Xen project Mailing List

Re: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Wed, 16 Mar 2022 19:23:00 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=YyJiFnqb2mvWHh6Pi1BTMc8UiOIEWmx0GZL2NWtEag0=; b=JpEwGILQyFmhck9k6rwE9gzMau09NDCw0W3ytre8Kg76haIIYs+Nr0UxL3xGawk9xUDpvNl6nJ9TTE7jRttHQf1Nk7xNrPQgYxB9eqS5gVPYhkRAD9klbae9Vn6qaWd+FNYSV2oGNRL8kd1eGmx7OIa7ArUe1OiVkVcpnWt35RDRwlwkKXTt5tT7CAy1fVc5ZfXHPSjV/lL0QJpIBQu27qf1OSKHArcbAqlhlSGFJnzAJSgNzXncxBuQ/eOiinYrJjnM6qrrldeCl5SLLg9qcF7owCM3KSW+sUpbn7M2Uxq94voURgaC9xLn9HeiKOdz85IxX6TSuSAXfLWzgm23iA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MJw2r4XtmMoKdpqtLP5XoLOrOD9Asx3dVV4BBExi7/ga2NxNHs6y26M/eoR7lSZVxpFQxjjchp7Sk7LAF5skdtUEncmd1Ako+/S/qFiv/gj7BWSgzSKD3eAiwHXpQSbImsfXUIaVVpb52cb1OeJ63S9oLoAb7YUOhqApjeIYCdLHgDiyGPE/VMegFb9xAQZpoJc0tA/AJ9xdJ/j9lbuQtLTM9/DF/PFRu/wzaTx/SnfBy8u0jwXPIaVC4yzxkVt8OE9+Q5XZLVjXEYayUCRMPNDhGvP4n0oXpKBGzZ4wqTazWVKDJ2IsCXjjK8v6w7KTKjpOvlkTDBS/vRBKfSuBIw==

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 16 Mar 2022 19:23:24 +0000

Ironport-data: A9a23:zY1T4KCaUdaRLRVW/xTjw5YqxClBgxIJ4kV8jS/XYbTApGx332MHn GBNWG+AaPuJZzTxKd9zPIji9U0O75GDy9MyQQY4rX1jcSlH+JHPbTi7wuYcHM8wwunrFh8PA xA2M4GYRCwMZiaA4E/raNANlFEkvU2ybuOU5NXsZ2YgHWeIdA970Ug5w7Vg3NYy6TSEK1jlV e3a8pW31GCNg1aYAkpMg05UgEoy1BhakGpwUm0WPZinjneH/5UmJMt3yZWKB2n5WuFp8tuSH I4v+l0bElTxpH/BAvv9+lryn9ZjrrT6ZWBigVIOM0Sub4QrSoXfHc/XOdJFAXq7hQllkPhyx /FurJWQVT4JYJfNvMZaTAVjSj1XaPguFL/veRBTsOSWxkzCNXDt3+9vHAc9OohwFuRfWD8Us 6ZCcXZUM07F17neLLGTE4GAguwKKsXxMZxZkXZn1TzDVt4tQIzZQrWM7thdtNs1rp4QQayDP JFHAdZpRBr5QCUUNwc7MZMvv6SBhn7wTjZajk3A8MLb5ECMlVcsgdABKuH9f9WQQMxPk0Wwp 2TY/n/4CBUXKNyezzWe9numwOTImEvTSI8UUbG16PNuqFmS3XAITg0bU0Ohpvu0gVL4XMhQQ 2QW8Cczqak59GSwU8LwGRa/pRasoRo0S9dWVeog52mwJrH8uljDQDJeF3gYNYJg5JReqSEWO kGhnNzNJiVmkKGsaSyn95O26iyuAnEJBDpXDcMbdjct797mqYA1qxvASNd/DaK45uHI9SHML yOi93Zn2ehK5SIf/+DipA2c3WrwznTcZlRtjjg7SF5J+e+QiGSNQ4WzoWbW4v9bRGpyZgnQ5 SNU8yRyAQ1nMH1sqMBvaLhVdF1Kz6zcWNE5vbKJN8J5n9hK0yT/Fb28GBkkeC9U3j8sIFcFm nP7twJL/4N0N3C3d6JxaI/ZI510kfe6RI68DKCNNIAmjn1NmOmvp3gGiam4hTyFraTRuftnZ cfznTiEUB729piLPBLpHrxAgNfHNwg1xH/JRICT8vhU+eH2WZJhcp9caAHmRrlgtMus+VyJm /4CZ5ri40gOC4XWP3iImbP/2HhXdBDX87it8JcJHgNCSyI7cFwc5wj5mupwJdY6w/wLyo8lP BiVAydl9bY2vlWeQS2iYXF/crL/G5F5qHMwJys3Oli0nXMkZO6SAG03LvPboZFPGDRf8MNJ

Ironport-hdrordr: A9a23:Dr9hSajuNFXE30z1DMOo4pTusXBQX3p13DAbv31ZSRFFG/FwyP rBoB1L73DJYWgqNE3IwerwRJVpQRvnhPpICRF4B8btYOCUghrWEGgE1/qi/9SAIVywygc578 ZdmsdFeaXN5DRB/KTHCUyDYqsdKbq8geCVbIXlvgxQpGhRAskKhWoYe2Wm+w9NNXN77PICZc ChD6F81l2dkAEsH72G7w4+Lo7+TrPw5ffbSC9DIyRixBiFjDuu5rK/OQOfxA0iXzRGxqpn2X TZkiTij5/T8M2T+1v57Sv+/p5WkNzuxp9oH8qXkPUYLT3ql0KBeJlhYbufpzo4ydvfqmrC0e O85ivIDf4DrE85TVvF5ycFHDOQiQrG3kWSjWNwR0GT+fARCghKUPapzrgpDCcxo3BQze2Ulp g7gl5x/qAnfi8p1k7Glqj1fgAvmUyurXU4l+kPy3RZTIsFcbdU6ZcS5UVPDf47bWjHAa0cYa FT5fvnlb1rmJKhHgfkl3gqxMbpUmU4Hx+ATERHssuJ0yJOlHQ8y0cD3sQQknoJ6Zp4EvB/lq j5G7UtkKsLQt4dbKp7CutEScyrCnbVSRaJNG6JO1zoGKwOJnqIoZ/q57c+4v2sZfUzvdYPsY WEVEkduX85ekroB8HL1JpX8grVSGH4RjjpwtE23ekxhlQ9fsucDcSuciFaryL7mYRsPiTyYY fGBK5r

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYOI1bRL6jiuzp4UWoineooRKJ46zBsAOAgAC1YIA=

Thread-topic: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack

On 16/03/2022 08:33, Jan Beulich wrote: > On 15.03.2022 17:53, Andrew Cooper wrote: >> An unintended consequence of the BSP using cpu0_stack[] is that writeable >> mappings to the BSPs shadow stacks are retained in the bss. This renders >> CET-SS almost useless, as an attacker can update both return addresses and >> the >> ret will not fault. >> >> We specifically don't want the shatter the superpage mapping .data/.bss, so >> the only way to fix this is to not have the BSP stack in the main Xen image. >> >> Break cpu_alloc_stack() out of cpu_smpboot_alloc(), and dynamically allocate >> the BSP stack as early as reasonable in __start_xen(). As a consequence, >> there is no need to delay the BSP's memguard_guard_stack() call. >> >> Copy the top of cpu info block just before switching to use the new stack. >> Fix a latent bug by setting %rsp to info->guest_cpu_user_regs rather than >> ->es; this would be buggy if reinit_bsp_stack() called schedule() (which >> rewrites the GPR block) directly, but luckily it doesn't. > While I don't mind the change, I also don't view the original code as > latently buggy. (Just a remark, not a request to change anything.) This is practically a textbook definition of a latent bug. Using one of a number of functions in Xen will either read utter garbage off the stack, or clobber the stack frame and most likely a return address, and the reason this hasn't exploded is luck, not design. > >> --- a/xen/arch/x86/setup.c >> +++ b/xen/arch/x86/setup.c >> @@ -148,7 +148,7 @@ cpumask_t __read_mostly cpu_present_map; >> >> unsigned long __read_mostly xen_phys_start; >> >> -char __section(".bss.stack_aligned") __aligned(STACK_SIZE) >> +char __section("init.bss.stack_aligned") __aligned(STACK_SIZE) >> cpu0_stack[STACK_SIZE]; > I guess the section name was meant to start with a dot, matching > the linker script change? You should actually have seen > --orphan-handling in action here ... It does, now that I've rebased on staging. >> --- a/xen/arch/x86/xen.lds.S >> +++ b/xen/arch/x86/xen.lds.S >> @@ -215,8 +215,9 @@ SECTIONS >> } PHDR(text) >> DECL_SECTION(.init.data) { >> #endif >> + . = ALIGN(STACK_SIZE); >> + *(.init.bss.stack_aligned) > No real need for the ALIGN() here - it's the contributions to the > section which ought to come with proper alignment. Imo ALIGN() > should only ever be there ahead of a symbol definition, as otherwise > the symbol might not mark what it is intended to mark due to padding > which might be inserted. See also 01fe4da6243b ("x86: force suitable > alignment in sources rather than in linker script"). > > Really we should consider using > > *(SORT_BY_ALIGNMENT(.init.data .init.data.* .init.bss.*)) > > While I can see your point against forcing sorting by alignment > globally, this very argument doesn't apply here (at least until > there appeared a way for the section attribute and -fdata-sections > to actually interact, such that .init.* could also become per- > function/object). > > Then again - this block of zeroes doesn't need to occupy space in > the binary. It already occupies space, because of mkelf32. > It could very well live in a @nobits .init.bss in the > final ELF binary. But sadly the section isn't @nobits in the object > file, and with that there would need to be a way to make the linker > convert it to @nobits (and I'm unaware of such). What would work is > naming the section .bss.init.stack_aligned (or e.g. > .bss..init.stack_aligned to make it easier to separate it from > .bss.* in the linker script) - that'll make gcc mark it @nobits. Living in .bss would prevent it from being reclaimed. We've got several nasty bugs from shooting holes in the Xen image, and too many special cases already. Furthermore, we're talking about initdata here. Size is not a concern, especially when its 7-9 orders of magnitude smaller than typical systems. The choice here is between between (theoretically but not in practice) extra space on disk, and not reclaiming 32k of init data after boot. >> - . = ALIGN(POINTER_ALIGN); >> __initdata_cf_clobber_start = .; > As a consequence, this ALIGN() shouldn't go away. The only present > contribution to the section is as large as its alignment, but that's > not generally a requirement. It would actually be a severe error for there to be anything in here with less than pointer alignment, because of how the section gets walked. But I'll keep the ALIGN() in. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.