Commit 2198d07c authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Catalin Marinas

arm64: Always load shadow stack pointer directly from the task struct



All occurrences of the scs_load macro load the shadow call stack pointer
from the task that is current at that point. So instead of taking a task
struct register argument in the scs_load macro to specify which task
struct to load from, let's always reference the current task directly.
This should make it much harder to exploit any instruction sequence that
reloads the shadow call stack pointer register from memory.

Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230109174800.3286265-2-ardb@kernel.org


Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
parent b7bfaa76
+4 −3
@@ -10,15 +10,16 @@
#ifdef CONFIG_SHADOW_CALL_STACK
	scs_sp	.req	x18

	.macro scs_load tsk
	ldr	scs_sp, [\tsk, #TSK_TI_SCS_SP]
	.macro scs_load_current
	get_current_task scs_sp
	ldr	scs_sp, [scs_sp, #TSK_TI_SCS_SP]
	.endm

	.macro scs_save tsk
	str	scs_sp, [\tsk, #TSK_TI_SCS_SP]
	.endm
#else
	.macro scs_load tsk
	.macro scs_load_current
	.endm

	.macro scs_save tsk
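Review bot: The new scs_load_current macro carries no comment saying why it takes no task argument, which is the whole security point of the change, so a later cleanup could reintroduce a `tsk` parameter for convenience. I would add above the `.macro scs_load_current` line a short kernel-style block comment along the lines of `/* Always load the SCS pointer from the current task, never from a caller-supplied task register, so a reload of scs_sp cannot be steered by a controlled pointer. */`. Note that the load itself still goes through memory; what the change removes is the caller-controlled base register, on the assumption that get_current_task derives the task pointer from a system register rather than from a general-purpose argument — its definition is not in this hunk. The `scs_save tsk` macro keeps its task argument, which seems acceptable since it stores rather than loads scs_sp, but a one-line remark on that asymmetry would help.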
+2 −2
@@ -275,7 +275,7 @@ alternative_if ARM64_HAS_ADDRESS_AUTH
alternative_else_nop_endif
1:

	scs_load tsk
	scs_load_current
	.else
	add	x21, sp, #PT_REGS_SIZE
	get_current_task tsk
@@ -848,7 +848,7 @@ SYM_FUNC_START(cpu_switch_to)
	msr	sp_el0, x1
	ptrauth_keys_install_kernel x1, x8, x9, x10
	scs_save x0
	scs_load x1
	scs_load_current
	ret
SYM_FUNC_END(cpu_switch_to)
NOKPROBE(cpu_switch_to)
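Review bot: In cpu_switch_to, `scs_load_current` now only yields the next task's SCS pointer because `msr sp_el0, x1` precedes it a few lines up, whereas the old `scs_load x1` had no such ordering constraint, so the dependency should be written down next to the line. I would change it to `scs_load_current // requires sp_el0 == x1 (set above)`, on the assumption that get_current_task reads sp_el0 — its definition is outside this hunk and should be checked. The `scs_save x0` immediately before still names the outgoing task through its register argument, so the save/load pair is no longer symmetric, which is worth a word in the same comment. For the first hunk (kernel_entry, whose body starts before the hunk) I cannot tell from the visible lines whether sp_el0 already holds the current task at the `1:` label of the `.if` branch; that ordering should be confirmed against the lines above it.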
+1 −1
@@ -404,7 +404,7 @@ SYM_FUNC_END(create_kernel_mapping)
	stp	xzr, xzr, [sp, #S_STACKFRAME]
	add	x29, sp, #S_STACKFRAME

	scs_load \tsk
	scs_load_current

	adr_l	\tmp1, __per_cpu_offset
	ldr	w\tmp2, [\tsk, #TSK_TI_CPU]
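Review bot: The `scs_load_current` here relies on sp_el0 already pointing at `\tsk`, which nothing inside the hunk establishes, while the very next load still addresses the task through the macro argument (`ldr w\tmp2, [\tsk, #TSK_TI_CPU]`), so a reader may assume `\tsk` is the only task reference in play. I would annotate the line as `scs_load_current // assumes sp_el0 == \tsk, set earlier in this macro`, with that assumption confirmed against the macro's opening lines and against how get_current_task is defined, neither of which is visible here. The enclosing macro begins outside the hunk.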