lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed,  8 Jul 2015 12:24:02 -0700
From:	Andy Lutomirski <luto@...nel.org>
To:	x86@...nel.org, linux-kernel@...r.kernel.org
Cc:	Frédéric Weisbecker <fweisbec@...il.com>,
	Rik van Riel <riel@...hat.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Denys Vlasenko <vda.linux@...glemail.com>,
	Borislav Petkov <bp@...en8.de>,
	Kees Cook <keescook@...omium.org>,
	Brian Gerst <brgerst@...il.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andy Lutomirski <luto@...nel.org>
Subject: [RFC/PATCH 5/7] x86/vm86: Teach handle_vm86_trap to return to 32bit mode directly

The TIF_NOTIFY_RESUME hack it was using was buggy and unsupportable.
vm86 mode was completely broken under ptrace, for example, because
we'd never make it to v8086 mode.

This code is still a huge, scary mess, but at least it's no longer
tangled with the exit-to-userspace loop.

Signed-off-by: Andy Lutomirski <luto@...nel.org>
---
 arch/x86/entry/entry_32.S | 17 -----------------
 arch/x86/kernel/traps.c   | 12 ++++++++++++
 arch/x86/kernel/vm86_32.c |  8 ++------
 3 files changed, 14 insertions(+), 23 deletions(-)

diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index 66ff9c4055d7..3afd201bce55 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -481,29 +481,12 @@ work_resched:
 
 work_notifysig:					# deal with pending signals and
 						# notify-resume requests
-#ifdef CONFIG_VM86
-	testl	$X86_EFLAGS_VM, PT_EFLAGS(%esp)
-	movl	%esp, %eax
-	jnz	work_notifysig_v86		# special case for v86
-1:
-#else
 	movl	%esp, %eax
-#endif
 	TRACE_IRQS_ON
 	ENABLE_INTERRUPTS(CLBR_NONE)
 	xorl	%edx, %edx
 	call	do_notify_resume
 	jmp	resume_userspace
-
-#ifdef CONFIG_VM86
-	ALIGN
-work_notifysig_v86:
-	pushl	%ecx				# save ti_flags for do_notify_resume
-	call	save_v86_state			# %eax contains pt_regs pointer
-	popl	%ecx
-	movl	%eax, %esp
-	jmp	1b
-#endif
 END(work_pending)
 
 	# perform syscall exit tracing
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 8e65d8a9b8db..f86172d4f5db 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -190,6 +190,13 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
 		 * On nmi (interrupt 2), do_trap should not be called.
 		 */
 		if (trapnr < X86_TRAP_UD) {
+			/*
+			 * handle_vm86_trap may not return.  If that
+			 * happens, then there is no debug stack counter
+			 * (it's a 32-bit kernel) and handle_vm86_trap
+			 * will clear the preempt counter.
+			 */
+
 			if (!handle_vm86_trap((struct kernel_vm86_regs *) regs,
 						error_code, trapnr))
 				return 0;
@@ -650,6 +657,11 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
 	preempt_conditional_sti(regs);
 
 	if (v8086_mode(regs)) {
+		/*
+		 * handle_vm86_trap may not return.  If that happens, then
+		 * there is no debug stack counter (it's a 32-bit kernel)
+		 * and handle_vm86_trap will clear the preempt counter.
+		 */
 		handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
 					X86_TRAP_DB);
 		preempt_conditional_cli(regs);
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index fc9db6ef2a95..c526ee34c22d 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -351,6 +351,7 @@ static inline void return_to_32bit(struct kernel_vm86_regs *regs16, int retval)
 {
 	struct pt_regs *regs32;
 
+	preempt_count_set(0);
 	regs32 = save_v86_state(regs16);
 	regs32->ax = retval;
 	__asm__ __volatile__("movl %0,%%esp\n\t"
@@ -549,12 +550,7 @@ int handle_vm86_trap(struct kernel_vm86_regs *regs, long error_code, int trapno)
 {
 	if (VMPI.is_vm86pus) {
 		if ((trapno == 3) || (trapno == 1)) {
-			KVM86->regs32->ax = VM86_TRAP + (trapno << 8);
-			/* setting this flag forces the code in entry_32.S to
-			   the path where we call save_v86_state() and change
-			   the stack pointer to KVM86->regs32 */
-			set_thread_flag(TIF_NOTIFY_RESUME);
-			return 0;
+			return_to_32bit(regs, VM86_TRAP + (trapno << 8));
 		}
 		do_int(regs, trapno, (unsigned char __user *) (regs->pt.ss << 4), SP(regs));
 		return 0;
-- 
2.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ