From: Borislav Petkov <bp@alien8.de>
To: Andy Lutomirski <luto@kernel.org>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
Oleg Nesterov <oleg@redhat.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Brian Gerst <brgerst@gmail.com>
Subject: Re: [PATCH v2 07/10] x86/entry: Vastly simplify SYSENTER TF handling
Date: Sun, 6 Mar 2016 17:55:46 +0100 [thread overview]
Message-ID: <20160306165546.GA6902@pd.tnic> (raw)
In-Reply-To: <c7b7efc9e2e1e14f416b9736b95f90e47c4557b3.1457243356.git.luto@kernel.org>
On Sat, Mar 05, 2016 at 09:52:20PM -0800, Andy Lutomirski wrote:
> Due to a blatant design error, SYSENTER doesn't clear TF. As a result,
> if a user does SYSENTER with TF set, we will single-step through the
> kernel until something clears TF. There is absolutely nothing we can
> do to prevent this short of turning off SYSENTER [1].
>
> Simplify the handling considerably with two changes:
>
> 1. We already sanitize EFLAGS in SYSENTER to clear NT and AC. We can
> add TF to that list of flags to sanitize with no overhead whatsoever.
>
> 2. Teach do_debug to ignore single-step traps in the SYSENTER prologue.
>
> That's all we need to do.
>
> Don't get too excited -- our handling is still buggy on 32-bit
> kernels. There's nothing wrong with the SYSENTER code itself, but
> the #DB prologue has a clever fixup for traps on the very first
> instruction of entry_SYSENTER_32, and the fixup doesn't work quite
> correctly. The next two patches will fix that.
>
> [1] We could probably prevent it by forcing BTF on at all times and
> making sure we clear TF before any branches in the SYSENTER
> code. Needless to say, this is a bad idea.
>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> ---
> arch/x86/entry/entry_32.S | 42 ++++++++++++++++++++++----------
> arch/x86/entry/entry_64_compat.S | 9 ++++++-
> arch/x86/include/asm/proto.h | 15 ++++++++++--
> arch/x86/kernel/traps.c | 52 +++++++++++++++++++++++++++++++++-------
> 4 files changed, 94 insertions(+), 24 deletions(-)
>
> diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
> index a8c3424c3392..7700cf695d8c 100644
> --- a/arch/x86/entry/entry_32.S
> +++ b/arch/x86/entry/entry_32.S
> @@ -287,7 +287,26 @@ need_resched:
> END(resume_kernel)
> #endif
>
> - # SYSENTER call handler stub
> +GLOBAL(__begin_SYSENTER_singlestep_region)
> +/*
> + * All code from here through __end_SYSENTER_singlestep_region is subject
> + * to being single-stepped if a user program sets TF and executes SYSENTER.
> + * There is absolutely nothing that we can do to prevent this from happening
> + * (thanks Intel!). To keep our handling of this situation as simple as
> + * possible, we handle TF just like AC and NT, except that our #DB handler
> + * will ignore all of the single-step traps generated in this range.
> + */
> +
> +#ifdef CONFIG_XEN
> +/*
> + * Xen doesn't set %esp to be precisely what the normal SYSENTER
> + * entry point expects, so fix it up before using the normal path.
> + */
> +ENTRY(xen_sysenter_target)
> + addl $5*4, %esp /* remove xen-provided frame */
> + jmp sysenter_past_esp
> +#endif
> +
> ENTRY(entry_SYSENTER_32)
> movl TSS_sysenter_sp0(%esp), %esp
> sysenter_past_esp:
Can you do this below (ontop of your diff) and get rid of those
__{begin,end}_SYSENTER_singlestep_region and __end_entry_SYSENTER_compat
globals and use the entry_SYSENTER_{32|compat} symbols instead?
>From a quick scan, kallsyms can give you the symbol size too so that you
can compute where it ends:
readelf -a vmlinux | grep entry_SYSENTER
55454: ffffffff8170aff0 99 FUNC GLOBAL DEFAULT 1 entry_SYSENTER_compat
62596: ffffffff8170b053 0 NOTYPE GLOBAL DEFAULT 1 __end_entry_SYSENTER_comp
0xffffffff8170aff0 + 99 = 0xffffffff8170b053
---
Index: b/arch/x86/entry/entry_32.S
===================================================================
--- a/arch/x86/entry/entry_32.S 2016-03-06 17:47:10.059733163 +0100
+++ b/arch/x86/entry/entry_32.S 2016-03-06 17:46:52.235733410 +0100
@@ -297,18 +297,13 @@ GLOBAL(__begin_SYSENTER_singlestep_regio
* will ignore all of the single-step traps generated in this range.
*/
+ENTRY(entry_SYSENTER_32)
#ifdef CONFIG_XEN
-/*
- * Xen doesn't set %esp to be precisely what the normal SYSENTER
- * entry point expects, so fix it up before using the normal path.
- */
-ENTRY(xen_sysenter_target)
addl $5*4, %esp /* remove xen-provided frame */
jmp sysenter_past_esp
-#endif
-
-ENTRY(entry_SYSENTER_32)
+#else
movl TSS_sysenter_sp0(%esp), %esp
+#endif
sysenter_past_esp:
pushl $__USER_DS /* pt_regs->ss */
pushl %ebp /* pt_regs->sp (stashed in bp) */
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
next prev parent reply other threads:[~2016-03-06 16:56 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-06 5:52 [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 01/10] selftests/x86: In syscall_nt, test NT|TF as well Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 02/10] x86/entry/compat: In SYSENTER, sink AC clearing below the existing FLAGS test Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 03/10] x86/entry/32: Filter NT and speed up AC filtering in SYSENTER Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 04/10] x86/entry/32: Restore FLAGS on SYSEXIT Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 05/10] x86/traps: Clear TIF_BLOCKSTEP on all debug exceptions Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 06/10] x86/traps: Clear DR6 early in do_debug and improve the comment Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 07/10] x86/entry: Vastly simplify SYSENTER TF handling Andy Lutomirski
2016-03-06 16:55 ` Borislav Petkov [this message]
2016-03-06 17:30 ` Brian Gerst
2016-03-06 17:36 ` Andy Lutomirski
2016-03-06 18:01 ` Borislav Petkov
2016-03-06 18:20 ` Andrew Cooper
2016-03-07 17:17 ` Brian Gerst
2016-03-07 18:03 ` Andy Lutomirski
2016-03-07 18:41 ` Brian Gerst
2016-03-07 18:46 ` Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 08/10] x86/entry: Only allocate space for SYSENTER_stack if needed Andy Lutomirski
2016-03-06 5:52 ` [PATCH v2 09/10] x86/entry/32: Simplify and fix up the SYSENTER stack #DB/NMI fixup Andy Lutomirski
2016-03-08 6:36 ` Borislav Petkov
2016-03-06 5:52 ` [PATCH v2 10/10] x86/entry/32: Add and check a stack canary for the SYSENTER stack Andy Lutomirski
2016-03-08 6:40 ` Borislav Petkov
2016-03-09 21:22 ` Andy Lutomirski
2016-03-06 8:22 ` [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups Ingo Molnar
2016-03-06 16:16 ` Andy Lutomirski
2016-03-07 8:29 ` Ingo Molnar
2016-03-06 8:31 ` Ingo Molnar
2016-03-06 16:16 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160306165546.GA6902@pd.tnic \
--to=bp@alien8.de \
--cc=andrew.cooper3@citrix.com \
--cc=brgerst@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.