Re: [PATCH v6 19/41] x86/mm: Check shadow stack page fault errors

[David Hildenbrand]

On 23.02.23 00:07, Edgecombe, Rick P wrote:
> On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote:
> > >     
> > > +     /*
> > > +      * When a page becomes COW it changes from a shadow stack
> > > permission
> > > +      * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1),
> > > which is simply
> > > +      * read-only to the CPU. When shadow stack is enabled, a RET
> > > would
> > > +      * normally pop the shadow stack by reading it with a "shadow
> > > stack
> > > +      * read" access. However, in the COW case the shadow stack
> > > memory does
> > > +      * not have shadow stack permissions, it is read-only. So it
> > > will
> > > +      * generate a fault.
> > > +      *
> > > +      * For conventionally writable pages, a read can be serviced
> > > with a
> > > +      * read only PTE, and COW would not have to happen. But for
> > > shadow
> > > +      * stack, there isn't the concept of read-only shadow stack
> > > memory.
> > > +      * If it is shadow stack permission, it can be modified via
> > > CALL and
> > > +      * RET instructions. So COW needs to happen before any memory
> > > can be
> > > +      * mapped with shadow stack permissions.
> > > +      *
> > > +      * Shadow stack accesses (read or write) need to be serviced
> > > with
> > > +      * shadow stack permission memory, so in the case of a shadow
> > > stack
> > > +      * read access, treat it as a WRITE fault so both COW will
> > > happen and
> > > +      * the write fault path will tickle maybe_mkwrite() and map
> > > the memory
> > > +      * shadow stack.
> > > +      */
> >
> > Again, I suggest dropping all details about COW from this comment
> > and
> > from the patch description. It's just one such case that can happen.
>
> Hi David,

Hi Rick,

> I was just trying to edit this one to drop COW details, but I think in
> this case, one of the major reasons for the code *is* actually COW. We
> are not working around the whole inadvertent shadow stack memory piece
> here, but something else: Making sure shadow stack memory is faulted in
> and doing COW if required to make this possible. I came up with this,
> does it seem better?

Regarding the fault handling I completely agree. We have to treat a read 
like a write event. And as read-only shadow stack PTEs don't exist, we 
have to tell the MM to create a writable one for us.

> /*
>   * For conventionally writable pages, a read can be serviced with a
>   *
> read only PTE. But for shadow stack, there isn't a concept of
>   * read-
> only shadow stack memory. If it a PTE has the shadow stack
>   *
> permission, it can be modified via CALL and RET instructions. So
>   * core
> MM needs to fault in a writable PTE and do things it already
>   * does for
> write faults.
>   *
>   * Shadow stack accesses (read or write) need to be
> serviced with
>   * shadow stack permission memory, so in the case of a
> shadow stack
>   * read access, treat it as a WRITE fault so both any
> required COW will
>   * happen and the write fault path will tickle
> maybe_mkwrite() and map
>   * the memory shadow stack.
>   */

That sounds good! I'd rewrite the last part slightly.

"
Shadow stack accesses (read or write) need to be serviced with
shadow stack permission memory, which always include write permissions. 
So in the case of a shadow stack read access, treat it as a WRITE fault. 
This will make sure that MM will prepare everything (e.g., break COW) 
such that maybe_mkwrite() can create a proper shadow stack PTE.
"

--
Thanks,

David / dhildenb