Hi Paul/Zong,
Can you apply following diff on `allocate_shadow_stack` function in this patch.
This fixes the bug that I earlier mentioned. We shouldn't be returning location
to token and instead return base address of shadow stack. Userspace consumer
should be determining token location itself. This matches the ABI of other
arches. Sorry for being late on this.
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
index 27b36034ea85..a8530e6afb1e 100644
--- a/arch/riscv/kernel/usercfi.c
+++ b/arch/riscv/kernel/usercfi.c
@@ -232,7 +232,7 @@ static unsigned long allocate_shadow_stack(unsigned long
addr, unsigned long siz
{
int flags = MAP_ANONYMOUS | MAP_PRIVATE;
struct mm_struct *mm = current->mm;
- unsigned long populate, tok_loc = 0;
+ unsigned long populate;
if (addr)
flags |= MAP_FIXED_NOREPLACE;
@@ -245,13 +245,11 @@ static unsigned long allocate_shadow_stack(unsigned long
addr, unsigned long siz
if (!set_tok || IS_ERR_VALUE(addr))
goto out;
- if (create_rstor_token(addr + token_offset, &tok_loc)) {
+ if (create_rstor_token(addr + token_offset, NULL)) {
vm_munmap(addr, size);
return -EINVAL;
}
- addr = tok_loc;
-
out:
return addr;
}
On Thu, Dec 11, 2025 at 09:20:43AM -0800, Deepak Gupta via B4 Relay wrote:
From: Deepak Gupta <[email protected]>
As discussed extensively in the changelog for the addition of this
syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the
existing mmap() and madvise() syscalls do not map entirely well onto the
security requirements for shadow stack memory since they lead to windows
where memory is allocated but not yet protected or stacks which are not
properly and safely initialised. Instead a new syscall map_shadow_stack()
has been defined which allocates and initialises a shadow stack page.
This patch implements this syscall for riscv. riscv doesn't require token
to be setup by kernel because user mode can do that by itself. However to
provide compatibility and portability with other architectues, user mode
can specify token set flag.
Reviewed-by: Zong Li <[email protected]>
Tested-by: Andreas Korb <[email protected]>
Tested-by: Valentin Haudiquet <[email protected]>
Signed-off-by: Deepak Gupta <[email protected]>
---
arch/riscv/kernel/Makefile | 1 +
arch/riscv/kernel/usercfi.c | 142 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 143 insertions(+)
diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
index f60fce69b725..2d0e0dcedbd3 100644
--- a/arch/riscv/kernel/Makefile
+++ b/arch/riscv/kernel/Makefile
@@ -125,3 +125,4 @@ obj-$(CONFIG_ACPI) += acpi.o
obj-$(CONFIG_ACPI_NUMA) += acpi_numa.o
obj-$(CONFIG_GENERIC_CPU_VULNERABILITIES) += bugs.o
+obj-$(CONFIG_RISCV_USER_CFI) += usercfi.o
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
new file mode 100644
index 000000000000..251c3faccbf8
--- /dev/null
+++ b/arch/riscv/kernel/usercfi.c
@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2024 Rivos, Inc.
+ * Deepak Gupta <[email protected]>
+ */
+
+#include <linux/sched.h>
+#include <linux/bitops.h>
+#include <linux/types.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/uaccess.h>
+#include <linux/sizes.h>
+#include <linux/user.h>
+#include <linux/syscalls.h>
+#include <linux/prctl.h>
+#include <asm/csr.h>
+#include <asm/usercfi.h>
+
+#define SHSTK_ENTRY_SIZE sizeof(void *)
+
+/*
+ * Writes on shadow stack can either be `sspush` or `ssamoswap`. `sspush` can
happen
+ * implicitly on current shadow stack pointed to by CSR_SSP. `ssamoswap` takes
pointer to
+ * shadow stack. To keep it simple, we plan to use `ssamoswap` to perform
writes on shadow
+ * stack.
+ */
+static noinline unsigned long amo_user_shstk(unsigned long *addr, unsigned
long val)
+{
+ /*
+ * Never expect -1 on shadow stack. Expect return addresses and zero
+ */
+ unsigned long swap = -1;
+
+ __enable_user_access();
+ asm goto(".option push\n"
+ ".option arch, +zicfiss\n"
+ "1: ssamoswap.d %[swap], %[val], %[addr]\n"
+ _ASM_EXTABLE(1b, %l[fault])
+ ".option pop\n"
+ : [swap] "=r" (swap), [addr] "+A" (*addr)
+ : [val] "r" (val)
+ : "memory"
+ : fault
+ );
+ __disable_user_access();
+ return swap;
+fault:
+ __disable_user_access();
+ return -1;
+}
+
+/*
+ * Create a restore token on the shadow stack. A token is always XLEN wide
+ * and aligned to XLEN.
+ */
+static int create_rstor_token(unsigned long ssp, unsigned long *token_addr)
+{
+ unsigned long addr;
+
+ /* Token must be aligned */
+ if (!IS_ALIGNED(ssp, SHSTK_ENTRY_SIZE))
+ return -EINVAL;
+
+ /* On RISC-V we're constructing token to be function of address itself
*/
+ addr = ssp - SHSTK_ENTRY_SIZE;
+
+ if (amo_user_shstk((unsigned long __user *)addr, (unsigned long)ssp) ==
-1)
+ return -EFAULT;
+
+ if (token_addr)
+ *token_addr = addr;
+
+ return 0;
+}
+
+static unsigned long allocate_shadow_stack(unsigned long addr, unsigned long
size,
+ unsigned long token_offset, bool
set_tok)
+{
+ int flags = MAP_ANONYMOUS | MAP_PRIVATE;
+ struct mm_struct *mm = current->mm;
+ unsigned long populate, tok_loc = 0;
+
+ if (addr)
+ flags |= MAP_FIXED_NOREPLACE;
+
+ mmap_write_lock(mm);
+ addr = do_mmap(NULL, addr, size, PROT_READ, flags,
+ VM_SHADOW_STACK | VM_WRITE, 0, &populate, NULL);
+ mmap_write_unlock(mm);
+
+ if (!set_tok || IS_ERR_VALUE(addr))
+ goto out;
+
+ if (create_rstor_token(addr + token_offset, &tok_loc)) {
+ vm_munmap(addr, size);
+ return -EINVAL;
+ }
+
+ addr = tok_loc;
+
+out:
+ return addr;
+}
+
+SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size,
unsigned int, flags)
+{
+ bool set_tok = flags & SHADOW_STACK_SET_TOKEN;
+ unsigned long aligned_size = 0;
+
+ if (!cpu_supports_shadow_stack())
+ return -EOPNOTSUPP;
+
+ /* Anything other than set token should result in invalid param */
+ if (flags & ~SHADOW_STACK_SET_TOKEN)
+ return -EINVAL;
+
+ /*
+ * Unlike other architectures, on RISC-V, SSP pointer is held in
CSR_SSP and is available
+ * CSR in all modes. CSR accesses are performed using 12bit index
programmed in instruction
+ * itself. This provides static property on register programming and
writes to CSR can't
+ * be unintentional from programmer's perspective. As long as
programmer has guarded areas
+ * which perform writes to CSR_SSP properly, shadow stack pivoting is
not possible. Since
+ * CSR_SSP is writeable by user mode, it itself can setup a shadow
stack token subsequent
+ * to allocation. Although in order to provide portablity with other
architecture (because
+ * `map_shadow_stack` is arch agnostic syscall), RISC-V will follow
expectation of a token
+ * flag in flags and if provided in flags, setup a token at the base.
+ */
+
+ /* If there isn't space for a token */
+ if (set_tok && size < SHSTK_ENTRY_SIZE)
+ return -ENOSPC;
+
+ if (addr && (addr & (PAGE_SIZE - 1)))
+ return -EINVAL;
+
+ aligned_size = PAGE_ALIGN(size);
+ if (aligned_size < size)
+ return -EOVERFLOW;
+
+ return allocate_shadow_stack(addr, aligned_size, size, set_tok);
+}
--
2.43.0
