lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5dd74948-a951-4a7a-84ac-7e75cc26bb46@zytor.com>
Date: Wed, 17 Apr 2024 07:59:25 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: Borislav Petkov <bp@...en8.de>, "Xin Li (Intel)" <xin@...or.com>
Cc: linux-kernel@...r.kernel.org, luto@...nel.org, tglx@...utronix.de,
        mingo@...hat.com, dave.hansen@...ux.intel.com, x86@...nel.org
Subject: Re: [PATCH v3 1/1] x86/fred: Fix INT80 emulation for FRED

On 4/17/24 02:38, Borislav Petkov wrote:
> On Tue, Apr 16, 2024 at 11:30:01PM -0700, Xin Li (Intel) wrote:
>> 3) The FRED kernel entry handler does *NOT* dispatch INT instructions,
>>     which is of event type EVENT_TYPE_SWINT, so compared with
>>     do_int80_emulation(), there is no need to do any user mode check.
> 
> What does that mean?
> 
> An event handler doesn't dispatch INT insns?
> 
> /me is confused.

FRED has separate entry flows depending on if the event came from user 
space or kernel space:

asm_fred_entrypoint_user -> fred_entry_from_user

asm_fred_entrypoint_kernel -> fred_entry_from_kernel

fred_entry_from_kernel does not invoke fred_intx() if the event type is 
EVENT_TYPE_SWINT, instead it falls through to fred_bad_type(). Perhaps 
fred_intx() should be renamed fred_intx_user() for additional clarity.

(It might also we worth noting in that function that the reason int 
$0x03 and int $0x04 are dispatched as INT3 and INTO is to be fully user 
space compatible with legacy IDT, which behaves similarly.)

Thus, the int $0x80 code is simply not reachable from kernel space; if 
kernel code were to invoke int $0x80 or any other INT instruction it 
will error out before getting to this code.

>> +#ifdef CONFIG_X86_FRED
>> +/*
>> + * A FRED-specific INT80 handler fred_int80_emulation() is required:
>> + *
>> + * 1) As INT instructions and hardware interrupts are separate event
>> + *    types, FRED does not preclude the use of vector 0x80 for external
>> + *    interrupts. As a result the FRED setup code does *NOT* reserve
>> + *    vector 0x80 and calling int80_is_external() is not merely
>> + *    suboptimal but actively incorrect: it could cause a system call
>> + *    to be incorrectly ignored.
>> + *
>> + * 2) fred_int80_emulation(), only called for handling vector 0x80 of
>> + *    event type EVENT_TYPE_SWINT, will NEVER be called to handle any
>> + *    external interrupt (event type EVENT_TYPE_EXTINT).
>> + *
>> + * 3) The FRED kernel entry handler does *NOT* dispatch INT instructions,
>> + *    which is of event type EVENT_TYPE_SWINT, so compared with
>> + *    do_int80_emulation(), there is no need to do any user mode check.
>> + *
>> + * 4) int80_emulation() does a CLEAR_BRANCH_HISTORY, which is likely
>> + *    overkill for new x86 CPU implementations that support FRED.
>> + *
>> + * 5) int $0x80 is the FAST path for 32-bit system calls under FRED.
>> + *
>> + * A dedicated FRED INT80 handler duplicates quite a bit of the code in
>> + * do_int80_emulation(), but it avoids sprinkling more tests and seems
>> + * more readable. Just remember that we can always unify common stuff
>> + * later if it turns out that it won't diverge anymore, i.e., after the
>> + * FRED code settles.
>> + */
> 
> And this is talking about duplication above and that text is duplicated
> from the commit message. :)
> 
> I'll zap it when applying.
> 

I suggested putting it into a comment for future reference. Obviously no 
need to duplicate it in the commit message :)

	-hpa

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ