Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-10-09 Thread Andy Lutomirski
>>>> 00:00:00 2001 > >>>>>>>>> From: Yu-cheng Yu > >>>>>>>>> Date: Thu, 29 Nov 2018 14:15:38 -0800 > >>>>>>>>> Subject: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and > >>

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-10-06 Thread Yu, Yu-cheng
09803e66dca38d7784e32687d0693550948199ed Mon Sep 17 00:00:00 2001 From: Yu-cheng Yu Date: Thu, 29 Nov 2018 14:15:38 -0800 Subject: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation Vsyscall entry points are effectively branch targets. Mark them with ENDBR64

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-10-01 Thread Andy Lutomirski
>>From 09803e66dca38d7784e32687d0693550948199ed Mon Sep 17 00:00:00 > >>>>>>> 2001 > >>>>>>> From: Yu-cheng Yu > >>>>>>> Date: Thu, 29 Nov 2018 14:15:38 -0800 > >>>>>>> Subject: [PATCH v13

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-10-01 Thread Yu, Yu-cheng
Subject: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation Vsyscall entry points are effectively branch targets. Mark them with ENDBR64 opcodes. When emulating the RET instruction, unwind shadow stack and reset IBT state machine. Signed-off

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-30 Thread H.J. Lu
>> + > > > > >>>>> + if (cet->user_ssp && ((cet->user_ssp + 8) < > > > > >>>>> TASK_SIZE_MAX)) > > > > >>>>> + cet->user_ssp +=

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-30 Thread Andy Lutomirski
} > > > >>>>> + > > > >>>>> + if (cet->user_ssp && ((cet->user_ssp + 8) < > > > >>>>> TASK_SIZE_MAX)) > > > >>>>> + cet->user_ssp += 8;

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-30 Thread H.J. Lu
>>>> + } > > >>>>> + > > >>>>> + if (cet->user_ssp && ((cet->user_ssp + 8) < > > >>>>> TASK_SIZE_MAX)) > > >>>>> + cet->user_ssp += 8; >

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-30 Thread Andy Lutomirski
cet->user_ssp += 8; > >>>> > >>>> This looks buggy. The condition should be "if SHSTK is on, then add 8 > >>>> to user_ssp". If the result is noncanonical, then some appropriate > >>>> exception should be generated,

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-30 Thread Yu, Yu-cheng
eng Yu Date: Thu, 29 Nov 2018 14:15:38 -0800 Subject: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation Vsyscall entry points are effectively branch targets. Mark them with ENDBR64 opcodes. When emulating the RET instruction, unwind shadow

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-29 Thread Andy Lutomirski
> > > This looks buggy. The condition should be "if SHSTK is on, then add 8 > > > to user_ssp". If the result is noncanonical, then some appropriate > > > exception should be generated, probably by the FPU restore code -- see > > > below. You should be checki

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-29 Thread Andy Lutomirski
You should be checking the SHSTK_EN bit, not SSP. > > Updated. Is this OK? I will resend the whole series later. > > Thanks, > Yu-cheng > > == > > From 09803e66dca38d7784e32687d0693550948199ed Mon Sep 17 00:00:00 2001 > From: Yu-cheng Yu > Date: Thu, 29 N

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-29 Thread Yu, Yu-cheng
will resend the whole series later. Thanks, Yu-cheng == From 09803e66dca38d7784e32687d0693550948199ed Mon Sep 17 00:00:00 2001 From: Yu-cheng Yu Date: Thu, 29 Nov 2018 14:15:38 -0800 Subject: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-28 Thread Yu, Yu-cheng
On 9/28/2020 10:37 AM, Andy Lutomirski wrote: On Mon, Sep 28, 2020 at 9:59 AM Yu-cheng Yu wrote: On Fri, 2020-09-25 at 09:51 -0700, Andy Lutomirski wrote: On Sep 25, 2020, at 9:48 AM, Yu, Yu-cheng wrote: + + cet = get_xsave_addr(>state.xsave, XFEATURE_CET_USER); +

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-28 Thread Andy Lutomirski
On Mon, Sep 28, 2020 at 9:59 AM Yu-cheng Yu wrote: > > On Fri, 2020-09-25 at 09:51 -0700, Andy Lutomirski wrote: > > > On Sep 25, 2020, at 9:48 AM, Yu, Yu-cheng wrote: > + > + cet = get_xsave_addr(>state.xsave, XFEATURE_CET_USER); > + if (!cet) { > +

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-28 Thread Yu-cheng Yu
a comment and a warning would be much > > > better than a random sigsegv. > > > > Yes, it should be impossible to get here. I will add a comment and a > > warning, but still do sigsegv. Should this happen, and the function > > return, the app gets a control-protectio

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-25 Thread Andy Lutomirski
> On Sep 25, 2020, at 9:48 AM, Yu, Yu-cheng wrote: > > On 9/25/2020 9:31 AM, Andy Lutomirski wrote: >>> On Fri, Sep 25, 2020 at 7:58 AM Yu-cheng Yu wrote: >>> > > [...] > >>> @@ -286,6 +289,37 @@ bool emulate_vsyscall(unsigned long error_code, >>> /* Emulate a ret instruction. */

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-25 Thread Yu, Yu-cheng
On 9/25/2020 9:31 AM, Andy Lutomirski wrote: On Fri, Sep 25, 2020 at 7:58 AM Yu-cheng Yu wrote: [...] @@ -286,6 +289,37 @@ bool emulate_vsyscall(unsigned long error_code, /* Emulate a ret instruction. */ regs->ip = caller; regs->sp += 8; + +#ifdef CONFIG_X86_CET

Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-25 Thread Andy Lutomirski
On Fri, Sep 25, 2020 at 7:58 AM Yu-cheng Yu wrote: > > Vsyscall entry points are effectively branch targets. Mark them with > ENDBR64 opcodes. When emulating the RET instruction, unwind shadow stack > and reset IBT state machine. > > Signed-off-by: Yu-cheng Yu > --- > v13: > - Check shadow

[PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect Branch Tracking for vsyscall emulation

2020-09-25 Thread Yu-cheng Yu
Vsyscall entry points are effectively branch targets. Mark them with ENDBR64 opcodes. When emulating the RET instruction, unwind shadow stack and reset IBT state machine. Signed-off-by: Yu-cheng Yu --- v13: - Check shadow stack address is canonical. - Change from writing to MSRs to writing to