| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5q2zbkzyjknusd3feqolycqialetqfe52yfyzasnr6zp24pmej@4cg2r2hi4pf2>
Date: Wed, 2 Jul 2025 13:17:10 +0300
From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Sohil Mehta <sohil.mehta@...el.com>, Andy Lutomirski <luto@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, Peter Zijlstra <peterz@...radead.org>,
Ard Biesheuvel <ardb@...nel.org>, "Paul E. McKenney" <paulmck@...nel.org>,
Josh Poimboeuf <jpoimboe@...nel.org>, Xiongwei Song <xiongwei.song@...driver.com>,
Xin Li <xin3.li@...el.com>, "Mike Rapoport (IBM)" <rppt@...nel.org>,
Brijesh Singh <brijesh.singh@....com>, Michael Roth <michael.roth@....com>,
Tony Luck <tony.luck@...el.com>, Alexey Kardashevskiy <aik@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
Kai Huang <kai.huang@...el.com>, Sandipan Das <sandipan.das@....com>,
Breno Leitao <leitao@...ian.org>, Rick Edgecombe <rick.p.edgecombe@...el.com>,
Alexei Starovoitov <ast@...nel.org>, Hou Tao <houtao1@...wei.com>, Juergen Gross <jgross@...e.com>,
Vegard Nossum <vegard.nossum@...cle.com>, Kees Cook <kees@...nel.org>, Eric Biggers <ebiggers@...gle.com>,
Jason Gunthorpe <jgg@...pe.ca>, "Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>, Luis Chamberlain <mcgrof@...nel.org>,
Yuntao Wang <ytcoode@...il.com>, Rasmus Villemoes <linux@...musvillemoes.dk>,
Christophe Leroy <christophe.leroy@...roup.eu>, Tejun Heo <tj@...nel.org>, Changbin Du <changbin.du@...wei.com>,
Huang Shijie <shijie@...amperecomputing.com>, Geert Uytterhoeven <geert+renesas@...der.be>,
Namhyung Kim <namhyung@...nel.org>, Arnaldo Carvalho de Melo <acme@...hat.com>,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
linux-mm@...ck.org
Subject: Re: [PATCHv8 14/17] x86/traps: Handle LASS thrown #SS
On Tue, Jul 01, 2025 at 07:06:10PM -0700, H. Peter Anvin wrote:
> On July 1, 2025 6:35:40 PM PDT, Sohil Mehta <sohil.mehta@...el.com> wrote:
> >On 7/1/2025 2:58 AM, Kirill A. Shutemov wrote:
> >> LASS throws a #GP for any violations except for stack register accesses,
> >> in which case it throws a #SS instead. Handle this similarly to how other
> >> LASS violations are handled.
> >>
> >
> >Maybe I've misunderstood something:
> >
> >Is the underlying assumption here that #SS were previously only
> >generated by userspace, but now they can also be generated by the
> >kernel? And we want the kernel generated #SS to behave the same as the #GP?
> >
> >> In case of FRED, before handling #SS as LASS violation, kernel has to
> >> check if there's a fixup for the exception. It can address #SS due to
> >> invalid user context on ERETU. See 5105e7687ad3 ("x86/fred: Fixup
> >> fault on ERETU by jumping to fred_entrypoint_user") for more details.
> >>
> >> Co-developed-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
> >> Signed-off-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
> >> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> >> ---
> >> arch/x86/kernel/traps.c | 39 +++++++++++++++++++++++++++++++++------
> >> 1 file changed, 33 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> >> index ceb091f17a5b..f9ca5b911141 100644
> >> --- a/arch/x86/kernel/traps.c
> >> +++ b/arch/x86/kernel/traps.c
> >> @@ -418,12 +418,6 @@ DEFINE_IDTENTRY_ERRORCODE(exc_segment_not_present)
> >> SIGBUS, 0, NULL);
> >> }
> >>
> >> -DEFINE_IDTENTRY_ERRORCODE(exc_stack_segment)
> >> -{
> >> - do_error_trap(regs, error_code, "stack segment", X86_TRAP_SS, SIGBUS,
> >> - 0, NULL);
> >> -}
> >> -
> >> DEFINE_IDTENTRY_ERRORCODE(exc_alignment_check)
> >> {
> >> char *str = "alignment check";
> >> @@ -866,6 +860,39 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
> >> cond_local_irq_disable(regs);
> >> }
> >>
> >> +#define SSFSTR "stack segment fault"
> >> +
> >> +DEFINE_IDTENTRY_ERRORCODE(exc_stack_segment)
> >> +{
> >> + if (user_mode(regs))
> >> + goto error_trap;
> >> +
> >> + if (cpu_feature_enabled(X86_FEATURE_FRED) &&
> >> + fixup_exception(regs, X86_TRAP_SS, error_code, 0))
> >> + return;
> >> +
> >> + if (cpu_feature_enabled(X86_FEATURE_LASS)) {
> >> + enum kernel_exc_hint hint;
> >> + unsigned long exc_addr;
> >> +
> >> + hint = get_kernel_exc_address(regs, &exc_addr);
> >> + if (hint != EXC_NO_HINT) {
> >
> >The brackets are not needed for singular statements. Also the max line
> >length is longer now. You can fit this all in a single line.
> >
> >> + printk(SSFSTR ", %s 0x%lx", kernel_exc_hint_help[hint],
> >> + exc_addr);
> >> + }
> >> +
> >
> >> + if (hint != EXC_NON_CANONICAL)
> >> + exc_addr = 0;
> >> +
> >> + die_addr(SSFSTR, regs, error_code, exc_addr);
> >
> >The variable names in die_addr() should be generalized as well. They
> >seem to assume the caller to be a #GP handler.
> >
> >> + return;
> >> + }
> >> +
> >> +error_trap:
> >> + do_error_trap(regs, error_code, "stack segment", X86_TRAP_SS, SIGBUS,
> >> + 0, NULL);
> >> +}
> >> +
> >> static bool do_int3(struct pt_regs *regs)
> >> {
> >> int res;
> >
>
> Note: for a FRED system, ERETU can generate #SS for a non-canonical user space RSP even in the absence of LASS, so if that is not currently handled that is an active bug.
It is handled by fixup code inside do_error_trap(). We need to add
explicit fixup before LASS handling to avoid treating bad userspace RSP as
kernel LASS violation.
--
Kiryl Shutsemau / Kirill A. Shutemov
Powered by blists - more mailing lists