| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Nov 2019 13:14:47 +0100
From: Jann Horn <jannh@...gle.com>
To: Ingo Molnar <mingo@...nel.org>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>,
"the arch/x86 maintainers" <x86@...nel.org>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
kasan-dev <kasan-dev@...glegroups.com>,
kernel list <linux-kernel@...r.kernel.org>,
Andrey Konovalov <andreyknvl@...gle.com>,
Andy Lutomirski <luto@...nel.org>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Andi Kleen <ak@...ux.intel.com>
Subject: Re: [PATCH v3 2/4] x86/traps: Print non-canonical address on #GP
On Wed, Nov 20, 2019 at 12:19 PM Ingo Molnar <mingo@...nel.org> wrote:
> * Jann Horn <jannh@...gle.com> wrote:
>
> > A frequent cause of #GP exceptions are memory accesses to non-canonical
> > addresses. Unlike #PF, #GP doesn't come with a fault address in CR2, so
> > the kernel doesn't currently print the fault address for #GP.
> > Luckily, we already have the necessary infrastructure for decoding X86
> > instructions and computing the memory address that is being accessed;
> > hook it up to the #GP handler so that we can figure out whether the #GP
> > looks like it was caused by a non-canonical address, and if so, print
> > that address.
[...]
> > +/*
> > + * On 64-bit, if an uncaught #GP occurs while dereferencing a non-canonical
> > + * address, return that address.
> > + */
> > +static unsigned long get_kernel_gp_address(struct pt_regs *regs)
> > +{
> > +#ifdef CONFIG_X86_64
> > + u8 insn_bytes[MAX_INSN_SIZE];
> > + struct insn insn;
> > + unsigned long addr_ref;
> > +
> > + if (probe_kernel_read(insn_bytes, (void *)regs->ip, MAX_INSN_SIZE))
> > + return 0;
> > +
> > + kernel_insn_init(&insn, insn_bytes, MAX_INSN_SIZE);
> > + insn_get_modrm(&insn);
> > + insn_get_sib(&insn);
> > + addr_ref = (unsigned long)insn_get_addr_ref(&insn, regs);
>
> I had to look twice to realize that the 'insn_bytes' isn't an integer
> that shows the number of bytes in the instruction, but the instruction
> buffer itself.
>
> Could we please do s/insn_bytes/insn_buf or such?
Will change it.
> > +
> > + /* Bail out if insn_get_addr_ref() failed or we got a kernel address. */
> > + if (addr_ref >= ~__VIRTUAL_MASK)
> > + return 0;
> > +
> > + /* Bail out if the entire operand is in the canonical user half. */
> > + if (addr_ref + insn.opnd_bytes - 1 <= __VIRTUAL_MASK)
> > + return 0;
>
> BTW., it would be nice to split this logic in two: return the faulting
> address to do_general_protection(), and print it out both for
> non-canonical and canonical addresses as well -and use the canonical
> check to *additionally* print out a short note when the operand is
> non-canonical?
You mean something like this?
========================
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 9b23c4bda243..16a6bdaccb51 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -516,32 +516,36 @@ dotraplinkage void do_bounds(struct pt_regs
*regs, long error_code)
* On 64-bit, if an uncaught #GP occurs while dereferencing a non-canonical
* address, return that address.
*/
-static unsigned long get_kernel_gp_address(struct pt_regs *regs)
+static bool get_kernel_gp_address(struct pt_regs *regs, unsigned long *addr,
+ bool *non_canonical)
{
#ifdef CONFIG_X86_64
u8 insn_buf[MAX_INSN_SIZE];
struct insn insn;
- unsigned long addr_ref;
if (probe_kernel_read(insn_buf, (void *)regs->ip, MAX_INSN_SIZE))
- return 0;
+ return false;
kernel_insn_init(&insn, insn_buf, MAX_INSN_SIZE);
insn_get_modrm(&insn);
insn_get_sib(&insn);
- addr_ref = (unsigned long)insn_get_addr_ref(&insn, regs);
+ *addr = (unsigned long)insn_get_addr_ref(&insn, regs);
- /* Bail out if insn_get_addr_ref() failed or we got a kernel address. */
- if (addr_ref >= ~__VIRTUAL_MASK)
- return 0;
+ if (*addr == (unsigned long)-1L)
+ return false;
- /* Bail out if the entire operand is in the canonical user half. */
- if (addr_ref + insn.opnd_bytes - 1 <= __VIRTUAL_MASK)
- return 0;
+ /*
+ * Check that:
+ * - the address is not in the kernel half or -1 (which means the
+ * decoder failed to decode it)
+ * - the last byte of the address is not in the user canonical half
+ */
+ *non_canonical = *addr < ~__VIRTUAL_MASK &&
+ *addr + insn.opnd_bytes - 1 > __VIRTUAL_MASK;
- return addr_ref;
+ return true;
#else
- return 0;
+ return false;
#endif
}
@@ -569,8 +573,10 @@ do_general_protection(struct pt_regs *regs, long
error_code)
tsk = current;
if (!user_mode(regs)) {
- unsigned long non_canonical_addr = 0;
+ bool addr_resolved = false;
+ unsigned long gp_addr;
unsigned long flags;
+ bool non_canonical;
int sig;
if (fixup_exception(regs, X86_TRAP_GP, error_code, 0))
@@ -595,18 +601,19 @@ do_general_protection(struct pt_regs *regs, long
error_code)
if (error_code)
snprintf(desc, sizeof(desc), "segment-related " GPFSTR);
else
- non_canonical_addr = get_kernel_gp_address(regs);
+ addr_resolved = get_kernel_gp_address(regs, &gp_addr,
+ &non_canonical);
- if (non_canonical_addr)
+ if (addr_resolved)
snprintf(desc, sizeof(desc),
- GPFSTR " probably for non-canonical address 0x%lx",
- non_canonical_addr);
+ GPFSTR " probably for %saddress 0x%lx",
+ non_canonical ? "non-canonical " : "", gp_addr);
flags = oops_begin();
sig = SIGSEGV;
__die_header(desc, regs, error_code);
- if (non_canonical_addr)
- kasan_non_canonical_hook(non_canonical_addr);
+ if (addr_resolved && non_canonical)
+ kasan_non_canonical_hook(gp_addr);
if (__die_body(desc, regs, error_code))
sig = 0;
oops_end(flags, regs, sig);
========================
I guess that could potentially be useful if a #GP is triggered by
something like an SSE alignment error? I'll add it in unless someone
else complains.
> > +#define GPFSTR "general protection fault"
> > dotraplinkage void
>
> Please separate macro and function definitions by an additional newline.
Will change it.
Powered by blists - more mailing lists