From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "dalias@libc.org" <dalias@libc.org>
Cc: "linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
"suzuki.poulose@arm.com" <suzuki.poulose@arm.com>,
"Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>,
"musl@lists.openwall.com" <musl@lists.openwall.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"corbet@lwn.net" <corbet@lwn.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
"broonie@kernel.org" <broonie@kernel.org>,
"oliver.upton@linux.dev" <oliver.upton@linux.dev>,
"palmer@dabbelt.com" <palmer@dabbelt.com>,
"debug@rivosinc.com" <debug@rivosinc.com>,
"aou@eecs.berkeley.edu" <aou@eecs.berkeley.edu>,
"shuah@kernel.org" <shuah@kernel.org>,
"arnd@arndb.de" <arnd@arndb.de>,
"maz@kernel.org" <maz@kernel.org>,
"oleg@redhat.com" <oleg@redhat.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"james.morse@arm.com" <james.morse@arm.com>,
"ebiederm@xmission.com" <ebiederm@xmission.com>,
"will@kernel.org" <will@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"thiago.bauermann@linaro.org" <thiago.bauermann@linaro.org>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"paul.walmsley@sifive.com" <paul.walmsley@sifive.com>,
"ardb@kernel.org" <ardb@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"sorear@fastmail.com" <sorear@fastmail.com>
Subject: Re: [musl] Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace
Date: Tue, 20 Feb 2024 23:30:22 +0000 [thread overview]
Message-ID: <9fc9c45ff6e14df80ad023e66ff7a978bd4ec91c.camel@intel.com> (raw)
In-Reply-To: <20240220185714.GO4163@brightrain.aerifal.cx>
On Tue, 2024-02-20 at 13:57 -0500, Rich Felker wrote:
> On Tue, Feb 20, 2024 at 06:41:05PM +0000, Edgecombe, Rick P wrote:
> > Hmm, could the shadow stack underflow onto the real stack then? Not
> > sure how bad that is. INCSSP (incrementing the SSP register on x86)
> > loops are not rare so it seems like something that could happen.
>
> Shadow stack underflow should fault on attempt to access
> non-shadow-stack memory as shadow-stack, no?
Maybe I'm misunderstanding. I thought the proposal included allowing
shadow stack access to convert normal address ranges to shadow stack,
and normal writes to convert shadow stack to normal.
> >
> > Won't this prevent catching stack overflows when they happen? An
> > overflow will just turn the shadow stack into normal stack and only
> > get
> > detected when the shadow stack unwinds?
>
> I don't think that's as big a problem as it sounds like. It might
> make
> pinpointing the spot at which things went wrong take a little bit
> more
> work, but it should not admit any wrong-execution.
Right, it's a point about debugging. I'm just trying to analyze the
pros and cons and not calling it a showstopper.
> >
> > Shadow stacks currently have automatic guard gaps to try to prevent
> > one
> > thread from overflowing onto another thread's shadow stack. This
> > would
> > somewhat opens that up, as the stack guard gaps are usually
> > maintained
> > by userspace for new threads. It would have to be thought through
> > if
> > these could still be enforced with checking at additional spots.
>
> I would think the existing guard pages would already do that if a
> thread's shadow stack is contiguous with its own data stack.
The difference is that the kernel provides the guard gaps, where this
would rely on userspace to do it. It is not a showstopper either.
I think my biggest question on this is how does it change the
capability for two threads to share a shadow stack. It might require
some special rules around the syscall that writes restore tokens. So
I'm not sure. It probably needs a POC.
>
> From the musl side, I have always looked at the entirely of shadow
> stack stuff with very heavy skepticism, and anything that breaks
> existing interface contracts, introduced places where apps can get
> auto-killed because a late resource allocation fails, or requires
> applications to code around the existence of something that should be
> an implementation detail, is a non-starter. To even consider shadow
> stack support, it must truely be fully non-breaking.
The manual assembly stack switching and JIT code in the apps needs to
be updated. I don't think there is a way around it.
I agree though that the late allocation failures are not great. Mark is
working on clone3 support which should allow moving the shadow stack
allocation to happen in userspace with the normal stack. Even for riscv
though, doesn't it need to update a new register in stack switching?
BTW, x86 shadow stack has a mode where the shadow stack is writable
with a special instruction (WRSS). It enables the SSP to be set
arbitrarily by writing restore tokens. We discussed this as an option
to make the existing longjmp() and signal stuff work more transparently
for glibc.
>
> > > _Without_ doing this, sigaltstack cannot be used to recover from
> > > stack
> > > overflows if the shadow stack limit is reached first, and
> > > makecontext
> > > cannot be supported without memory leaks and unreportable error
> > > conditions.
> >
> > FWIW, I think the makecontext() shadow stack leaking is a bad idea.
> > I
> > would prefer the existing makecontext() interface just didn't
> > support
> > shadow stack, rather than the leaking solution glibc does today.
>
> AIUI the proposal by Stefan makes it non-leaking because it's just
> using normal memory that reverts to normal usage on any
> non-shadow-stack access.
>
Right, but does it break any existing apps anyway (because of small
ucontext stack sizes)?
BTW, when I talk about "not supporting" I don't mean the app should
crash. I mean it should instead run normally, just without shadow stack
enabled. Not sure if that was clear. Since shadow stack is not
essential for an application to function, it is only security hardening
on top.
Although determining if an application supports shadow stack has turned
out to be difficult in practice. Handling dlopen() is especially hard.
next prev parent reply other threads:[~2024-02-20 23:41 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org>
2024-02-20 16:36 ` Stefan O'Rear
2024-02-20 18:41 ` Edgecombe, Rick P
2024-02-20 18:57 ` Rich Felker
2024-02-20 23:30 ` Edgecombe, Rick P [this message]
2024-02-20 23:54 ` dalias
2024-02-21 0:35 ` Edgecombe, Rick P
2024-02-21 0:44 ` Mark Brown
2024-02-21 1:27 ` dalias
2024-02-21 2:11 ` Edgecombe, Rick P
2024-02-21 4:18 ` Edgecombe, Rick P
2024-02-21 13:53 ` Mark Brown
2024-02-21 14:58 ` dalias
2024-02-21 17:36 ` Mark Brown
2024-02-21 17:57 ` dalias
2024-02-21 18:12 ` Edgecombe, Rick P
2024-02-21 18:30 ` dalias
2024-02-21 18:53 ` Edgecombe, Rick P
2024-02-21 19:06 ` dalias
2024-02-21 19:22 ` Edgecombe, Rick P
2024-02-21 20:18 ` dalias
2024-02-21 20:18 ` H.J. Lu
2024-02-21 20:25 ` H.J. Lu
2024-02-21 21:12 ` H.J. Lu
2024-02-22 13:57 ` Mark Brown
2024-02-21 18:32 ` Mark Brown
2024-02-21 19:10 ` dalias
2024-03-02 14:57 ` Szabolcs Nagy
2024-03-02 15:05 ` H.J. Lu
2024-03-14 14:03 ` Mark Brown
2024-02-20 23:59 ` Stefan O'Rear
2024-02-21 0:40 ` Mark Brown
2024-02-21 4:30 ` Edgecombe, Rick P
2024-02-20 20:14 ` Mark Brown
2024-02-20 23:30 ` Edgecombe, Rick P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9fc9c45ff6e14df80ad023e66ff7a978bd4ec91c.camel@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dalias@libc.org \
--cc=debug@rivosinc.com \
--cc=ebiederm@xmission.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=maz@kernel.org \
--cc=musl@lists.openwall.com \
--cc=oleg@redhat.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=shuah@kernel.org \
--cc=sorear@fastmail.com \
--cc=suzuki.poulose@arm.com \
--cc=thiago.bauermann@linaro.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).