[PATCH v14 24/26] x86/cet/shstk: Handle thread shadow stack

Mon, 12 Oct 2020 08:41:52 -0700 

The kernel allocates (and frees on thread exit) a new shadow stack for a
pthread child.

    It is possible for the kernel to complete the clone syscall and set the
    child's shadow stack pointer to NULL and let the child thread allocate
    a shadow stack for itself.  There are two issues in this approach: It
    is not compatible with existing code that does inline syscall and it
    cannot handle signals before the child can successfully allocate a
    shadow stack.

A 64-bit shadow stack has a size of min(RLIMIT_STACK, 4 GB).  A compat-mode
thread shadow stack has a size of 1/4 min(RLIMIT_STACK, 4 GB).  This allows
more threads to run in a 32-bit address space.

Signed-off-by: Yu-cheng Yu <yu-cheng...@intel.com>
---
 arch/x86/include/asm/cet.h         |  3 ++
 arch/x86/include/asm/mmu_context.h |  3 ++
 arch/x86/kernel/cet.c              | 44 ++++++++++++++++++++++++++++++
 arch/x86/kernel/process.c          |  7 +++++
 4 files changed, 57 insertions(+)

diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h
index 73435856ce54..ec4b5e62d0ce 100644
--- a/arch/x86/include/asm/cet.h
+++ b/arch/x86/include/asm/cet.h
@@ -18,12 +18,15 @@ struct cet_status {
 
 #ifdef CONFIG_X86_CET
 int cet_setup_shstk(void);
+int cet_setup_thread_shstk(struct task_struct *p, unsigned long clone_flags);
 void cet_disable_shstk(void);
 void cet_free_shstk(struct task_struct *p);
 int cet_verify_rstor_token(bool ia32, unsigned long ssp, unsigned long 
*new_ssp);
 void cet_restore_signal(struct sc_ext *sc);
 int cet_setup_signal(bool ia32, unsigned long rstor, struct sc_ext *sc);
 #else
+static inline int cet_setup_thread_shstk(struct task_struct *p,
+                                        unsigned long clone_flags) { return 0; 
}
 static inline void cet_disable_shstk(void) {}
 static inline void cet_free_shstk(struct task_struct *p) {}
 static inline void cet_restore_signal(struct sc_ext *sc) { return; }
diff --git a/arch/x86/include/asm/mmu_context.h 
b/arch/x86/include/asm/mmu_context.h
index d98016b83755..ceb593e405e1 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -11,6 +11,7 @@
 
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
+#include <asm/cet.h>
 #include <asm/debugreg.h>
 
 extern atomic64_t last_mm_ctx_id;
@@ -142,6 +143,8 @@ do {                                                \
 #else
 #define deactivate_mm(tsk, mm)                 \
 do {                                           \
+       if (!tsk->vfork_done)                   \
+               cet_free_shstk(tsk);            \
        load_gs_index(0);                       \
        loadsegment(fs, 0);                     \
 } while (0)
diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c
index 728d9baceb74..d57f3a433af9 100644
--- a/arch/x86/kernel/cet.c
+++ b/arch/x86/kernel/cet.c
@@ -172,6 +172,50 @@ int cet_setup_shstk(void)
        return 0;
 }
 
+int cet_setup_thread_shstk(struct task_struct *tsk, unsigned long clone_flags)
+{
+       unsigned long addr, size;
+       struct cet_user_state *state;
+       struct cet_status *cet = &tsk->thread.cet;
+
+       if (!cet->shstk_size)
+               return 0;
+
+       if ((clone_flags & (CLONE_VFORK | CLONE_VM)) != CLONE_VM)
+               return 0;
+
+       state = get_xsave_addr(&tsk->thread.fpu.state.xsave,
+                              XFEATURE_CET_USER);
+
+       if (!state)
+               return -EINVAL;
+
+       /* Cap shadow stack size to 4 GB */
+       size = min(rlimit(RLIMIT_STACK), 1UL << 32);
+
+       /*
+        * Compat-mode pthreads share a limited address space.
+        * If each function call takes an average of four slots
+        * stack space, we need 1/4 of stack size for shadow stack.
+        */
+       if (in_compat_syscall())
+               size /= 4;
+       size = round_up(size, PAGE_SIZE);
+       addr = alloc_shstk(size, 0);
+
+       if (IS_ERR_VALUE(addr)) {
+               cet->shstk_base = 0;
+               cet->shstk_size = 0;
+               return PTR_ERR((void *)addr);
+       }
+
+       fpu__prepare_write(&tsk->thread.fpu);
+       state->user_ssp = (u64)(addr + size);
+       cet->shstk_base = addr;
+       cet->shstk_size = size;
+       return 0;
+}
+
 void cet_disable_shstk(void)
 {
        struct cet_status *cet = &current->thread.cet;
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index ff3b44d6740b..67632ba893b7 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -110,6 +110,7 @@ void exit_thread(struct task_struct *tsk)
 
        free_vm86(t);
 
+       cet_free_shstk(tsk);
        fpu__drop(fpu);
 }
 
@@ -182,6 +183,12 @@ int copy_thread(unsigned long clone_flags, unsigned long 
sp, unsigned long arg,
        if (clone_flags & CLONE_SETTLS)
                ret = set_new_tls(p, tls);
 
+#ifdef CONFIG_X86_64
+       /* Allocate a new shadow stack for pthread */
+       if (!ret)
+               ret = cet_setup_thread_shstk(p, clone_flags);
+#endif
+
        if (!ret && unlikely(test_tsk_thread_flag(current, TIF_IO_BITMAP)))
                io_bitmap_share(p);
 
-- 
2.21.0

Reply via email to