mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Xiang Mei <xmei5@asu.edu>
To: Peter Zijlstra <peterz@infradead.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
	Dave Hansen <dave.hansen@intel.com>, Kees Cook <kees@kernel.org>,
	 Andrew Morton <akpm@linux-foundation.org>,
	Thomas Gleixner <tglx@kernel.org>,
	 Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	 Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org,  linux-hardening@vger.kernel.org,
	Uladzislau Rezki <urezki@gmail.com>,
	 "Gustavo A . R . Silva" <gustavoars@kernel.org>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	 Jennifer Miller <jmill@asu.edu>, Tiffany Bao <tbao@asu.edu>,
	Ruoyu Wang <fishw@asu.edu>,  Adam Doupe <doupe@asu.edu>,
	Kyle Zeng <zengyhkyle@asu.edu>,
	Yan Shoshitaishvili <yans@asu.edu>
Subject: Re: [PATCH v2] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot
Date: Wed, 1 Jul 2026 14:04:05 -0700	[thread overview]
Message-ID: <CAPpSM+SzqLSPt2q0KhkzB-WvphXGmby99QBJL7v_nq4kJGAYFA@mail.gmail.com> (raw)
In-Reply-To: <20260701083108.GD751831@noisy.programming.kicks-ass.net>

On Wed, Jul 1, 2026 at 1:31 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Wed, Jul 01, 2026 at 12:58:12AM -0700, H. Peter Anvin wrote:
> > On July 1, 2026 12:48:34 AM PDT, Peter Zijlstra <peterz@infradead.org> wrote:
> > >On Wed, Jul 01, 2026 at 09:27:47AM +0200, Peter Zijlstra wrote:
> > >> On Mon, Jun 29, 2026 at 03:29:50PM -0700, Dave Hansen wrote:
> > >>
> > >> > But, really, if ENTER is so evil and nobody uses it, shouldn't we just
> > >> > have an MSR bit somewhere to tell the CPU to #UD for it rather than
> > >> > playing these stack games?
> > >>
> > >> For supervisor mode only, I suppose. We can't ever get rid of userspace
> > >> ENTER because legacy I suppose. But we can make sure the kernel is
> > >> clean.
> > >>
> > >> So yeah, having a knob to make supervisor-ENTER trap would be useful I
> > >> suppose.
> > >
> > >x86_64-defconfig builds clean with the below :-)
> > >
> > >
> > >diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
> > >index 1b387d5a195b..9e53db863203 100644
> > >--- a/tools/objtool/arch/x86/decode.c
> > >+++ b/tools/objtool/arch/x86/decode.c
> > >@@ -642,6 +642,10 @@ int arch_decode_instruction(struct objtool_file *file, const struct section *sec
> > >
> > >             break;
> > >
> > >+    case 0xc8:
> > >+            WARN("ENTER instruction at %s:%lx", sec->name, offset);
> > >+            break;
> > >+
> > >     case 0xc9:
> > >             /*
> > >              * leave
> >
> > The problem is that it being a single byte long it can appear in the middle of another instruction.
>
> I understand; this was in response to Dave's suggestion to make
> (supervisor) ENTER #UD, in which case we'd have to ensure no legit
> ENTERs exist.

Peter's explanation is correct: this technique makes CFH->ACE easier.

I think both ways can mitigate it, but I would like to hear your
(maintainers') idea of which one we should proceed:

1. supervisor-ENTER-#UD + Peter's objtool check. Cleanest for ENTER,
but it needs a new bit from Intel/AMD, so future CPUs only.
2. Kill the landing zone with a 0x11-page guard area.

Thanks,
Xiang

  reply	other threads:[~2026-07-01 21:04 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 21:47 Xiang Mei
2026-06-29 22:29 ` Dave Hansen
2026-06-29 23:28   ` Xiang Mei
2026-06-29 23:37     ` Dave Hansen
2026-06-30  1:22       ` Xiang Mei
2026-06-30 14:01         ` Dave Hansen
2026-06-30 14:58           ` Pedro Falcato
2026-07-01  7:23             ` Peter Zijlstra
2026-06-30 22:02           ` Xiang Mei
2026-06-30 22:05             ` Dave Hansen
2026-06-30 22:13               ` H. Peter Anvin
2026-06-30 22:47                 ` Xiang Mei
2026-06-30 23:40                   ` Dave Hansen
2026-06-30 23:48                     ` Xiang Mei
2026-07-01  7:19           ` Peter Zijlstra
2026-06-30 14:40     ` Pedro Falcato
2026-06-30 15:15       ` Dave Hansen
2026-06-30 21:54         ` Dave Hansen
2026-06-30 21:41       ` Xiang Mei
2026-07-01  7:27   ` Peter Zijlstra
2026-07-01  7:48     ` Peter Zijlstra
2026-07-01  7:58       ` H. Peter Anvin
2026-07-01  8:31         ` Peter Zijlstra
2026-07-01 21:04           ` Xiang Mei [this message]
2026-07-10 18:58             ` Dave Hansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPpSM+SzqLSPt2q0KhkzB-WvphXGmby99QBJL7v_nq4kJGAYFA@mail.gmail.com \
    --to=xmei5@asu.edu \
    --cc=akpm@linux-foundation.org \
    --cc=bp@alien8.de \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=doupe@asu.edu \
    --cc=fishw@asu.edu \
    --cc=gustavoars@kernel.org \
    --cc=hpa@zytor.com \
    --cc=jmill@asu.edu \
    --cc=kees@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tbao@asu.edu \
    --cc=tglx@kernel.org \
    --cc=urezki@gmail.com \
    --cc=x86@kernel.org \
    --cc=yans@asu.edu \
    --cc=zengyhkyle@asu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox