Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAMe9rOoo55aFHHuLf=zdc4PNvU+Tu9rtpWaMUdRL=JtHGbE3pA@mail.gmail.com>
Date: Wed, 21 Feb 2024 13:12:47 -0800
From: "H.J. Lu" <hjl.tools@...il.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Cc: "dalias@...c.org" <dalias@...c.org>, 
	"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>, 
	"suzuki.poulose@....com" <suzuki.poulose@....com>, "Szabolcs.Nagy@....com" <Szabolcs.Nagy@....com>, 
	"musl@...ts.openwall.com" <musl@...ts.openwall.com>, 
	"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>, 
	"linux-riscv@...ts.infradead.org" <linux-riscv@...ts.infradead.org>, 
	"kvmarm@...ts.linux.dev" <kvmarm@...ts.linux.dev>, "corbet@....net" <corbet@....net>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, 
	"catalin.marinas@....com" <catalin.marinas@....com>, "broonie@...nel.org" <broonie@...nel.org>, 
	"oliver.upton@...ux.dev" <oliver.upton@...ux.dev>, "palmer@...belt.com" <palmer@...belt.com>, 
	"debug@...osinc.com" <debug@...osinc.com>, "aou@...s.berkeley.edu" <aou@...s.berkeley.edu>, 
	"shuah@...nel.org" <shuah@...nel.org>, "arnd@...db.de" <arnd@...db.de>, "maz@...nel.org" <maz@...nel.org>, 
	"oleg@...hat.com" <oleg@...hat.com>, "fweimer@...hat.com" <fweimer@...hat.com>, 
	"keescook@...omium.org" <keescook@...omium.org>, "james.morse@....com" <james.morse@....com>, 
	"ebiederm@...ssion.com" <ebiederm@...ssion.com>, "will@...nel.org" <will@...nel.org>, 
	"brauner@...nel.org" <brauner@...nel.org>, 
	"linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>, 
	"paul.walmsley@...ive.com" <paul.walmsley@...ive.com>, "ardb@...nel.org" <ardb@...nel.org>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	"linux-mm@...ck.org" <linux-mm@...ck.org>, 
	"thiago.bauermann@...aro.org" <thiago.bauermann@...aro.org>, 
	"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>, "sorear@...tmail.com" <sorear@...tmail.com>, 
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>
Subject: Re: Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace

On Wed, Feb 21, 2024 at 12:25 PM H.J. Lu <hjl.tools@...il.com> wrote:
>
> On Wed, Feb 21, 2024 at 12:18 PM H.J. Lu <hjl.tools@...il.com> wrote:
> >
> > On Wed, Feb 21, 2024 at 11:22 AM Edgecombe, Rick P
> > <rick.p.edgecombe@...el.com> wrote:
> > >
> > > On Wed, 2024-02-21 at 14:06 -0500, dalias@...c.org wrote:
> > > > Due to arbitrarily nestable signal frames, no, this does not suffice.
> > > > An interrupted operation using the lock could be arbitrarily delayed,
> > > > even never execute again, making any call to dlopen deadlock.
> > >
> > > Doh! Yep, it is not robust to this. The only thing that could be done
> > > would be a timeout in dlopen(). Which would make the whole thing just
> > > better than nothing.
> > >
> > > >
> > > > >
> > > >
> > > > It's fine to turn RDSSP into an actual emulated read of the SSP, or
> > > > at
> > > > least an emulated load of zero so that uninitialized data is not left
> > > > in the target register.
> > >
> > > We can't intercept RDSSP, but it becomes a NOP by default. (disclaimer
> > > x86-only knowledge).
> > >
> > > >  If doing the latter, code working with the
> > > > shadow stack just needs to be prepared for the possibility that it
> > > > could be async-disabled, and check the return value.
> > > >
> > > > I have not looked at all the instructions that become #UD but I
> > > > suspect they all have reasonable trivial ways to implement a
> > > > "disabled" version of them that userspace can act upon reasonably.
> > >
> > > This would have to be thought through functionally and performance
> > > wise. I'm not opposed if can come up with a fully fleshed out plan. How
> > > serious are you in pursuing musl support, if we had something like
> > > this?
> > >
> > > HJ, any thoughts on whether glibc would use this as well?
> >
> > Assuming that we are talking about permissive mode,  if kernel can
> > suppress UD, we don't need to disable SHSTK.   Glibc can enable
> > ARCH_SHSTK_SUPPRESS_UD instead.
>
> Kernel must suppress all possible SHSTK UDs.

If SHSTK is disabled by kernel, not by glibc,  there can be 2 issues:

1.  Glibc and kernel may be out of sync on SHSTK.
2.  When kernel disables SHSTK, glibc may be in the middle of reading
shadow stack in longjmp, searching for a restore token.

> > > It is probably worth mentioning that from the security side (as Mark
> > > mentioned there is always tension in the tradeoffs on these features),
> > > permissive mode is seen by some as something that weakens security too
> > > much. Apps could call dlopen() on a known unsupported DSO before doing
> > > ROP. I don't know if you have any musl users with specific shadow stack
> > > use cases to ask about this.
> >
> >
> >
> > --
> > H.J.
>
>
>
> --
> H.J.



-- 
H.J.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.