lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250729214433.734459-1-samuele@cerea.dev>
Date: Tue, 29 Jul 2025 23:44:33 +0200
From: Samuele Cerea <samuele@...ea.dev>
To: x86@...nel.org,
	linux-kernel@...r.kernel.org
Cc: tglx@...utronix.de,
	mingo@...hat.com,
	bp@...en8.de,
	dave.hansen@...ux.intel.com,
	Samuele Cerea <samuele@...ea.dev>
Subject: [PATCH] x86 Handle trap flag when instruction is emulated

When the kernel emulates an instruction (for UIMP instruction emulation
and iopl emulation) the trap flag (TF) is currently ignored. As a result no
SIGTRAP event is delivered when the instruction is emulated successfully,
breaking the expected behavior for signle-stepping in debuggers.

This patch checks if the TF is set and sends the expected SIGTRAP signal
to the user. Other exception take precedence over the trap flag the SIGTRAP
signal is sent only if the emulation was successful.

The bug can be reproduced by signle-stepping in this code:
    nop
    sldt rax
    sldt rax
    nop
The two sldt instruction will be skipped an the debugger will step directly
to the second nop instruction.

Signed-off-by: Samuele Cerea <samuele@...ea.dev>
---
 arch/x86/kernel/traps.c |  9 +++++++++
 arch/x86/kernel/umip.c  | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 36354b470590..6e7d07a5f587 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -705,6 +705,15 @@ static bool fixup_iopl_exception(struct pt_regs *regs)
 	}
 
 	regs->ip += 1;
+
+	/* If the instruction was emulated successfully, emulate trap flag */
+	if (regs->flags & X86_EFLAGS_TF) {
+		t->cr2 = regs->ip;
+		t->trap_nr = X86_TRAP_DB;
+		t->error_code = 0;
+		force_sig_fault(SIGTRAP, TRAP_TRACE, (void __user *)regs->ip);
+	}
+
 	return true;
 }
 
diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c
index 5a4b21389b1d..c4c462074f1d 100644
--- a/arch/x86/kernel/umip.c
+++ b/arch/x86/kernel/umip.c
@@ -342,6 +342,7 @@ bool fixup_umip_exception(struct pt_regs *regs)
 	unsigned long *reg_addr;
 	void __user *uaddr;
 	struct insn insn;
+	struct task_struct *tsk = current;
 
 	if (!regs)
 		return false;
@@ -407,5 +408,14 @@ bool fixup_umip_exception(struct pt_regs *regs)
 
 	/* increase IP to let the program keep going */
 	regs->ip += insn.length;
+
+	/* If the instruction was emulated successfully, emulate trap flag */
+	if (regs->flags & X86_EFLAGS_TF) {
+		tsk->thread.cr2 = regs->ip;
+		tsk->thread.trap_nr = X86_TRAP_DB;
+		tsk->thread.error_code = 0;
+		force_sig_fault(SIGTRAP, TRAP_TRACE, (void __user *)regs->ip);
+	}
+
 	return true;
 }
-- 
2.50.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ