Re: [PATCH 00/35] Shadow stacks for userspace

From: Edgecombe, Rick P
Date: Mon Feb 07 2022 - 20:49:46 EST

Next message: Mimi Zohar: "[PATCH v4 1/8] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS"
Previous message: Lu Baolu: "[PATCH v2 08/10] iommu: Remove unused argument in is_attach_deferred"
In reply to: Florian Weimer: "Re: [PATCH 00/35] Shadow stacks for userspace"
Next in thread: Andy Lutomirski: "Re: [PATCH 00/35] Shadow stacks for userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 2022-02-06 at 13:42 +0000, David Laight wrote:
> > I don't think this is as difficult to avoid because userspace ssp
> > has
> > its own register that should not be accessed at that point, but I
> > have
> > not given this aspect enough analysis. Thanks for bringing it up.
>
> So the user ssp isn't saved (or restored) by the trap entry/exit.
> So it needs to be saved by the context switch code?
> Much like the user segment registers?
> So you are likely to get the same problems if restoring it can fault
> in kernel (eg for a non-canonical address).

PL3_SSP is lazily saved and restored by the FPU supervisor xsave code,
which has its buffer in kernel memory. For the most part it is
userspace instructions that use this register and they can only modify
it in limited ways.

It does look like IRET can cause a #CP if the PL3 SSP is not aligned,
but only after RIP and CPL are set back to userspace. I'm not confident
enough interpreting the specs to assert the specific behavior and will
follow up internally to clarify.

Next message: Mimi Zohar: "[PATCH v4 1/8] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS"
Previous message: Lu Baolu: "[PATCH v2 08/10] iommu: Remove unused argument in is_attach_deferred"
In reply to: Florian Weimer: "Re: [PATCH 00/35] Shadow stacks for userspace"
Next in thread: Andy Lutomirski: "Re: [PATCH 00/35] Shadow stacks for userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]