Date:   Mon,  9 Nov 2020 12:23:12 +0100
From:   Alexandre Chartre <alexandre.chartre@...cle.com>
To:     "tglx@...utronix.de"@userv0121.oracle.com,
        "mingo@...hat.com"@userv0121.oracle.com,
        "bp@...en8.de"@userv0121.oracle.com,
        "hpa@...or.com"@userv0121.oracle.com,
        "x86@...nel.org"@userv0121.oracle.com,
        "dave.hansen@...ux.intel.com"@userv0121.oracle.com,
        "luto@...nel.org"@userv0121.oracle.com,
        "peterz@...radead.org"@userv0121.oracle.com,
        "linux-kernel@...r.kernel.org"@userv0121.oracle.com,
        "thomas.lendacky@....com"@userv0121.oracle.com,
        "jroedel@...e.de"@userv0121.oracle.com
Cc:     "konrad.wilk@...cle.com"@userv0121.oracle.com,
        "jan.setjeeilers@...cle.com"@userv0121.oracle.com,
        "junaids@...gle.com"@userv0121.oracle.com,
        "oweisse@...gle.com"@userv0121.oracle.com,
        "rppt@...ux.vnet.ibm.com"@userv0121.oracle.com,
        "graf@...zon.de"@userv0121.oracle.com,
        "mgross@...ux.intel.com"@userv0121.oracle.com,
        "kuzuno@...il.com"@userv0121.oracle.com,
        "alexandre.chartre@...cle.com"@userv0121.oracle.com
Subject: [RFC][PATCH 17/24] x86/pti: Execute IDT handlers with error code on the kernel stack

After an interrupt/exception in userland, the kernel is entered
and it switches the stack to the PTI stack which is mapped both in
the kernel and in the user page-table. When executing the interrupt
function, switch to the kernel stack (which is mapped only in the
kernel page-table) so that no kernel data leaks to userland
through the stack.

Changes IDT handlers which have an error code.

Signed-off-by: Alexandre Chartre <alexandre.chartre@...cle.com>
---
 arch/x86/include/asm/idtentry.h | 18 ++++++++++++++++--
 arch/x86/kernel/traps.c         |  2 +-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h
index 3595a31947b3..a82e31b45442 100644
--- a/arch/x86/include/asm/idtentry.h
+++ b/arch/x86/include/asm/idtentry.h
@@ -25,6 +25,12 @@ void idtentry_exit_nmi(struct pt_regs *regs, bool irq_state);
 		(void (*)(void))(func), (void *)(arg1)) :		\
 	 func(arg1))
 
+#define CALL_ON_STACK_2(stack, func, arg1, arg2)			\
+	((stack) ?							\
+	 asm_call_on_stack_2(stack,					\
+		(void (*)(void))(func), (void *)(arg1), (void *)(arg2)) : \
+	 func(arg1, arg2))
+
 /*
  * Functions to return the top of the kernel stack if we are using the
  * user page-table (and thus not running with the kernel stack). If we
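Review bot: `CALL_ON_STACK_2` evaluates its `stack` argument twice, once in the condition and once as the first argument of `asm_call_on_stack_2`, so the `pti_kernel_stack(regs)` expression that `run_idt_errcode` passes in (second hunk) is called twice whenever the switch happens. That matches the existing `CALL_ON_STACK_1` just above, so it is consistent, but nothing tells a future caller that the argument must be cheap and side-effect free. Either hoist it into a local in the `run_idt_*` helpers, or add `/* NOTE: 'stack' is evaluated twice; pass a side-effect-free expression. */` above the macro. The function-pointer cast to `void (*)(void)` also means the asm path drops all type checking of `func` against its two arguments, which is worth saying in the same comment.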
@@ -53,6 +59,13 @@ void run_idt(void (*func)(struct pt_regs *), struct pt_regs *regs)
 	CALL_ON_STACK_1(pti_kernel_stack(regs), func, regs);
 }
 
+static __always_inline
+void run_idt_errcode(void (*func)(struct pt_regs *, unsigned long),
+		     struct pt_regs *regs, unsigned long error_code)
+{
+	CALL_ON_STACK_2(pti_kernel_stack(regs), func, regs, error_code);
+}
+
 /**
  * DECLARE_IDTENTRY - Declare functions for simple IDT entry points
  *		      No error code pushed by hardware
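Review bot: `run_idt_errcode` lands between the existing `run_idt` and a kernel-doc block but carries no comment of its own, so a reader of this header cannot tell why the handler is not simply called. Suggested comment above it: `/* Call an IDT handler that takes an error code on the kernel stack when pti_kernel_stack() reports we entered on the PTI stack; otherwise call it directly (CALL_ON_STACK_2 falls through to func(regs, error_code) when stack is zero). */`. It is also worth noting there that `error_code` travels through the `(void *)` cast in `CALL_ON_STACK_2`, which relies on `unsigned long` and pointers having the same width on this architecture — true for x86-64, but the header is shared with 32-bit builds as far as I can see.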
@@ -141,7 +154,7 @@ __visible noinstr void func(struct pt_regs *regs,			\
 	irqentry_state_t state = irqentry_enter(regs);			\
 									\
 	instrumentation_begin();					\
-	__##func (regs, error_code);					\
+	run_idt_errcode(__##func, regs, error_code);			\
 	instrumentation_end();						\
 	irqentry_exit(regs, state);					\
 }									\
@@ -239,7 +252,8 @@ __visible noinstr void func(struct pt_regs *regs,			\
 	instrumentation_begin();					\
 	irq_enter_rcu();						\
 	kvm_set_cpu_l1tf_flush_l1d();					\
-	__##func (regs, (u8)error_code);				\
+	run_idt_errcode((void (*)(struct pt_regs *, unsigned long))__##func, \
+			regs, (u8)error_code);				\
 	irq_exit_rcu();							\
 	instrumentation_end();						\
 	irqentry_exit(regs, state);					\
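Review bot: The cast of `__##func` to `void (*)(struct pt_regs *, unsigned long)` makes the direct-call fallback of `CALL_ON_STACK_2` (`func(arg1, arg2)` when `pti_kernel_stack()` returns zero) invoke the handler through an incompatible function pointer type, since `__##func` presumably takes a `u8` second parameter (the original line cast the argument to `(u8)` for that reason). That is undefined behaviour in C; on x86-64 it works because the `(u8)error_code` value is zero-extended into the argument register and the callee only reads the low byte, but the cast is silent about that. Either add a comment such as `/* cast: handler takes u8; the (u8) value is zero-extended into the argument register, so the call is ABI-safe on x86-64 */`, or provide a `run_idt_irq()` variant typed with `u8` so no cast is needed. The enclosing `DEFINE_IDTENTRY_IRQ` macro starts and ends outside the hunk.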
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 5161385b3670..9a51aa016fb3 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -979,7 +979,7 @@ DEFINE_IDTENTRY_DEBUG(exc_debug)
 /* User entry, runs on regular task stack */
 DEFINE_IDTENTRY_DEBUG_USER(exc_debug)
 {
-	exc_debug_user(regs, debug_read_clear_dr6());
+	run_idt_errcode(exc_debug_user, regs, debug_read_clear_dr6());
 }
 #else
 /* 32 bit does not have separate entry points. */
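Review bot: The comment `/* User entry, runs on regular task stack */` above `DEFINE_IDTENTRY_DEBUG_USER` is now incomplete: with this change the body enters on the PTI stack and `run_idt_errcode` moves it to the kernel stack before `exc_debug_user` runs, so "runs on regular task stack" only holds after the switch. Suggested wording: `/* User entry, entered on the PTI stack; run_idt_errcode() switches to the regular task stack. */`. Note also that `debug_read_clear_dr6()` is now an argument of a macro that names it in both branches of a conditional; only one branch executes so DR6 is still read and cleared exactly once, but a one-line comment saying so would save the next reader the same check.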
-- 
2.18.4
