| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4DE45AFD-C1E0-4FB8-BE01-44A72C5C6E1E@zytor.com>
Date: Tue, 01 Jul 2025 19:06:10 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: Sohil Mehta <sohil.mehta@...el.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Ard Biesheuvel <ardb@...nel.org>,
"Paul E. McKenney" <paulmck@...nel.org>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Xiongwei Song <xiongwei.song@...driver.com>,
Xin Li <xin3.li@...el.com>, "Mike Rapoport (IBM)" <rppt@...nel.org>,
Brijesh Singh <brijesh.singh@....com>,
Michael Roth <michael.roth@....com>, Tony Luck <tony.luck@...el.com>,
Alexey Kardashevskiy <aik@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>
CC: Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
Kai Huang <kai.huang@...el.com>, Sandipan Das <sandipan.das@....com>,
Breno Leitao <leitao@...ian.org>,
Rick Edgecombe <rick.p.edgecombe@...el.com>,
Alexei Starovoitov <ast@...nel.org>, Hou Tao <houtao1@...wei.com>,
Juergen Gross <jgross@...e.com>,
Vegard Nossum <vegard.nossum@...cle.com>, Kees Cook <kees@...nel.org>,
Eric Biggers <ebiggers@...gle.com>, Jason Gunthorpe <jgg@...pe.ca>,
"Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Luis Chamberlain <mcgrof@...nel.org>, Yuntao Wang <ytcoode@...il.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Tejun Heo <tj@...nel.org>, Changbin Du <changbin.du@...wei.com>,
Huang Shijie <shijie@...amperecomputing.com>,
Geert Uytterhoeven <geert+renesas@...der.be>,
Namhyung Kim <namhyung@...nel.org>,
Arnaldo Carvalho de Melo <acme@...hat.com>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
linux-mm@...ck.org
Subject: Re: [PATCHv8 14/17] x86/traps: Handle LASS thrown #SS
On July 1, 2025 6:35:40 PM PDT, Sohil Mehta <sohil.mehta@...el.com> wrote:
>On 7/1/2025 2:58 AM, Kirill A. Shutemov wrote:
>> LASS throws a #GP for any violations except for stack register accesses,
>> in which case it throws a #SS instead. Handle this similarly to how other
>> LASS violations are handled.
>>
>
>Maybe I've misunderstood something:
>
>Is the underlying assumption here that #SS were previously only
>generated by userspace, but now they can also be generated by the
>kernel? And we want the kernel generated #SS to behave the same as the #GP?
>
>> In case of FRED, before handling #SS as LASS violation, kernel has to
>> check if there's a fixup for the exception. It can address #SS due to
>> invalid user context on ERETU. See 5105e7687ad3 ("x86/fred: Fixup
>> fault on ERETU by jumping to fred_entrypoint_user") for more details.
>>
>> Co-developed-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
>> Signed-off-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
>> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
>> ---
>> arch/x86/kernel/traps.c | 39 +++++++++++++++++++++++++++++++++------
>> 1 file changed, 33 insertions(+), 6 deletions(-)
>>
>> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
>> index ceb091f17a5b..f9ca5b911141 100644
>> --- a/arch/x86/kernel/traps.c
>> +++ b/arch/x86/kernel/traps.c
>> @@ -418,12 +418,6 @@ DEFINE_IDTENTRY_ERRORCODE(exc_segment_not_present)
>> SIGBUS, 0, NULL);
>> }
>>
>> -DEFINE_IDTENTRY_ERRORCODE(exc_stack_segment)
>> -{
>> - do_error_trap(regs, error_code, "stack segment", X86_TRAP_SS, SIGBUS,
>> - 0, NULL);
>> -}
>> -
>> DEFINE_IDTENTRY_ERRORCODE(exc_alignment_check)
>> {
>> char *str = "alignment check";
>> @@ -866,6 +860,39 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
>> cond_local_irq_disable(regs);
>> }
>>
>> +#define SSFSTR "stack segment fault"
>> +
>> +DEFINE_IDTENTRY_ERRORCODE(exc_stack_segment)
>> +{
>> + if (user_mode(regs))
>> + goto error_trap;
>> +
>> + if (cpu_feature_enabled(X86_FEATURE_FRED) &&
>> + fixup_exception(regs, X86_TRAP_SS, error_code, 0))
>> + return;
>> +
>> + if (cpu_feature_enabled(X86_FEATURE_LASS)) {
>> + enum kernel_exc_hint hint;
>> + unsigned long exc_addr;
>> +
>> + hint = get_kernel_exc_address(regs, &exc_addr);
>> + if (hint != EXC_NO_HINT) {
>
>The brackets are not needed for singular statements. Also the max line
>length is longer now. You can fit this all in a single line.
>
>> + printk(SSFSTR ", %s 0x%lx", kernel_exc_hint_help[hint],
>> + exc_addr);
>> + }
>> +
>
>> + if (hint != EXC_NON_CANONICAL)
>> + exc_addr = 0;
>> +
>> + die_addr(SSFSTR, regs, error_code, exc_addr);
>
>The variable names in die_addr() should be generalized as well. They
>seem to assume the caller to be a #GP handler.
>
>> + return;
>> + }
>> +
>> +error_trap:
>> + do_error_trap(regs, error_code, "stack segment", X86_TRAP_SS, SIGBUS,
>> + 0, NULL);
>> +}
>> +
>> static bool do_int3(struct pt_regs *regs)
>> {
>> int res;
>
Note: for a FRED system, ERETU can generate #SS for a non-canonical user space RSP even in the absence of LASS, so if that is not currently handled that is an active bug.
Powered by blists - more mailing lists