[PATCH v21 16/26] mm: Add guard pages around a shadow stack.

Wed, 17 Feb 2021 14:41:07 -0800 

INCSSP(Q/D) increments shadow stack pointer and 'pops and discards' the
first and the last elements in the range, effectively touches those memory
areas.

The maximum moving distance by INCSSPQ is 255 * 8 = 2040 bytes and
255 * 4 = 1020 bytes by INCSSPD.  Both ranges are far from PAGE_SIZE.
Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
CALL, and RET from going beyond.

Signed-off-by: Yu-cheng Yu <yu-cheng...@intel.com>
Reviewed-by: Kees Cook <keesc...@chromium.org>
---
 arch/x86/include/asm/page_64_types.h | 10 ++++++++++
 include/linux/mm.h                   | 24 ++++++++++++++++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/page_64_types.h 
b/arch/x86/include/asm/page_64_types.h
index 645bd1d0ee07..fda4c023e009 100644
--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -115,4 +115,14 @@
 #define KERNEL_IMAGE_SIZE      (512 * 1024 * 1024)
 #endif
 
+/*
+ * Shadow stack pointer is moved by CALL, RET, and INCSSP(Q/D).  INCSSPQ
+ * moves shadow stack pointer up to 255 * 8 = ~2 KB (~1KB for INCSSPD) and
+ * touches the first and the last element in the range, which triggers a
+ * page fault if the range is not in a shadow stack.  Because of this,
+ * creating 4-KB guard pages around a shadow stack prevents these
+ * instructions from going beyond.
+ */
+#define ARCH_SHADOW_STACK_GUARD_GAP PAGE_SIZE
+
 #endif /* _ASM_X86_PAGE_64_DEFS_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index abd756e426fc..c12b3d36dbd3 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2640,6 +2640,10 @@ extern vm_fault_t filemap_page_mkwrite(struct vm_fault 
*vmf);
 int __must_check write_one_page(struct page *page);
 void task_dirty_inc(struct task_struct *tsk);
 
+#ifndef ARCH_SHADOW_STACK_GUARD_GAP
+#define ARCH_SHADOW_STACK_GUARD_GAP 0
+#endif
+
 extern unsigned long stack_guard_gap;
 /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
 extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
@@ -2672,9 +2676,15 @@ static inline struct vm_area_struct * 
find_vma_intersection(struct mm_struct * m
 static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
 {
        unsigned long vm_start = vma->vm_start;
+       unsigned long gap = 0;
 
-       if (vma->vm_flags & VM_GROWSDOWN) {
-               vm_start -= stack_guard_gap;
+       if (vma->vm_flags & VM_GROWSDOWN)
+               gap = stack_guard_gap;
+       else if (vma->vm_flags & VM_SHSTK)
+               gap = ARCH_SHADOW_STACK_GUARD_GAP;
+
+       if (gap != 0) {
+               vm_start -= gap;
                if (vm_start > vma->vm_start)
                        vm_start = 0;
        }
@@ -2684,9 +2694,15 @@ static inline unsigned long vm_start_gap(struct 
vm_area_struct *vma)
 static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
 {
        unsigned long vm_end = vma->vm_end;
+       unsigned long gap = 0;
+
+       if (vma->vm_flags & VM_GROWSUP)
+               gap = stack_guard_gap;
+       else if (vma->vm_flags & VM_SHSTK)
+               gap = ARCH_SHADOW_STACK_GUARD_GAP;
 
-       if (vma->vm_flags & VM_GROWSUP) {
-               vm_end += stack_guard_gap;
+       if (gap != 0) {
+               vm_end += gap;
                if (vm_end < vma->vm_end)
                        vm_end = -PAGE_SIZE;
        }
-- 
2.21.0

Reply via email to