| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f260ddf9-be67-48e0-8121-6f58d46f7978@citrix.com>
Date: Tue, 5 Dec 2023 12:25:25 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Xin Li <xin3.li@...el.com>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-edac@...r.kernel.org,
linux-hyperv@...r.kernel.org, kvm@...r.kernel.org,
xen-devel@...ts.xenproject.org
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
luto@...nel.org, pbonzini@...hat.com, seanjc@...gle.com,
peterz@...radead.org, jgross@...e.com, ravi.v.shankar@...el.com,
mhiramat@...nel.org, jiangshanlai@...il.com, nik.borisov@...e.com,
shan.kang@...el.com
Subject: Re: [PATCH v13 26/35] x86/fred: FRED entry/exit and dispatch code
On 05/12/2023 10:50 am, Xin Li wrote:
> diff --git a/arch/x86/entry/entry_fred.c b/arch/x86/entry/entry_fred.c
> new file mode 100644
> index 000000000000..215883e90f94
> --- /dev/null
> +++ b/arch/x86/entry/entry_fred.c
> @@ -0,0 +1,230 @@
> ...
> +static noinstr void fred_intx(struct pt_regs *regs)
> +{
> + switch (regs->fred_ss.vector) {
> + /* INT0 */
INTO (for overflow), not INT-zero. However...
> + case X86_TRAP_OF:
> + exc_overflow(regs);
> + return;
> +
> + /* INT3 */
> + case X86_TRAP_BP:
> + exc_int3(regs);
> + return;
... neither OF nor BP will ever enter fred_intx() because they're type
SWEXC not SWINT.
SWINT is strictly the INT $imm8 instruction.
> ...
> +static noinstr void fred_extint(struct pt_regs *regs)
> +{
> + unsigned int vector = regs->fred_ss.vector;
> +
> + if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR))
> + return;
> +
> + if (likely(vector >= FIRST_SYSTEM_VECTOR)) {
> + irqentry_state_t state = irqentry_enter(regs);
> +
> + instrumentation_begin();
> + sysvec_table[vector - FIRST_SYSTEM_VECTOR](regs);
array_index_mask_nospec()
This is easy for an attacker to abuse, to install non-function-pointer
targets into the indirect predictor.
> + instrumentation_end();
> + irqentry_exit(regs, state);
> + } else {
> + common_interrupt(regs, vector);
> + }
> +}
> +
> +static noinstr void fred_exception(struct pt_regs *regs, unsigned long error_code)
> +{
> + /* Optimize for #PF. That's the only exception which matters performance wise */
> + if (likely(regs->fred_ss.vector == X86_TRAP_PF)) {
> + exc_page_fault(regs, error_code);
> + return;
> + }
> +
> + switch (regs->fred_ss.vector) {
> + case X86_TRAP_DE: return exc_divide_error(regs);
> + case X86_TRAP_DB: return fred_exc_debug(regs);
> + case X86_TRAP_BP: return exc_int3(regs);
> + case X86_TRAP_OF: return exc_overflow(regs);
Depending on what you want to do with BP/OF vs fred_intx(), this may
need adjusting.
If you are cross-checking type and vector, then these should be rejected
for not being of type HWEXC.
> + case X86_TRAP_BR: return exc_bounds(regs);
> + case X86_TRAP_UD: return exc_invalid_op(regs);
> + case X86_TRAP_NM: return exc_device_not_available(regs);
> + case X86_TRAP_DF: return exc_double_fault(regs, error_code);
> + case X86_TRAP_TS: return exc_invalid_tss(regs, error_code);
> + case X86_TRAP_NP: return exc_segment_not_present(regs, error_code);
> + case X86_TRAP_SS: return exc_stack_segment(regs, error_code);
> + case X86_TRAP_GP: return exc_general_protection(regs, error_code);
> + case X86_TRAP_MF: return exc_coprocessor_error(regs);
> + case X86_TRAP_AC: return exc_alignment_check(regs, error_code);
> + case X86_TRAP_XF: return exc_simd_coprocessor_error(regs);
> +
> +#ifdef CONFIG_X86_MCE
> + case X86_TRAP_MC: return fred_exc_machine_check(regs);
> +#endif
> +#ifdef CONFIG_INTEL_TDX_GUEST
> + case X86_TRAP_VE: return exc_virtualization_exception(regs);
> +#endif
> +#ifdef CONFIG_X86_KERNEL_IBT
CONFIG_X86_CET
Userspace can use CET even if the kernel isn't compiled with IBT, so
this exception needs handling.
> + case X86_TRAP_CP: return exc_control_protection(regs, error_code);
> +#endif
> + default: return fred_bad_type(regs, error_code);
> + }
> +}
> +
> +__visible noinstr void fred_entry_from_user(struct pt_regs *regs)
> +{
> + unsigned long error_code = regs->orig_ax;
> +
> + /* Invalidate orig_ax so that syscall_get_nr() works correctly */
> + regs->orig_ax = -1;
> +
> + switch (regs->fred_ss.type) {
> + case EVENT_TYPE_EXTINT:
> + return fred_extint(regs);
> + case EVENT_TYPE_NMI:
> + return fred_exc_nmi(regs);
> + case EVENT_TYPE_SWINT:
> + return fred_intx(regs);
> + case EVENT_TYPE_HWEXC:
> + case EVENT_TYPE_SWEXC:
> + case EVENT_TYPE_PRIV_SWEXC:
> + return fred_exception(regs, error_code);
PRIV_SWEXC should have it's own function and not fall into fred_exception().
It is strictly only the ICEBP (INT1) instruction at the moment, so
should fall into bad_type() for any vector other than X86_TRAP_DB.
> + case EVENT_TYPE_OTHER:
> + return fred_other(regs);
> + default:
> + return fred_bad_type(regs, error_code);
> + }
> +}
~Andrew
Powered by blists - more mailing lists