| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <130a3b7ef4788baae3a6fe71293ab17442bc9a0a.1442793572.git.luto@kernel.org>
Date: Sun, 20 Sep 2015 17:02:55 -0700
From: Andy Lutomirski <luto@...nel.org>
To: x86@...nel.org
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
KVM list <kvm@...r.kernel.org>,
Arjan van de Ven <arjan@...ux.intel.com>,
xen-devel <Xen-devel@...ts.xen.org>,
linux-kernel@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andy Lutomirski <luto@...nel.org>
Subject: [PATCH v2 1/2] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops
This demotes an OOPS and likely panic due to a failed non-"safe" MSR
access to a WARN_ON_ONCE and a return of zero (in the RDMSR case).
We still write a pr_info entry unconditionally for debugging.
To be clear, this type of failure should *not* happen. This patch
exists to minimize the chance of nasty undebuggable failures due on
systems that used to work due to a now-fixed CONFIG_PARAVIRT=y bug.
Signed-off-by: Andy Lutomirski <luto@...nel.org>
---
arch/x86/kernel/traps.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 346eec73f7db..f82987643e32 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -437,6 +437,58 @@ exit_trap:
do_trap(X86_TRAP_BR, SIGSEGV, "bounds", regs, error_code, NULL);
}
+static bool paper_over_kernel_gpf(struct pt_regs *regs)
+{
+ /*
+ * Try to decode the opcode that failed. So far, we only care
+ * about boring two-byte unprefixed opcodes, so we don't need
+ * the full instruction decoder machinery.
+ */
+ u16 opcode;
+
+ if (probe_kernel_read(&opcode, (const void *)regs->ip, sizeof(opcode)))
+ return false;
+
+ if (opcode == 0x320f) {
+ /* RDMSR */
+ pr_info("bad kernel RDMSR from non-existent MSR 0x%x",
+ (unsigned int)regs->cx);
+ if (!panic_on_oops) {
+ WARN_ON_ONCE(true);
+
+ /*
+ * Pretend that RDMSR worked and returned zero. We
+ * chose zero because zero seems less likely to
+ * cause further malfunctions than any other value.
+ */
+ regs->ax = 0;
+ regs->dx = 0;
+ regs->ip += 2;
+ return true;
+ } else {
+ /* Don't fix it up. */
+ return false;
+ }
+ } else if (opcode == 0x300f) {
+ /* WRMSR */
+ pr_info("bad kernel WRMSR writing 0x%08x%08x to MSR 0x%x",
+ (unsigned int)regs->dx, (unsigned int)regs->ax,
+ (unsigned int)regs->cx);
+ if (!panic_on_oops) {
+ WARN_ON_ONCE(true);
+
+ /* Pretend it worked and carry on. */
+ regs->ip += 2;
+ return true;
+ } else {
+ /* Don't fix it up. */
+ return false;
+ }
+ }
+
+ return false;
+}
+
dotraplinkage void
do_general_protection(struct pt_regs *regs, long error_code)
{
@@ -456,6 +508,9 @@ do_general_protection(struct pt_regs *regs, long error_code)
if (fixup_exception(regs))
return;
+ if (paper_over_kernel_gpf(regs))
+ return;
+
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = X86_TRAP_GP;
if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
--
2.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists