[v1,RFC,Zisslpcfi,05/20] mmap : Introducing new protection "PROT_SHADOWSTACK" for mmap
Commit Message
Major architectures (x86, arm, riscv) have introduced shadow
stack support in their architecture for return control flow integrity
ISA extensions have some special encodings to make sure this shadow stack
page has special property in page table i.e a readonly page but still
writeable under special scenarios. As an example x86 has `call` (or new
shadow stack instructions) which can perform store on shadow stack but
regular stores are disallowed. Similarly riscv has sspush & ssamoswap
instruction which can perform stores but regular stores are not allowed.
As evident a page which can only be writeable by certain special
instructions but otherwise appear readonly to regular stores need a new
protection flag.
This patch introduces a new mmap protection flag to indicate such
protection in generic manner. Architectures can implement such protection
using arch specific encodings in page tables.
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
include/uapi/asm-generic/mman-common.h | 6 ++++++
mm/mmap.c | 4 ++++
2 files changed, 10 insertions(+)
@@ -11,6 +11,12 @@
#define PROT_WRITE 0x2 /* page can be written */
#define PROT_EXEC 0x4 /* page can be executed */
#define PROT_SEM 0x8 /* page may be used for atomic ops */
+/*
+ * Major architectures (x86, aarch64, riscv) have shadow stack now. Each architecture can
+ * choose to implement different PTE encodings. x86 encodings are PTE.R=0, PTE.W=1, PTE.D=1
+ * riscv encodings are PTE.R=0, PTE.W=1. Aarch64 encodings are not published yet
+ */
+#define PROT_SHADOWSTACK 0x40
/* 0x10 reserved for arch-specific use */
/* 0x20 reserved for arch-specific use */
#define PROT_NONE 0x0 /* page can not be accessed */
@@ -46,6 +46,7 @@
#include <linux/pkeys.h>
#include <linux/oom.h>
#include <linux/sched/mm.h>
+#include <linux/processor.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -1251,6 +1252,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
if (!len)
return -EINVAL;
+ /* If PROT_SHADOWSTACK is specified and arch doesn't support it, return -EINVAL */
+ if ((prot & PROT_SHADOWSTACK) && !arch_supports_shadow_stack())
+ return -EINVAL;
/*
* Does the application expect PROT_READ to imply PROT_EXEC?
*