| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANXhq0oZz=TTT=py=1BO3OZf45Wg=-bFyNpn+JRLNufHceLjcQ@mail.gmail.com>
Date: Wed, 16 Jul 2025 10:06:28 +0800
From: Zong Li <zong.li@...ive.com>
To: Deepak Gupta <debug@...osinc.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>, Andrew Morton <akpm@...ux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>, Vlastimil Babka <vbabka@...e.cz>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>,
Conor Dooley <conor@...nel.org>, Rob Herring <robh@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Arnd Bergmann <arnd@...db.de>,
Christian Brauner <brauner@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
Oleg Nesterov <oleg@...hat.com>, Eric Biederman <ebiederm@...ssion.com>, Kees Cook <kees@...nel.org>,
Jonathan Corbet <corbet@....net>, Shuah Khan <shuah@...nel.org>, Jann Horn <jannh@...gle.com>,
Conor Dooley <conor+dt@...nel.org>, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
linux-riscv@...ts.infradead.org, devicetree@...r.kernel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kselftest@...r.kernel.org, alistair.francis@....com,
richard.henderson@...aro.org, jim.shu@...ive.com, andybnac@...il.com,
kito.cheng@...ive.com, charlie@...osinc.com, atishp@...osinc.com,
evan@...osinc.com, cleger@...osinc.com, alexghiti@...osinc.com,
samitolvanen@...gle.com, broonie@...nel.org, rick.p.edgecombe@...el.com,
rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v17 15/27] riscv/traps: Introduce software check exception
and uprobe handling
On Wed, Jul 16, 2025 at 5:34 AM Deepak Gupta <debug@...osinc.com> wrote:
>
> Hi Zong,
>
>
> On Thu, Jun 19, 2025 at 7:16 PM Zong Li <zong.li@...ive.com> wrote:
> >
> > On Mon, Jun 16, 2025 at 3:31 PM Zong Li <zong.li@...ive.com> wrote:
> > >
> > > On Thu, Jun 5, 2025 at 1:17 AM Deepak Gupta <debug@...osinc.com> wrote:
> > > >
> > > > zicfiss / zicfilp introduces a new exception to priv isa `software check
> > > > exception` with cause code = 18. This patch implements software check
> > > > exception.
> > > >
> .....
>
> > > When a user mode CFI violation occurs, the ELP state should be 1, and
> > > the system traps into supervisor mode. During this trap, sstatus.SPELP
> > > is set to 1, and the ELP state is reset to 0. If we don’t clear
> > > sstatus.SPELP, the ELP state will become 1 again after executing the
> > > sret instruction. As a result, the system might trigger another
> > > forward CFI violation upon executing the next instruction in the user
> > > program, unless it happens to be a lpad instruction.
> > >
> > > The previous patch was tested on QEMU, but QEMU does not set the
> > > sstatus.SPELP bit to 1 when a forward CFI violation occurs. Therefore,
> > > I suspect that QEMU might also require some fixes.
> >
> > Hi Deepak,
> > The issue with QEMU was that the sw-check exception bit in medeleg
> > couldn't be set. This has been fixed in the latest QEMU mainline. I
> > have re-tested the latest QEMU version, and it works.
>
> What was this issue, can you point me to the patch in mainline?
Hi Deepak
The issue was that my QEMU setup somehow missed the change of
`target/riscv/csr.c` in your following patch:
https://github.com/qemu/qemu/commit/6031102401ae8a69a87b20fbec2aae666625d96a
After I upgraded to the latest QEMU source, I found the kernel issue
if we didn't clear sstatus.SPELP in the handler
Thanks
>
> >
> > >
> > > Thanks
> > >
> > > > +
> > > > + if (is_fcfi || is_bcfi) {
> > > > + do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc,
> > > > + "Oops - control flow violation");
> > > > + return true;
> > > > + }
> > > > +
> > > > + return false;
> > > > +}
> > > > +
> > > > +/*
> > > > + * software check exception is defined with risc-v cfi spec. Software check
> > > > + * exception is raised when:-
> > > > + * a) An indirect branch doesn't land on 4 byte aligned PC or `lpad`
> > > > + * instruction or `label` value programmed in `lpad` instr doesn't
> > > > + * match with value setup in `x7`. reported code in `xtval` is 2.
> > > > + * b) `sspopchk` instruction finds a mismatch between top of shadow stack (ssp)
> > > > + * and x1/x5. reported code in `xtval` is 3.
> > > > + */
> > > > +asmlinkage __visible __trap_section void do_trap_software_check(struct pt_regs *regs)
> > > > +{
> > > > + if (user_mode(regs)) {
> > > > + irqentry_enter_from_user_mode(regs);
> > > > +
> > > > + /* not a cfi violation, then merge into flow of unknown trap handler */
> > > > + if (!handle_user_cfi_violation(regs))
> > > > + do_trap_unknown(regs);
> > > > +
> > > > + irqentry_exit_to_user_mode(regs);
> > > > + } else {
> > > > + /* sw check exception coming from kernel is a bug in kernel */
> > > > + die(regs, "Kernel BUG");
> > > > + }
> > > > +}
> > > > +
> > > > #ifdef CONFIG_MMU
> > > > asmlinkage __visible noinstr void do_page_fault(struct pt_regs *regs)
> > > > {
> > > >
> > > > --
> > > > 2.43.0
> > > >
Powered by blists - more mailing lists