Re: [PATCH 22/35] arm64/mm: Implement map_shadow_stack()

The 07/16/2023 22:51, Mark Brown wrote:

+SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags) +{

• unsigned long aligned_size;
• unsigned long __user *cap_ptr;
• unsigned long cap_val;
• int ret;
• if (!system_supports_gcs())

• return -EOPNOTSUPP;
  

• if (flags)

• return -EINVAL;
  

• /*

• * An overflow would result in attempting to write the restore token
  

• * to the wrong location. Not catastrophic, but just return the right
  

• * error code and block it.
  

• */
  

• aligned_size = PAGE_ALIGN(size);
• if (aligned_size < size)

• return -EOVERFLOW;
  

• addr = alloc_gcs(addr, aligned_size, 0, false);
• if (IS_ERR_VALUE(addr))

• return addr;
  

• /*

• * Put a cap token at the end of the allocated region so it
  

• * can be switched to.
  

• */
  

• cap_ptr = (unsigned long __user *)(addr + aligned_size -

• 			   (2 * sizeof(unsigned long)));
  

• cap_val = GCS_CAP(cap_ptr);
• ret = copy_to_user_gcs(cap_ptr, &cap_val, 1);

with

uint64_t *p = map_shadow_stack(0, N*8, 0);

i'd expect p[N-1] to be the end token and p[N-2] to be the cap token, not p[PAGE_ALIGN(N*8)/8-2].

if we allow misalligned size here (and in munmap) then i think it's better to not page align. size%8!=0 || size<16 can be an error.

• if (ret != 0) {

• vm_munmap(addr, size);
  

• return -EFAULT;
  

• }
• return addr;

+}