re: [PATCH v5 23/39] mm: Don't allow write GUPs to shadow stack memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]