Re: [PATCH v7 21/41] mm: Add guard pages around a shadow stack.

From: Edgecombe, Rick P
Date: Mon Mar 06 2023 - 20:30:08 EST


On Mon, 2023-03-06 at 09:08 +0100, Borislav Petkov wrote:
> Just typos:

All seem reasonable to me. Thanks.

For using the log verbiage for the comment, it is quite big. Does
something like this seem reasonable?

/*
 * The shadow stack pointer (SSP) is moved by CALL, RET, and INCSSPQ.
 * The INCSSP instruction can increment the shadow stack pointer. It
 * is the shadow stack analog of an instruction like:
 *
 * addq $0x80, %rsp
 *
 * However, there is one important difference between an ADD on %rsp
 * and INCSSP. In addition to modifying SSP, INCSSP also reads from the
 * memory of the first and last elements that were "popped". It can be
 * thought of as acting like this:
 *
 * READ_ONCE(ssp); // read+discard top element on stack
 * ssp += nr_to_pop * 8; // move the shadow stack
 * READ_ONCE(ssp-8); // read+discard last popped stack element
 *
 * The maximum distance INCSSP can move the SSP is 2040 bytes, before
 * it would read the memory. Therefore a single page gap will be enough
 * to prevent any operation from shifting the SSP to an adjacent stack,
 * since it would have to land in the gap at least once, causing a
 * fault.
 *
 * Prevent using INCSSP to move the SSP between shadow stacks by
 * having a PAGE_SIZE guard gap.
 */