| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <SA1PR11MB673435C03F7245425DEB36E7A88C9@SA1PR11MB6734.namprd11.prod.outlook.com>
Date: Sat, 1 Apr 2023 08:12:45 +0000
From: "Li, Xin3" <xin3.li@...el.com>
To: Lai Jiangshan <jiangshanlai@...il.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>,
"bp@...en8.de" <bp@...en8.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"hpa@...or.com" <hpa@...or.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
"Christopherson,, Sean" <seanjc@...gle.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>,
"Kang, Shan" <shan.kang@...el.com>
Subject: RE: [PATCH v6 27/33] x86/fred: fixup fault on ERETU by jumping to
fred_entrypoint_user
> > + /* Copy error code to uregs and adjust stack pointer accordingly */
> > + uregs->orig_ax = error_code;
>
> The address of uregs->orig_ax is below regs->sp, so I think some comments are
> needed here to state why it is safe to write to uregs->orig_ax (a.k.a it is not
> verlapped with regs).
Good point, because it's one of the nice FRED features.
The RSP used by FRED to push a stack frame is not the value in %rsp, it is
calculated from %rsp with the following 2 steps:
1) RSP = %rsp - (IA32_FRED_CONFIG & 0x1c0) // REDZONE of (N * 64) bytes
2) RSP = RSP & ~0x3f // Clearing RSP[5:0] to align to a 64-byte cache line
when the event delivery doesn't trigger a stack level change.
Thus the FRED stack frame error code, i.e., orig_ax, is _always_ on a 64-byte
cache line boundary, and a new stack frame is guaranteed to start below the
error code (An extra REDZONE of (N * 64) bytes may be pushed between), and
it is safe to write to uregs->orig_ax.
Here is an example with a N=1 REDZONE:
64-byte cache line ==> ______________
|___Reserved___|
|__Event_data__|
|_____SS_______|
|_____RSP______|
|_____FLAGS____|
|_____CS_______|
|_____IP_______| <== ERETU stack frame
64-byte cache line ==> |__Error_code__|
|______________|
|______________|
|______________|
|______________|
|______________|
|______________|
|______________| <== RSP after step 1)
64-byte cache line ==> |______________| <== RSP after step 2)
|___Reserved___|
|__Event_data__|
|_____SS_______|
|_____RSP______|
|_____FLAGS____|
|_____CS_______|
|_____IP_______| <== ERETS stack frame
64-byte cache line ==> |__Error_code__|
Xin
Powered by blists - more mailing lists