// SPDX-License-Identifier: GPL-2.0 /* * shstk.c - Intel shadow stack support * * Copyright (c) 2021, Intel Corporation. * Yu-cheng Yu <[email protected]> */ #include <linux/sched.h> #include <linux/bitops.h> #include <linux/types.h> #include <linux/mm.h> #include <linux/mman.h> #include <linux/slab.h> #include <linux/uaccess.h> #include <linux/sched/signal.h> #include <linux/compat.h> #include <linux/sizes.h> #include <linux/user.h> #include <linux/syscalls.h> #include <asm/msr.h> #include <asm/fpu/xstate.h> #include <asm/fpu/types.h> #include <asm/shstk.h> #include <asm/special_insns.h> #include <asm/fpu/api.h> #include <asm/prctl.h> #define SS_FRAME_SIZE … static bool features_enabled(unsigned long features) { … } static void features_set(unsigned long features) { … } static void features_clr(unsigned long features) { … } /* * Create a restore token on the shadow stack. A token is always 8-byte * and aligned to 8. */ static int create_rstor_token(unsigned long ssp, unsigned long *token_addr) { … } /* * VM_SHADOW_STACK will have a guard page. This helps userspace protect * itself from attacks. The reasoning is as follows: * * The shadow stack pointer(SSP) is moved by CALL, RET, and INCSSPQ. The * INCSSP instruction can increment the shadow stack pointer. It is the * shadow stack analog of an instruction like: * * addq $0x80, %rsp * * However, there is one important difference between an ADD on %rsp * and INCSSP. In addition to modifying SSP, INCSSP also reads from the * memory of the first and last elements that were "popped". It can be * thought of as acting like this: * * READ_ONCE(ssp); // read+discard top element on stack * ssp += nr_to_pop * 8; // move the shadow stack * READ_ONCE(ssp-8); // read+discard last popped stack element * * The maximum distance INCSSP can move the SSP is 2040 bytes, before * it would read the memory. Therefore a single page gap will be enough * to prevent any operation from shifting the SSP to an adjacent stack, * since it would have to land in the gap at least once, causing a * fault. */ static unsigned long alloc_shstk(unsigned long addr, unsigned long size, unsigned long token_offset, bool set_res_tok) { … } static unsigned long adjust_shstk_size(unsigned long size) { … } static void unmap_shadow_stack(u64 base, u64 size) { … } static int shstk_setup(void) { … } void reset_thread_features(void) { … } unsigned long shstk_alloc_thread_stack(struct task_struct *tsk, unsigned long clone_flags, unsigned long stack_size) { … } static unsigned long get_user_shstk_addr(void) { … } #define SHSTK_DATA_BIT … static int put_shstk_data(u64 __user *addr, u64 data) { … } static int get_shstk_data(unsigned long *data, unsigned long __user *addr) { … } static int shstk_push_sigframe(unsigned long *ssp) { … } static int shstk_pop_sigframe(unsigned long *ssp) { … } int setup_signal_shadow_stack(struct ksignal *ksig) { … } int restore_signal_shadow_stack(void) { … } void shstk_free(struct task_struct *tsk) { … } static int wrss_control(bool enable) { … } static int shstk_disable(void) { … } SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags) { … } long shstk_prctl(struct task_struct *task, int option, unsigned long arg2) { … } int shstk_update_last_frame(unsigned long val) { … } bool shstk_is_enabled(void) { … }
Codebase Browser
linux