lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141001090915.16c8b1db@as>
Date:	Wed, 1 Oct 2014 09:09:13 -0500
From:	Chuck Ebbert <cebbert.lkml@...il.com>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Thomas Gleixner <tglx@...utronix.de>, X86 ML <x86@...nel.org>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Sebastian Lackner <sebastian@...-team.de>,
	Anish Bhatt <anish@...lsio.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	stable@...r.kernel.org
Subject: Re: [PATCH v2 1/2] x86_64,entry: Filter RFLAGS.NT on entry from
 userspace

On Tue, 30 Sep 2014 21:51:27 -0700
Andy Lutomirski <luto@...capital.net> wrote:

> The NT flag doesn't do anything in long mode other than causing IRET
> to #GP.  Oddly, CPL3 code can still set NT using popf.
> 
> Entry via hardware or software interrupt clears NT automatically, so
> the only relevant entries are fast syscalls.
> 
> If user code causes kernel code to run with NT set, then there's at
> least some (small) chance that it could cause trouble.  For example,
> user code could cause a call to EFI code with NT set, and who knows
> what would happen?  Apparently some games on Wine sometimes do
> this (!), and, if an IRET return happens, they will segfault.  That
> segfault cannot be handled, because signal delivery fails, too.
> 
> This patch programs the CPU to clear NT on entry via SYSCALL (both
> 32-bit and 64-bit, by my reading of the AMD APM), and it clears NT
> in software on entry via SYSENTER.
> 
> To save a few cycles, this borrows a trick from Jan Beulich in Xen:
> it checks whether NT is set before trying to clear it.  As a result,
> it seems to have very little effect on SYSENTER performance on my
> machine.
> 
> Testers beware: on Xen, SYSENTER with NT set turns into a GPF.
> 
> I haven't touched anything on 32-bit kernels.
> 
> The syscall mask change comes from a variant of this patch by Anish
> Bhatt.
> 
> Cc: stable@...r.kernel.org
> Reported-by: Anish Bhatt <anish@...lsio.com>
> Signed-off-by: Andy Lutomirski <luto@...capital.net>
> ---
>  arch/x86/ia32/ia32entry.S    | 12 ++++++++++++
>  arch/x86/kernel/cpu/common.c |  2 +-
>  2 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index 4299eb05023c..44d1dd371454 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -151,6 +151,18 @@ ENTRY(ia32_sysenter_target)
>  1:	movl	(%rbp),%ebp
>  	_ASM_EXTABLE(1b,ia32_badarg)
>  	ASM_CLAC
> +
> +	/*
> +	 * Sysenter doesn't filter flags, so we need to clear NT
> +	 * ourselves.  To save a few cycles, we can check whether
> +	 * NT was set instead of doing an unconditional popfq.
> +	 */
> +	testl $X86_EFLAGS_NT,EFLAGS(%rsp)	/* saved EFLAGS match cpu */
> +	jz 1f
> +	pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED)
> +	popfq_cfi
> +1:
> +

I think you've gone backwards with this version. The earlier one got
some of the performance loss back by not needing to do the "cld" insn.

You should just replace that "cld" (line 146) with

	pushfq_cfi $2
	popfq_cfi

Unfortunately I'm not set up to test that yet. But I did look at
the SDM and can't see a need to preserve any of the flags.

>  	orl     $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
>  	testl   $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
>  	CFI_REMEMBER_STATE
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index e4ab2b42bd6f..31265580c38a 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -1184,7 +1184,7 @@ void syscall_init(void)
>  	/* Flags to clear on syscall */
>  	wrmsrl(MSR_SYSCALL_MASK,
>  	       X86_EFLAGS_TF|X86_EFLAGS_DF|X86_EFLAGS_IF|
> -	       X86_EFLAGS_IOPL|X86_EFLAGS_AC);
> +	       X86_EFLAGS_IOPL|X86_EFLAGS_AC|X86_EFLAGS_NT);
>  }
>  
>  /*

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ