Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20200427220942.GB80713@google.com>
Date: Mon, 27 Apr 2020 15:09:42 -0700
From: Sami Tolvanen <samitolvanen@...gle.com>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: Will Deacon <will@...nel.org>,
	Catalin Marinas <catalin.marinas@....com>,
	James Morse <james.morse@....com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Mark Rutland <mark.rutland@....com>,
	Masahiro Yamada <masahiroy@...nel.org>,
	Michal Marek <michal.lkml@...kovi.net>,
	Ingo Molnar <mingo@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Juri Lelli <juri.lelli@...hat.com>,
	Vincent Guittot <vincent.guittot@...aro.org>,
	Kees Cook <keescook@...omium.org>, Jann Horn <jannh@...gle.com>,
	Marc Zyngier <maz@...nel.org>, kernel-hardening@...ts.openwall.com,
	Nick Desaulniers <ndesaulniers@...gle.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	clang-built-linux <clang-built-linux@...glegroups.com>,
	Laura Abbott <labbott@...hat.com>,
	Dave Martin <Dave.Martin@....com>,
	Linux ARM <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH v13 00/12] add support for Clang's Shadow Call Stack

On Mon, Apr 27, 2020 at 10:50:34PM +0200, Ard Biesheuvel wrote:
> > OK, so one thing that came up in an offline discussion about SCS is
> > the way it interacts with the vmap'ed stack.
> >
> > The vmap'ed stack is great for robustness, but it only works if things
> > don't explode for other reasons in the mean time. This means the
> > ordinary-to-shadow-call-stack size ratio should be chosen such that it
> > is *really* unlikely you could ever overflow the shadow call stack and
> > corrupt another task's call stack before hitting the vmap stack's
> > guard region.
> >
> > Alternatively, I wonder if there is a way we could let the SCS and
> > ordinary stack share the [bottom of] the vmap'ed region. That would
> > give rather nasty results if the ordinary stack overflows into the
> > SCS, but for cases where we really recurse out of control, we could
> > catch this occurrence on either stack, whichever one occurs first. And
> > the nastiness -when it does occur- will not corrupt any state beyond
> > the stack of the current task.
> 
> Hmm, I guess that would make it quite hard to keep the SCS address
> secret though :-(

Yes, and the stack potentially overflowing into the SCS sort of defeats
the purpose. I'm fine with increasing the SCS size to something safer,
but using a vmapped shadow stack seems like the correct solution to this
problem, at least on devices where allocating a full page isn't an issue.

Sami

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.