Message-ID: <CALCETrUa4iw+y+EXSqq_ibJQAfR0+U52Q=tO8_bj1YJgtMUP+Q@mail.gmail.com>
Date:   Wed, 21 Nov 2018 07:24:05 -0800
From:   Andy Lutomirski <luto@...nel.org>
To:     Jan Beulich <JBeulich@...e.com>
Cc:     Ingo Molnar <mingo@...e.hu>, Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrew Lutomirski <luto@...nel.org>,
        xen-devel <xen-devel@...ts.xenproject.org>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Juergen Gross <jgross@...e.com>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] x86-64/Xen: fix stack switching

On Wed, Nov 21, 2018 at 2:10 AM Jan Beulich <JBeulich@...e.com> wrote:
>
> While in the native case entry into the kernel happens on the trampoline
> stack, PV Xen kernels are entered on the current thread stack right
> away. Hence source and destination stacks are identical in that case,
> and special care is needed.
>
> Unlike in sync_regs(), the copying done on the INT80 path as well as on
> the NMI path itself isn't NMI / #MC safe: either of these events
> occurring in the middle of the stack copying would clobber data on the
> (source) stack. (Of course, in the NMI case only #MC could break
> things.)
>
> I'm not altering the similar code in interrupt_entry(), as that code
> path is, AFAICT, unreachable when running as a PV Xen guest.
>
> Fixes: 7f2590a110b837af5679d08fc25c6227c5a8c497
> Signed-off-by: Jan Beulich <jbeulich@...e.com>
> Cc: stable@...nel.org
> ---
> v2: Correct placement of .Lint80_keep_stack label.
> ---
>  arch/x86/entry/entry_64.S        |    8 ++++++++
>  arch/x86/entry/entry_64_compat.S |   10 ++++++++--
>  2 files changed, 16 insertions(+), 2 deletions(-)
>
> --- 4.20-rc3/arch/x86/entry/entry_64.S
> +++ 4.20-rc3-x86_64-stack-switch-Xen/arch/x86/entry/entry_64.S
> @@ -1380,6 +1380,12 @@ ENTRY(nmi)
>         swapgs
>         cld
>         SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
> +
> +       movq    PER_CPU_VAR(cpu_current_top_of_stack), %rdx
> +       subq    $8, %rdx
> +       xorq    %rsp, %rdx
> +       shrq    $PAGE_SHIFT, %rdx
> +       jz      .Lnmi_keep_stack

This code shouldn't even be reachable on Xen:

commit 43e4111086a70c78bedb6ad990bee97f17b27a6e
Author: Juergen Gross <jgross@...e.com>
Date:   Thu Nov 2 00:59:07 2017 -0700

    xen, x86/entry/64: Add xen NMI trap entry

    Instead of trying to execute any NMI via the bare metal's NMI trap
    handler use a Xen specific one for PV domains, like we do for e.g.
    debug traps. As in a PV domain the NMI is handled via the normal
    kernel stack this is the correct thing to do.

    This will enable us to get rid of the very fragile and questionable
    dependencies between the bare metal NMI handler and Xen assumptions
    believed to be broken anyway.


>         movq    %rsp, %rdx
>         movq    PER_CPU_VAR(cpu_current_top_of_stack), %rsp
>         UNWIND_HINT_IRET_REGS base=%rdx offset=8
> @@ -1389,6 +1395,8 @@ ENTRY(nmi)
>         pushq   2*8(%rdx)       /* pt_regs->cs */
>         pushq   1*8(%rdx)       /* pt_regs->rip */
>         UNWIND_HINT_IRET_REGS
> +.Lnmi_keep_stack:
> +
>         pushq   $-1             /* pt_regs->orig_ax */
>         PUSH_AND_CLEAR_REGS rdx=(%rdx)
>         ENCODE_FRAME_POINTER
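
For reference, a minimal C sketch of the test the added movq/subq/xorq/shrq
sequence performs (my illustration, not part of the patch; the helper name
and the PAGE_SHIFT value are spelled out for clarity): the frame copy is
skipped when %rsp already lies on the same page as the slot just below
cpu_current_top_of_stack.

#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12	/* x86-64: 4 KiB base pages */

/*
 * True when rsp is on the same page as (top_of_stack - 8), i.e. the
 * entry already happened on the thread stack itself; rewinding rsp to
 * the stack top before copying would then let an intervening NMI/#MC
 * clobber the not-yet-copied hardware frame.
 */
static bool already_on_thread_stack(uint64_t rsp, uint64_t top_of_stack)
{
	return (((top_of_stack - 8) ^ rsp) >> PAGE_SHIFT) == 0;
}
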
> --- 4.20-rc3/arch/x86/entry/entry_64_compat.S
> +++ 4.20-rc3-x86_64-stack-switch-Xen/arch/x86/entry/entry_64_compat.S
> @@ -361,17 +361,23 @@ ENTRY(entry_INT80_compat)
>
>         /* Need to switch before accessing the thread stack. */
>         SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
> +
> +       movq    PER_CPU_VAR(cpu_current_top_of_stack), %rdi
> +       subq    $8, %rdi
> +       xorq    %rsp, %rdi
> +       shrq    $PAGE_SHIFT, %rdi
> +       jz      .Lint80_keep_stack

This comparison is IMO the wrong test entirely.  How about something like:

/*
 * On Xen PV, entry_INT80_compat is called on the thread stack, so
 * rewinding to the top of the thread stack would allow an NMI to
 * overwrite the hardware frame before we copy it.
 */
ALTERNATIVE "", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV
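
For readers not familiar with alternatives patching, a rough C model of
what that ALTERNATIVE does (illustration only; the struct and function
names below are made up, not kernel API): the site is patched once at
boot, so a Xen PV kernel always takes the jump and keeps the current
stack, while a native kernel executes nothing extra on this path.

#include <stdbool.h>
#include <stdio.h>

/* Conceptual model of a boot-time patched alternative site. */
struct alt_site {
	const char *orig;	/* ""                       : NOP padding on native */
	const char *repl;	/* "jmp .Lint80_keep_stack" : used on Xen PV         */
};

/* The original text stays in place unless the CPU feature bit is set. */
static const char *patch_alternative(struct alt_site site, bool feature_set)
{
	return feature_set ? site.repl : site.orig;
}

int main(void)
{
	struct alt_site int80_site = { "", "jmp .Lint80_keep_stack" };

	printf("native kernel : '%s'\n", patch_alternative(int80_site, false));
	printf("Xen PV kernel : '%s'\n", patch_alternative(int80_site, true));
	return 0;
}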
