Re: [PATCH v6 00/41] Shadow stacks for userspace

From: Kees Cook
Date: Sun Feb 19 2023 - 22:42:28 EST


On Sat, Feb 18, 2023 at 01:13:52PM -0800, Rick Edgecombe wrote:
> This series implements Shadow Stacks for userspace using x86's Control-flow
> Enforcement Technology (CET). CET consists of two related security features:
> shadow stacks and indirect branch tracking. This series implements just the
> shadow stack part of this feature, and just for userspace.

Okay, I've done some bare metal testing, and it all looks happy. The
selftest passes, and I can see the stack address mismatch get
detected if I explicitly rewrite the saved function pointer on the stack:

[INFO] Want normal flow
[INFO] Found 0x401890 @ 0x7fff47cf2ef8
[INFO] Normal execution flow
[INFO] Want to redirect
[INFO] Found 0x401890 @ 0x7fff47cf2ef8
[INFO] Hijacked execution flow
[INFO] Enabling shadow stack
[INFO] Want to redirect
[INFO] Found 0x401890 @ 0x7fff47cf2ef8
Segmentation fault (core dumped)

Tested-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook