lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 27 Aug 2017 18:39:24 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     X86 ML <x86@...nel.org>
Cc:     Tom Lendacky <thomas.lendacky@....com>,
        LKML <linux-kernel@...r.kernel.org>,
        Brijesh Singh <brijesh.singh@....com>
Subject: [PATCH] x86/mm: Fix SME encryption stack ptr handling

From: Borislav Petkov <bp@...e.de>

sme_encrypt_execute() stashes the stack pointer on entry into %rbp
because it allocates a one-page stack in the non-encrypted area for the
encryption routine to use. When the latter is done, it restores it from
%rbp again, before returning.

However, it uses the FRAME_* macros partially but restores %rsp from
%rbp explicitly with a MOV. And this is fine as long as the macros
*actually* do something.

Unless, you do a !CONFIG_FRAME_POINTER build where those macros
are empty. Then, we still restore %rsp from %rbp but %rbp contains
*something* and this leads to a stack corruption. The manifestation
being a triple-fault during early boot when testing SME. Good luck to me
debugging this with the clumsy endless-loop-in-asm method and narrowing
it down gradually. :-(

So, long story short, open-code the frame macros so that there's no
monkey business and we avoid subtly breaking SME depending on the
.config.

Signed-off-by: Borislav Petkov <bp@...e.de>
Acked-by: Tom Lendacky <thomas.lendacky@....com>
Cc: Brijesh Singh <brijesh.singh@....com>
---
 arch/x86/mm/mem_encrypt_boot.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/mm/mem_encrypt_boot.S b/arch/x86/mm/mem_encrypt_boot.S
index b327e0472448..730e6d541df1 100644
--- a/arch/x86/mm/mem_encrypt_boot.S
+++ b/arch/x86/mm/mem_encrypt_boot.S
@@ -15,7 +15,6 @@
 #include <asm/page.h>
 #include <asm/processor-flags.h>
 #include <asm/msr-index.h>
-#include <asm/frame.h>
 
 	.text
 	.code64
@@ -33,7 +32,8 @@ ENTRY(sme_encrypt_execute)
 	 *    R8 - physcial address of the pagetables to use for encryption
 	 */
 
-	FRAME_BEGIN			/* RBP now has original stack pointer */
+	push	%rbp
+	movq	%rsp, %rbp		/* RBP now has original stack pointer */
 
 	/* Set up a one page stack in the non-encrypted memory area */
 	movq	%rcx, %rax		/* Workarea stack page */
@@ -64,7 +64,7 @@ ENTRY(sme_encrypt_execute)
 	pop	%r12
 
 	movq	%rbp, %rsp		/* Restore original stack pointer */
-	FRAME_END
+	pop	%rbp
 
 	ret
 ENDPROC(sme_encrypt_execute)
-- 
2.13.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ