Xen project Mailing List

[PATCH 14/16] x86/alt: Adjust _alternative_instructions() to not create shadow stacks

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 1 May 2020 23:58:36 +0100

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@xxxxxxxxxx; spf=Pass smtp.mailfrom=Andrew.Cooper3@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Fri, 01 May 2020 23:04:25 +0000

Ironport-sdr: LwgmbsDFxdS+tPhQKNfQOdklFvxXZDioEMP9BKxTatOmGiSlPKvotKZZwqe3z+LlvdvTNSoFug NJ2mHwyf1Ao8tw+o6ofA7ZWar0nPm/qP15wYYp3kPU9d9mj5tHrECaarbawvhyN6nNML/mr2zj nV6vc007LnblHHWt4VgzZNHORmk98DXVTGnb9tKQ23wuwFb3Z69Sj6/2mDLXs0eRRopJDOE/J5 bDq1LMsTN2dNfIyG4ZSHRsaXwMf2x/ZRetoDZ9OmSoGfZ/vGglnjx+g51ZgbGV/iEsQcEvHcRj Xzk=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The current alternatives algorithm clears CR0.WP and writes into .text. This has a side effect of the mappings becoming shadow stacks once CET is active. Adjust _alternative_instructions() to clean up after itself. This involves extending the set of bits modify_xen_mappings() to include Dirty (and Accessed for good measure). Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Wei Liu <wl@xxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- xen/arch/x86/alternative.c | 14 ++++++++++++++ xen/arch/x86/mm.c | 6 +++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index ce2b4302e6..004e9ede25 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -21,6 +21,7 @@ #include <asm/processor.h> #include <asm/alternative.h> #include <xen/init.h> +#include <asm/setup.h> #include <asm/system.h> #include <asm/traps.h> #include <asm/nmi.h> @@ -398,6 +399,19 @@ static void __init _alternative_instructions(bool force) panic("Timed out waiting for alternatives self-NMI to hit\n"); set_nmi_callback(saved_nmi_callback); + + /* + * When Xen is using shadow stacks, the alternatives clearing CR0.WP and + * writing into the mappings set dirty bits, turning the mappings into + * shadow stack mappings. + * + * While we can execute from them, this would also permit them to be the + * target of WRSS instructions, so reset the dirty after patching. + */ + if ( cpu_has_xen_shstk ) + modify_xen_mappings(XEN_VIRT_START + MB(2), + (unsigned long)&__2M_text_end, + PAGE_HYPERVISOR_RX); } void __init alternative_instructions(void) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 4e2c3c9735..26b01cb917 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5448,8 +5448,8 @@ int populate_pt_range(unsigned long virt, unsigned long nr_mfns) * mappings, but will shatter superpages if necessary, and will destroy * mappings if not passed _PAGE_PRESENT. * - * The only flags considered are NX, RW and PRESENT. All other input flags - * are ignored. + * The only flags considered are NX, D, A, RW and PRESENT. All other input + * flags are ignored. * * It is an error to call with present flags over an unpopulated range. */ @@ -5462,7 +5462,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) unsigned long v = s; /* Set of valid PTE bits which may be altered. */ -#define FLAGS_MASK (_PAGE_NX|_PAGE_RW|_PAGE_PRESENT) +#define FLAGS_MASK (_PAGE_NX|_PAGE_DIRTY|_PAGE_ACCESSED|_PAGE_RW|_PAGE_PRESENT) nf &= FLAGS_MASK; ASSERT(IS_ALIGNED(s, PAGE_SIZE)); -- 2.11.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.