| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55592df6-a138-4995-5b2f-3720bedccf50@citrix.com>
Date: Wed, 5 Oct 2022 01:20:52 +0000
From: Andrew Cooper <Andrew.Cooper3@...rix.com>
To: Rick Edgecombe <rick.p.edgecombe@...el.com>,
"x86@...nel.org" <x86@...nel.org>,
"H . Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H . J . Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V . Shankar" <ravi.v.shankar@...el.com>,
Weijiang Yang <weijiang.yang@...el.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
"joao.moreira@...el.com" <joao.moreira@...el.com>,
John Allen <john.allen@....com>,
"kcc@...gle.com" <kcc@...gle.com>,
"eranian@...gle.com" <eranian@...gle.com>,
"rppt@...nel.org" <rppt@...nel.org>,
"jamorris@...ux.microsoft.com" <jamorris@...ux.microsoft.com>,
"dethoma@...rosoft.com" <dethoma@...rosoft.com>,
Andrew Cooper <Andrew.Cooper3@...rix.com>
CC: Yu-cheng Yu <yu-cheng.yu@...el.com>,
Michael Kerrisk <mtk.manpages@...il.com>
Subject: Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault
handler
On 29/09/2022 23:29, Rick Edgecombe wrote:
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index d62b2cb85cea..b7dde8730236 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -229,16 +223,74 @@ enum cp_error_code {
> CP_ENCL = 1 << 15,
> };
>
> -DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
> +#ifdef CONFIG_X86_SHADOW_STACK
> +static const char * const control_protection_err[] = {
> + "unknown",
> + "near-ret",
> + "far-ret/iret",
> + "endbranch",
> + "rstorssp",
> + "setssbsy",
> +};
These are a mix of SHSTK and IBT errors. They should be inside
CONFIG_X86_CET using Kees' suggestion.
Also, if you express this as
static const char errors[][10] = {
[0] = "unknown",
[1] = "near ret",
[2] = "far/iret",
[3] = "endbranch",
[4] = "rstorssp",
[5] = "setssbsy",
};
then you can encode all the strings in roughly the space it takes to lay
out the pointers above.
> +
> +static DEFINE_RATELIMIT_STATE(cpf_rate, DEFAULT_RATELIMIT_INTERVAL,
> + DEFAULT_RATELIMIT_BURST);
> +
> +static void do_user_control_protection_fault(struct pt_regs *regs,
> + unsigned long error_code)
> {
> - if (!cpu_feature_enabled(X86_FEATURE_IBT)) {
> - pr_err("Unexpected #CP\n");
> - BUG();
> + struct task_struct *tsk;
> + unsigned long ssp;
> +
> + /* Read SSP before enabling interrupts. */
> + rdmsrl(MSR_IA32_PL3_SSP, ssp);
> +
> + cond_local_irq_enable(regs);
> +
> + if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
> + WARN_ONCE(1, "User-mode control protection fault with shadow support disabled\n");
So it's ok to get an unexpected #CP on CET-capable hardware, but not on
CET-incapable hardware?
The conditions for this WARN() (and others) probably want adjusting to
what the kernel has enabled, not what hardware is capable of.
> @@ -283,9 +335,29 @@ static int __init ibt_setup(char *str)
> }
>
> __setup("ibt=", ibt_setup);
> -
> +#else
> +static void do_kernel_control_protection_fault(struct pt_regs *regs)
> +{
> + WARN_ONCE(1, "Kernel-mode control protection fault with IBT disabled\n");
> +}
> #endif /* CONFIG_X86_KERNEL_IBT */
>
> +#if defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK)
> +DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
> +{
> + if (!cpu_feature_enabled(X86_FEATURE_IBT) &&
> + !cpu_feature_enabled(X86_FEATURE_SHSTK)) {
> + pr_err("Unexpected #CP\n");
Do some future poor sole a favour and render the numeric error code
too. Without it, the error is ambiguous between SHSTK and IBT when %rip
points at a call/ret instruction.
~Andrew
Powered by blists - more mailing lists