Re: [PATCH v19 16/25] mm: Add guard pages around a shadow stack.

From: Kees Cook
Date: Thu Feb 04 2021 - 15:25:02 EST

Next message: Bhaumik Bhatt: "Re: [PATCH v5 6/9] bus: mhi: core: Check channel execution environment before issuing reset"
Previous message: Kees Cook: "Re: [PATCH v19 15/25] mm: Fixup places that call pte_mkwrite() directly"
In reply to: Yu-cheng Yu: "[PATCH v19 16/25] mm: Add guard pages around a shadow stack."
Next in thread: Yu-cheng Yu: "[PATCH v19 14/25] x86/mm: Update maybe_mkwrite() for shadow stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 03, 2021 at 02:55:38PM -0800, Yu-cheng Yu wrote:
> INCSSP(Q/D) increments shadow stack pointer and 'pops and discards' the
> first and the last elements in the range, effectively touches those memory
> areas.
>
> The maximum moving distance by INCSSPQ is 255 * 8 = 2040 bytes and
> 255 * 4 = 1020 bytes by INCSSPD. Both ranges are far from PAGE_SIZE.
> Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
> CALL, and RET from going beyond.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>

Yay guard pages! :)

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook

Next message: Bhaumik Bhatt: "Re: [PATCH v5 6/9] bus: mhi: core: Check channel execution environment before issuing reset"
Previous message: Kees Cook: "Re: [PATCH v19 15/25] mm: Fixup places that call pte_mkwrite() directly"
In reply to: Yu-cheng Yu: "[PATCH v19 16/25] mm: Add guard pages around a shadow stack."
Next in thread: Yu-cheng Yu: "[PATCH v19 14/25] x86/mm: Update maybe_mkwrite() for shadow stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]