From patchwork Thu Jan 19 21:23:08 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13108808
From: Rick Edgecombe
To: x86@kernel.org, "H. Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H. J. Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A. Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu
Subject: [PATCH v5 30/39] x86/shstk: Handle signals for shadow stack
Date: Thu, 19 Jan 2023 13:23:08 -0800
Message-Id: <20230119212317.8324-31-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230119212317.8324-1-rick.p.edgecombe@intel.com>
References: <20230119212317.8324-1-rick.p.edgecombe@intel.com>
From: Yu-cheng Yu

When a signal is handled normally the context is pushed to the stack before handling it. For shadow stacks, since the shadow stack only tracks return addresses, there isn't any state that needs to be pushed. However, there are still a few things that need to be done. These things are userspace visible and will be kernel ABI for shadow stacks.

One is to make sure the restorer address is written to the shadow stack, since the signal handler (if not changing ucontext) returns to the restorer, and the restorer calls sigreturn. So add the restorer on the shadow stack before handling the signal, so there is not a conflict when the signal handler returns to the restorer.

The other thing to do is to place some type of checkable token on the thread's shadow stack before handling the signal and check it during sigreturn. This is an extra layer of protection to hamper attackers calling sigreturn manually as in SROP-like attacks.

For this token we can use the shadow stack data format defined earlier. Have the data pushed be the previous SSP. In the future the sigreturn might want to return back to a different stack. Storing the SSP (instead of a restore offset or something) allows for future functionality that may want to restore to a different stack.

So, when handling a signal push
 - the SSP pointing in the shadow stack data format
 - the restorer address below the restore token.

In sigreturn, verify SSP is stored in the data format and pop the shadow stack.

Reviewed-by: Kees Cook
Tested-by: Pengfei Xu
Tested-by: John Allen
Signed-off-by: Yu-cheng Yu
Co-developed-by: Rick Edgecombe
Signed-off-by: Rick Edgecombe Cc: Andy Lutomirski Cc: Cyrill Gorcunov Cc: Florian Weimer Cc: H. Peter Anvin Cc: Kees Cook --- v3: - Drop shstk_setup_rstor_token() (Kees) - Drop x32 signal support, since x32 support is dropped v2: - Switch to new shstk signal format v1: - Use xsave helpers. - Expand commit log. Yu-cheng v27: - Eliminate saving shadow stack pointer to signal context. arch/x86/include/asm/shstk.h | 5 ++ arch/x86/kernel/shstk.c | 98 ++++++++++++++++++++++++++++++++++++ arch/x86/kernel/signal.c | 1 + arch/x86/kernel/signal_64.c | 6 +++ 4 files changed, 110 insertions(+) diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h index 172a69052770..746c040f7cb6 100644 --- a/arch/x86/include/asm/shstk.h +++ b/arch/x86/include/asm/shstk.h @@ -6,6 +6,7 @@ #include struct task_struct; +struct ksignal; #ifdef CONFIG_X86_USER_SHADOW_STACK struct thread_shstk { @@ -19,6 +20,8 @@ int shstk_alloc_thread_stack(struct task_struct *p, unsigned long clone_flags, unsigned long stack_size, unsigned long *shstk_addr); void shstk_free(struct task_struct *p); +int setup_signal_shadow_stack(struct ksignal *ksig); +int restore_signal_shadow_stack(void); #else static inline long shstk_prctl(struct task_struct *task, int option, unsigned long features) { return -EINVAL; } @@ -28,6 +31,8 @@ static inline int shstk_alloc_thread_stack(struct task_struct *p, unsigned long stack_size, unsigned long *shstk_addr) { return 0; } static inline void shstk_free(struct task_struct *p) {} +static inline int setup_signal_shadow_stack(struct ksignal *ksig) { return 0; } +static inline int restore_signal_shadow_stack(void) { return 0; } #endif /* CONFIG_X86_USER_SHADOW_STACK */ #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 3e470917eb0b..56e7ca8e42cc 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c 
@@ -233,6 +233,104 @@ static int get_shstk_data(unsigned long *data, unsigned long __user *addr) return 0; } +static int shstk_push_sigframe(unsigned long *ssp) +{ + unsigned long target_ssp = *ssp; + + /* Token must be aligned */ + if (!IS_ALIGNED(*ssp, 8)) + return -EINVAL; + + if (!IS_ALIGNED(target_ssp, 8)) + return -EINVAL; + + *ssp -= SS_FRAME_SIZE; + if (put_shstk_data((void *__user)*ssp, target_ssp)) + return -EFAULT; + + return 0; +} + +static int shstk_pop_sigframe(unsigned long *ssp) +{ + unsigned long token_addr; + int err; + + err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp); + if (unlikely(err)) + return err; + + /* Restore SSP aligned? */ + if (unlikely(!IS_ALIGNED(token_addr, 8))) + return -EINVAL; + + /* SSP in userspace? */ + if (unlikely(token_addr >= TASK_SIZE_MAX)) + return -EINVAL; + + *ssp = token_addr; + + return 0; +} + +int setup_signal_shadow_stack(struct ksignal *ksig) +{ + void __user *restorer = ksig->ka.sa.sa_restorer; + unsigned long ssp; + int err; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) || + !features_enabled(ARCH_SHSTK_SHSTK)) + return 0; + + if (!restorer) + return -EINVAL; + + ssp = get_user_shstk_addr(); + if (unlikely(!ssp)) + return -EINVAL; + + err = shstk_push_sigframe(&ssp); + if (unlikely(err)) + return err; + + /* Push restorer address */ + ssp -= SS_FRAME_SIZE; + err = write_user_shstk_64((u64 __user *)ssp, (u64)restorer); + if (unlikely(err)) + return -EFAULT; + + fpregs_lock_and_load(); + wrmsrl(MSR_IA32_PL3_SSP, ssp); + fpregs_unlock(); + + return 0; +} + +int restore_signal_shadow_stack(void) +{ + unsigned long ssp; + int err; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) || + !features_enabled(ARCH_SHSTK_SHSTK)) + return 0; + + ssp = get_user_shstk_addr(); + if (unlikely(!ssp)) + return -EINVAL; + + err = shstk_pop_sigframe(&ssp); + if (unlikely(err)) + return err; + + fpregs_lock_and_load(); + wrmsrl(MSR_IA32_PL3_SSP, ssp); + fpregs_unlock(); + + return 0; +} + void 
shstk_free(struct task_struct *tsk) { struct thread_shstk *shstk = &tsk->thread.shstk; diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 004cb30b7419..356253e85ce9 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -40,6 +40,7 @@ #include #include #include +#include static inline int is_ia32_compat_frame(struct ksignal *ksig) { diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index 0e808c72bf7e..cacf2ede6217 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -175,6 +175,9 @@ int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) frame = get_sigframe(ksig, regs, sizeof(struct rt_sigframe), &fp); uc_flags = frame_uc_flags(regs); + if (setup_signal_shadow_stack(ksig)) + return -EFAULT; + if (!user_access_begin(frame, sizeof(*frame))) return -EFAULT; @@ -260,6 +263,9 @@ SYSCALL_DEFINE0(rt_sigreturn) if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags)) goto badframe; + if (restore_signal_shadow_stack()) + goto badframe; + if (restore_altstack(&frame->uc.uc_stack)) goto badframe;
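Review bot: the second alignment test in shstk_push_sigframe() is redundant: target_ssp is initialised from *ssp and neither is changed between `if (!IS_ALIGNED(*ssp, 8))` and `if (!IS_ALIGNED(target_ssp, 8))`, so both tests check the same value. Drop one of them, and make the "Token must be aligned" comment say which address it means (the token is written at *ssp - SS_FRAME_SIZE, which is aligned whenever *ssp is). Separately, the cast `(void *__user)*ssp` puts the sparse annotation after the `*`; the conventional spelling is `(void __user *)`, matching the `(unsigned long __user *)` cast used a few lines later in shstk_pop_sigframe().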
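Review bot: shstk_pop_sigframe() accepts any token_addr that is 8-byte aligned and below TASK_SIZE_MAX, so after `*ssp = token_addr;` the restored SSP can land anywhere in user space, including below the current SSP or outside the thread's own shadow stack, with the data-format check inside get_shstk_data() as the only thing tying the value to a frame the kernel pushed. The commit message explains this is deliberate (restoring to a different stack later), but that rationale belongs in a comment at the `/* SSP in userspace? */` check so a future reader does not "fix" it by adding a range check. A related question for the `!features_enabled(ARCH_SHSTK_SHSTK)` early return in restore_signal_shadow_stack(): if shadow stack is disabled through shstk_prctl() between delivery and sigreturn the token is silently left behind, and if it is enabled in between sigreturn fails on an unrelated slot; stating which behaviour is intended would help.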
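Review bot: in the x64_setup_rt_frame() hunk, `if (setup_signal_shadow_stack(ksig)) return -EFAULT;` runs before user_access_begin(), and setup_signal_shadow_stack() has already committed the new pointer with wrmsrl(MSR_IA32_PL3_SSP, ssp) by the time it returns, so if the subsequent frame write fails the shadow stack has moved two slots for a signal that was never delivered. If that is acceptable because a failed delivery is fatal for the task anyway, a one-line comment saying so would save the next reader the analysis. The same line also collapses the -EINVAL that setup_signal_shadow_stack() returns for a missing sa_restorer (and from shstk_push_sigframe()) into -EFAULT; if the caller does not care about the distinction, returning the error unchanged (as the rt_sigreturn hunk's `goto badframe` effectively does) avoids the question of why it is remapped.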
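The mechanism the commit message describes (push the previous SSP as a tagged token, push the restorer below it, and on sigreturn accept only a properly tagged token) is easier to follow in a userspace model than in the kernel hunks. The following is an added example written for this page, not code from the patch or the kernel: it keeps a toy shadow stack in an array, mirrors the push/pop logic of setup_signal_shadow_stack() and restore_signal_shadow_stack(), and shows both the normal round trip and why a sigreturn issued with no signal frame on the shadow stack is refused. Assumptions: the shadow stack data format is modelled as "bit 63 set", which is what the earlier, not-on-this-page patch defining put_shstk_data()/get_shstk_data() is taken to do; TASK_SIZE_MAX is an approximate x86-64 constant; the addresses are constructed sample values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SS_FRAME_SIZE   8ULL
#define SHSTK_DATA_BIT  (1ULL << 63)           /* assumed marker bit of the shstk data format */
#define TASK_SIZE_MAX   0x00007ffffffff000ULL  /* assumed x86-64 user address ceiling */
#define IS_ALIGNED(x, a) (((x) & ((a) - 1)) == 0)

/* Toy shadow stack: SHSTK_SLOTS 8-byte slots backing a constructed address range. */
#define SHSTK_SLOTS 16
static uint64_t shstk_mem[SHSTK_SLOTS];
static const uint64_t shstk_base = 0x7f0000001000ULL;   /* constructed sample base */
#define SHSTK_TOP (shstk_base + SHSTK_SLOTS * 8)

static uint64_t *shstk_slot(uint64_t addr)
{
    if (addr < shstk_base || addr >= SHSTK_TOP || !IS_ALIGNED(addr, 8))
        return NULL;
    return &shstk_mem[(addr - shstk_base) / 8];
}

/* Plain 8-byte store, the role write_user_shstk_64() plays in the patch. */
static int write_user_shstk_64(uint64_t addr, uint64_t val)
{
    uint64_t *slot = shstk_slot(addr);
    if (!slot)
        return -EFAULT;
    *slot = val;
    return 0;
}

/* Store data tagged with the marker bit so it can never be consumed as a return address. */
static int put_shstk_data(uint64_t addr, uint64_t data)
{
    if (data & SHSTK_DATA_BIT)
        return -EINVAL;
    return write_user_shstk_64(addr, data | SHSTK_DATA_BIT);
}

/* Read a tagged value back; a slot holding an ordinary return address is rejected. */
static int get_shstk_data(uint64_t *data, uint64_t addr)
{
    uint64_t *slot = shstk_slot(addr);
    if (!slot)
        return -EFAULT;
    if (!(*slot & SHSTK_DATA_BIT))
        return -EINVAL;
    *data = *slot & ~SHSTK_DATA_BIT;
    return 0;
}

/* Signal delivery: push the previous SSP as a token, then the restorer address below it. */
static int setup_signal_shadow_stack(uint64_t *ssp, uint64_t restorer)
{
    uint64_t target_ssp = *ssp, new_ssp;
    if (!restorer || !IS_ALIGNED(target_ssp, 8))
        return -EINVAL;
    new_ssp = target_ssp - SS_FRAME_SIZE;
    if (put_shstk_data(new_ssp, target_ssp))
        return -EFAULT;
    new_ssp -= SS_FRAME_SIZE;
    if (write_user_shstk_64(new_ssp, restorer))
        return -EFAULT;
    *ssp = new_ssp;   /* the patch commits this with wrmsrl(MSR_IA32_PL3_SSP, ssp) */
    return 0;
}

/* sigreturn: SSP must point at a valid token; SSP is restored to the value it carries. */
static int restore_signal_shadow_stack(uint64_t *ssp)
{
    uint64_t token_addr;
    int err = get_shstk_data(&token_addr, *ssp);
    if (err)
        return err;
    if (!IS_ALIGNED(token_addr, 8) || token_addr >= TASK_SIZE_MAX)
        return -EINVAL;
    *ssp = token_addr;
    return 0;
}

/* Hardware-style CALL/RET on the toy stack: RET pops a slot that must match the real return address. */
static void shstk_call(uint64_t *ssp, uint64_t ret_addr)
{
    *ssp -= 8;
    *shstk_slot(*ssp) = ret_addr;
}

static int shstk_ret(uint64_t *ssp, uint64_t ret_addr)
{
    uint64_t *slot = shstk_slot(*ssp);
    if (!slot || *slot != ret_addr)
        return -1;   /* a real CPU raises a control-protection fault here */
    *ssp += 8;
    return 0;
}

/* Call, signal, handler returns to the restorer, restorer calls sigreturn.
 * Returns 0 when SSP ends exactly where it started, else the failing step number. */
int demo_signal_round_trip(void)
{
    const uint64_t restorer = 0x401000ULL, caller_ret = 0x402000ULL;  /* constructed */
    uint64_t ssp = SHSTK_TOP, ssp_before;

    shstk_call(&ssp, caller_ret);                 /* program makes an ordinary call */
    ssp_before = ssp;
    if (setup_signal_shadow_stack(&ssp, restorer))
        return 1;
    if (shstk_ret(&ssp, restorer))                /* handler's RET lands on the restorer */
        return 2;
    if (restore_signal_shadow_stack(&ssp))        /* restorer invokes sigreturn */
        return 3;
    if (ssp != ssp_before)
        return 4;
    return shstk_ret(&ssp, caller_ret) ? 5 : 0;   /* original return is still intact */
}

/* sigreturn with no signal frame: SSP points at a plain return address, which lacks the
 * marker bit, so the token check fails with -EINVAL instead of moving SSP. */
int demo_sigreturn_without_frame(void)
{
    uint64_t ssp = SHSTK_TOP;
    shstk_call(&ssp, 0x402000ULL);
    return restore_signal_shadow_stack(&ssp);
}

int main(void)
{
    printf("round trip: %d\n", demo_signal_round_trip());
    printf("sigreturn without frame: %d\n", demo_sigreturn_without_frame());
    return 0;
}
```

The model deliberately keeps the patch's two checks on the popped value (alignment and the user-space ceiling) and nothing else, so it also illustrates the point that the tag bit in get_shstk_data() is what distinguishes a kernel-pushed token from any other 8 bytes on the shadow stack.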