lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <F554C5FE-5074-410A-B0B5-EFE983D57946@zytor.com>
Date:   Mon, 23 Jan 2023 11:43:35 -0800
From:   "H. Peter Anvin" <hpa@...or.com>
To:     Ammar Faizi <ammarfaizi2@...weeb.org>
CC:     Dave Hansen <dave.hansen@...el.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "Li, Xin3" <xin3.li@...el.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Peter Zijlstra <peterz@...radead.org>,
        "x86@...nel.org" <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: the x86 sysret_rip test fails on the Intel FRED architecture

On January 23, 2023 1:02:22 AM PST, Ammar Faizi <ammarfaizi2@...weeb.org> wrote:
>On 1/23/23 6:45 AM, H. Peter Anvin wrote:
>> static enum regs_ok check_regs_syscall(int syscall,
>>      unsigned long arg1, unsigned long arg2)
>> {
>> 
>>      register unsigned long r11 asm("%r11");
>>      unsigned long rcx, rbx, tmp;
>
>tmp is unused.
>
>>      r11 = r11_sentinel;
>>      rcx = rcx_sentinel;
>> 
>>      asm volatile("push %3; popf; "
>>               "lea 1f(%%rip),%2; "
>>               "syscall; "
>>               "1:"
>>               : "+r" (r11), "+c" (rcx), "=b" (rbx)
>>               : "g" (rflags_sentinel),
>>                 "a" (syscall), "D" (arg1), "S" (arg2));
>
>BTW, I just realized this "push" is unsafe for userspace code if the
>compiler decides to inline this inside a leaf function that uses the
>redzone.
>
>Reason: Because this "push;" clobbers redzone.
>
>It doesn't always happen, but when that happens it can be confusing to
>debug.
>
>A simple workaround is: just compile it with "-mno-red-zone" flag.
>
>Alternative, without using that flag, maybe preserve the value like:
>
>    movq    -8(%rsp), %r12
>    pushq   %[rflags_sentinel]
>    popf
>    movq    %r12, -8(%rsp)
>    syscall
>
>with "r12" and "memory" added to the clobber list.
>
>What do you think?
>

Good spotting. %rax needs to be marked clobbered, too.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ