lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87v85qo2fj.ffs@tglx>
Date: Wed, 13 Mar 2024 11:23:44 +0100
From: Thomas Gleixner <tglx@...utronix.de>
To: Pasha Tatashin <pasha.tatashin@...een.com>,
 linux-kernel@...r.kernel.org, linux-mm@...ck.org,
 akpm@...ux-foundation.org, x86@...nel.org, bp@...en8.de,
 brauner@...nel.org, bristot@...hat.com, bsegall@...gle.com,
 dave.hansen@...ux.intel.com, dianders@...omium.org,
 dietmar.eggemann@....com, eric.devolder@...cle.com, hca@...ux.ibm.com,
 hch@...radead.org, hpa@...or.com, jacob.jun.pan@...ux.intel.com,
 jgg@...pe.ca, jpoimboe@...nel.org, jroedel@...e.de, juri.lelli@...hat.com,
 kent.overstreet@...ux.dev, kinseyho@...gle.com,
 kirill.shutemov@...ux.intel.com, lstoakes@...il.com, luto@...nel.org,
 mgorman@...e.de, mic@...ikod.net, michael.christie@...cle.com,
 mingo@...hat.com, mjguzik@...il.com, mst@...hat.com, npiggin@...il.com,
 peterz@...radead.org, pmladek@...e.com, rick.p.edgecombe@...el.com,
 rostedt@...dmis.org, surenb@...gle.com, urezki@...il.com,
 vincent.guittot@...aro.org, vschneid@...hat.com, pasha.tatashin@...een.com
Subject: Re: [RFC 11/14] x86: add support for Dynamic Kernel Stacks

On Mon, Mar 11 2024 at 16:46, Pasha Tatashin wrote:
> @@ -413,6 +413,9 @@ DEFINE_IDTENTRY_DF(exc_double_fault)
>  	}
>  #endif
>  
> +	if (dynamic_stack_fault(current, address))
> +		return;
> +
>  	irqentry_nmi_enter(regs);
>  	instrumentation_begin();
>  	notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index d6375b3c633b..651c558b10eb 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -1198,6 +1198,9 @@ do_kern_addr_fault(struct pt_regs *regs, unsigned long hw_error_code,
>  	if (is_f00f_bug(regs, hw_error_code, address))
>  		return;
>  
> +	if (dynamic_stack_fault(current, address))
> +		return;

T1 schedules out with stack used close to the fault boundary.

   switch_to(T2)

Now T1 schedules back in

   switch_to(T1)
     __switch_to_asm()
        ...
        switch_stacks()         <- SP on T1 stack
!        ...                    
!       jmp __switch_to()
!    __switch_to()
!       ...
!       raw_cpu_write(pcpu_hot.current_task, next_p);

After switching SP to T1's stack and up to the point where
pcpu_hot.current_task (aka current) is updated to T1 a stack fault will
invoke dynamic_stack_fault(T2, address) which will return false here:

	/* check if address is inside the kernel stack area */
	stack = (unsigned long)tsk->stack;
	if (address < stack || address >= stack + THREAD_SIZE)
		return false;

because T2's stack does obviously not cover the faulting address on T1's
stack. As a consequence double fault will panic the machine.

Thanks,

        tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ