lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 1 Apr 2023 08:12:45 +0000
From:   "Li, Xin3" <xin3.li@...el.com>
To:     Lai Jiangshan <jiangshanlai@...il.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "bp@...en8.de" <bp@...en8.de>,
        "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
        "hpa@...or.com" <hpa@...or.com>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
        "Christopherson,, Sean" <seanjc@...gle.com>,
        "pbonzini@...hat.com" <pbonzini@...hat.com>,
        "Shankar, Ravi V" <ravi.v.shankar@...el.com>,
        "Kang, Shan" <shan.kang@...el.com>
Subject: RE: [PATCH v6 27/33] x86/fred: fixup fault on ERETU by jumping to
 fred_entrypoint_user

> > +       /* Copy error code to uregs and adjust stack pointer accordingly */
> > +       uregs->orig_ax = error_code;
> 
> The address of uregs->orig_ax is below regs->sp, so I think some comments are
> needed here to state why it is safe to write to uregs->orig_ax (a.k.a it is not
> verlapped with regs).

Good point, because it's one of the nice FRED features.

The RSP used by FRED to push a stack frame is not the value in %rsp, it is
calculated from %rsp with the following 2 steps:
  1) RSP = %rsp - (IA32_FRED_CONFIG & 0x1c0) // REDZONE of (N * 64) bytes
  2) RSP = RSP & ~0x3f // Clearing RSP[5:0] to align to a 64-byte cache line
when the event delivery doesn't trigger a stack level change.

Thus the FRED stack frame error code, i.e., orig_ax, is _always_ on a 64-byte
cache line boundary, and a new stack frame is guaranteed to start below the
error code (An extra REDZONE of (N * 64) bytes may be pushed between), and
it is safe to write to uregs->orig_ax.

Here is an example with a N=1 REDZONE:

  64-byte cache line ==>  ______________
                         |___Reserved___|
                         |__Event_data__|
                         |_____SS_______|
                         |_____RSP______|
                         |_____FLAGS____|
                         |_____CS_______|
                         |_____IP_______|  <== ERETU stack frame
  64-byte cache line ==> |__Error_code__|
                         |______________|
                         |______________|
                         |______________|
                         |______________|
                         |______________|
                         |______________|
                         |______________|  <== RSP after step 1)
  64-byte cache line ==> |______________|  <== RSP after step 2)
                         |___Reserved___|
                         |__Event_data__|
                         |_____SS_______|
                         |_____RSP______|
                         |_____FLAGS____|
                         |_____CS_______|
                         |_____IP_______|  <== ERETS stack frame
  64-byte cache line ==> |__Error_code__|

    Xin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ