| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZsMNwAsAWr2IxFns@arm.com>
Date: Mon, 19 Aug 2024 10:17:52 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Mark Brown <broonie@...nel.org>
Cc: Will Deacon <will@...nel.org>, Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>,
Marc Zyngier <maz@...nel.org>,
Oliver Upton <oliver.upton@...ux.dev>,
James Morse <james.morse@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Arnd Bergmann <arnd@...db.de>, Oleg Nesterov <oleg@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Shuah Khan <shuah@...nel.org>,
"Rick P. Edgecombe" <rick.p.edgecombe@...el.com>,
Deepak Gupta <debug@...osinc.com>, Ard Biesheuvel <ardb@...nel.org>,
Szabolcs Nagy <Szabolcs.Nagy@....com>, Kees Cook <kees@...nel.org>,
"H.J. Lu" <hjl.tools@...il.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Florian Weimer <fweimer@...hat.com>,
Christian Brauner <brauner@...nel.org>,
Thiago Jung Bauermann <thiago.bauermann@...aro.org>,
Ross Burton <ross.burton@....com>,
linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-mm@...ck.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-riscv@...ts.infradead.org
Subject: Re: [PATCH v10 18/40] arm64/mm: Handle GCS data aborts
On Thu, Aug 01, 2024 at 01:06:45PM +0100, Mark Brown wrote:
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 451ba7cbd5ad..0973dd09f11a 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -486,6 +486,14 @@ static void do_bad_area(unsigned long far, unsigned long esr,
> }
> }
>
> +static bool is_gcs_fault(unsigned long esr)
> +{
> + if (!esr_is_data_abort(esr))
> + return false;
> +
> + return ESR_ELx_ISS2(esr) & ESR_ELx_GCS;
> +}
> +
> static bool is_el0_instruction_abort(unsigned long esr)
> {
> return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
> @@ -500,6 +508,25 @@ static bool is_write_abort(unsigned long esr)
> return (esr & ESR_ELx_WNR) && !(esr & ESR_ELx_CM);
> }
>
> +static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
> +{
> + if (!system_supports_gcs())
> + return false;
> +
> + if (unlikely(is_gcs_fault(esr))) {
> + /* GCS accesses must be performed on a GCS page */
> + if (!(vma->vm_flags & VM_SHADOW_STACK))
> + return true;
> + if (!(vma->vm_flags & VM_WRITE))
> + return true;
Do we need the VM_WRITE check here? Further down in do_page_fault(), we
already do the check as we set vm_flags = VM_WRITE.
> + } else if (unlikely(vma->vm_flags & VM_SHADOW_STACK)) {
> + /* Only GCS operations can write to a GCS page */
> + return is_write_abort(esr);
> + }
> +
> + return false;
> +}
> +
> static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
> struct pt_regs *regs)
> {
> @@ -535,6 +562,14 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
> /* It was exec fault */
> vm_flags = VM_EXEC;
> mm_flags |= FAULT_FLAG_INSTRUCTION;
> + } else if (is_gcs_fault(esr)) {
> + /*
> + * The GCS permission on a page implies both read and
> + * write so always handle any GCS fault as a write fault,
> + * we need to trigger CoW even for GCS reads.
> + */
> + vm_flags = VM_WRITE;
> + mm_flags |= FAULT_FLAG_WRITE;
> } else if (is_write_abort(esr)) {
> /* It was write fault */
> vm_flags = VM_WRITE;
> @@ -568,6 +603,13 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
> if (!vma)
> goto lock_mmap;
>
> + if (is_invalid_gcs_access(vma, esr)) {
> + vma_end_read(vma);
> + fault = 0;
> + si_code = SEGV_ACCERR;
> + goto bad_area;
> + }
> +
> if (!(vma->vm_flags & vm_flags)) {
> vma_end_read(vma);
> fault = 0;
This check I mentioned above.
I was wondering whether we should prevent mprotect(PROT_READ) on the GCS
page. But I guess that's fine, we'll SIGSEGV later if we get an invalid
GCS access.
--
Catalin
Powered by blists - more mailing lists