Date: Tue, 19 Dec 2023 17:15:50 +0000
From: "szabolcs.nagy@arm.com"
To: "H.J. Lu"
Cc: "Edgecombe, Rick P", "libc-alpha@sourceware.org"
Subject: Re: [PATCH 11/17] x86/cet: Sync with Linux kernel 6.6 shadow stack interface

The 12/18/2023 11:06, H.J. Lu wrote:
> On Mon, Dec 18, 2023 at 2:54 AM szabolcs.nagy@arm.com wrote:
> > it does if it scans.
> >
> > for (;; targetssp--) {
> >   if (targetssp == ssp) do_samestack();
> >   if (*targetssp == restoretoken) do_differentstack();
> > }
> >
> > the only problem i see is if the target shadow stack is
> > different from the current one and does not end in a restore
> > token. but i think that is a user error.
>
> Yes, it works. But it is hard to tell its performance overhead.
>
> > if we plan to introduce altshadowstack then this does not
> > work in case of shadow stack overflow because the overflowed
> > shadow stack cannot be jumped to even though in practice we
> > want that to work.
> >
>
> I'd like to support shadow stack in glibc 2.39. Since my patch
> doesn't enable shadow stack by default, it doesn't have any
> functionality impact on users. It allows us to evaluate shadow
> stack support in all packages. We may need to use WRUSS
> to enable shadow stack for some packages. But users and
> developers can't see how shadow stack works if shadow stack
> can't be turned on.

ok.

> From 3dba6d876db6a47b66a680bb4aa85b1db63aa3f8 Mon Sep 17 00:00:00 2001
> From: "H.J. Lu"
> Date: Wed, 13 Dec 2023 17:50:47 -0800
> Subject: [PATCH] x86-64/cet: Check the restore token in longjmp
>
> setcontext and swapcontext put a restore token on the old shadow stack
> so that they switch to a different shadow stack when switching user
> contexts. When longjmp from a user context, the target shadow stack
> can be different from the current shadow stack and INCSSP can't be
> used to restore the shadow stack pointer to the target shadow stack.
> Update longjmp to search for a restore token. If found, use the token
> to restore the shadow stack pointer before using INCSSP to pop the
> shadow stack. Stop the token search and use INCSSP if the shadow stack
> entry value is the same as the current shadow stack pointer.
>
> It is a user error if there is a shadow stack switch without leaving a
> restore token on the old shadow stack.

looks good except missing saveprevssp below

> --- > sysdeps/x86_64/__longjmp.S | 28 +++++++++++++++++++++++++++- > 1 file changed, 27 insertions(+), 1 deletion(-) > > diff --git a/sysdeps/x86_64/__longjmp.S b/sysdeps/x86_64/__longjmp.S > index 9ac075e0a8..b106affdcd 100644 > --- a/sysdeps/x86_64/__longjmp.S > +++ b/sysdeps/x86_64/__longjmp.S
> @@ -63,9 +63,35 @@ ENTRY(__longjmp) > /* Check and adjust the Shadow-Stack-Pointer. */ > /* Get the current ssp. */ > rdsspq %rax > + /* Save the current ssp. */ > + movq %rax, %r10 > /* And compare it with the saved ssp value. */ > - subq SHADOW_STACK_POINTER_OFFSET(%rdi), %rax > + movq SHADOW_STACK_POINTER_OFFSET(%rdi), %rcx > + subq %rcx, %rax > je L(skip_ssp) > + > +L(find_restore_token_loop): > + /* Look for a restore token. */ > + movq -8(%rcx), %rbx > + andq $-8, %rbx > + cmpq %rcx, %rbx > + /* Find the restore token. */ > + je L(restore_shadow_stack) > + > + /* Try the next slot. */ > + subq $8, %rcx > + /* Stop if the current ssp is found. */ > + cmpq %rcx, %r10 > + je L(no_shadow_stack_token) > + jmp L(find_restore_token_loop) > + > +L(restore_shadow_stack): > + /* Restore the target shadow stack. */ > + rstorssp -8(%rcx) > + rdsspq %rax > + subq SHADOW_STACK_POINTER_OFFSET(%rdi), %rax > + i'd use saveprevssp in this case so the old shadow stack remains resumable with a later longjmp. > +L(no_shadow_stack_token): > /* Count the number of frames to adjust and adjust it > with incssp instruction. The instruction can adjust > the ssp by [0..255] value only thus use a loop if > -- > 2.43.0 >
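
Review bot: the scan at L(find_restore_token_loop) stops only on a token match or when `cmpq %rcx, %r10` hits exact equality, so a saved ssp on another shadow stack that carries no restore token, or a saved ssp below the current one, makes the loop keep reading `-8(%rcx)` at ever lower addresses with no bound. The commit message calls the missing-token case a user error; a comment at the loop saying so, and noting that the cost is linear in the distance scanned, would make the contract visible in the code. The loop also uses %rbx as scratch (`movq -8(%rcx), %rbx`), which is safe only if %rbx is reloaded from the jmp_buf after this block; that reload is not visible in the hunk, so either say so in a comment or use a register that is not callee-saved. The comment `/* Find the restore token. */` sits on the branch taken once the token has been found and would read better as "Found the restore token".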
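
A C model of the scan discussed in this thread, added here as an example and not code from glibc or from either poster: two arrays stand in for shadow stacks, and the scan walks down from the saved ssp until it meets the current ssp or a restore token. The `max_slots` bound, `run_case`, `last_gap` and the slot values are assumptions of the model; the patch's loop has no such bound and re-reads the real ssp with `rdsspq` instead of computing a gap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum scan_result { SAME_STACK, DIFFERENT_STACK, NO_TOKEN };
static size_t last_gap;   /* slots between the scan's stop point and saved ssp */

/* Scan down from the saved ssp as L(find_restore_token_loop) does.  A token
   at slot A holds A + 8 with flag bits in the low 3 bits ("andq $-8").
   Assumption of this model only: the scan is capped at max_slots. */
static enum scan_result scan(const uint64_t *cur, const uint64_t *target,
                             size_t max_slots, size_t *gap)
{
    const uint64_t *p = target;
    if (p == cur) return SAME_STACK;            /* je L(skip_ssp) */
    for (size_t i = 0; i < max_slots; i++) {
        if ((p[-1] & ~(uint64_t)7) == (uint64_t)(uintptr_t)p) {
            *gap = (size_t)(target - p);        /* p is the ssp the token names */
            return DIFFERENT_STACK;
        }
        if (--p == cur) {                       /* reached the current ssp */
            *gap = (size_t)(target - cur);
            return SAME_STACK;
        }
    }
    return NO_TOKEN;                            /* the "user error" case */
}

/* Constructed scenarios: 0 = same stack, 1 = other stack with a token,
   2 = other stack without one.  Slot values are fake return addresses. */
static enum scan_result run_case(int which)
{
    static uint64_t a[16], b[16];
    for (int i = 0; i < 16; i++)
        a[i] = b[i] = 0x100 + 8 * (uint64_t)i;
    if (which == 1)                             /* token left by swapcontext */
        b[5] = (uint64_t)(uintptr_t)&b[6] | 1;
    last_gap = 0;
    return which == 0 ? scan(&a[3], &a[10], 16, &last_gap)
                      : scan(&a[3], &b[9], 9, &last_gap);
}

int main(void)
{
    for (int c = 0; c < 3; c++)
        printf("case %d -> %d\n", c, (int)run_case(c));
    return 0;
}
```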