From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-arm-kernel@lists.infradead.org,
kernel-hardening@lists.openwall.com, labbott@fedoraproject.org,
will.deacon@arm.com, dave.martin@arm.com,
catalin.marinas@arm.com
Subject: Re: [kernel-hardening] Re: [RFC PATCH 10/10] arm64: kernel: add support for virtually mapped stacks
Date: Thu, 13 Jul 2017 10:12:59 +0100 [thread overview]
Message-ID: <20170713091259.GA26194@leverpostej> (raw)
In-Reply-To: <20170712225937.GA25816@leverpostej>
On Wed, Jul 12, 2017 at 11:59:38PM +0100, Mark Rutland wrote:
> On Wed, Jul 12, 2017 at 03:44:23PM +0100, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> > index 2ba3185b1c78..4c3e82d6e2f2 100644
> > --- a/arch/arm64/kernel/entry.S
> > +++ b/arch/arm64/kernel/entry.S
> > @@ -392,6 +392,20 @@ ENDPROC(el1_error_invalid)
> > */
> > .align 6
> > el1_sync:
> > +#ifdef CONFIG_VMAP_STACK
> > + /*
> > + * When taking an exception from EL1, we need to check whether it is
> > + * caused by a faulting out-of-bounds access to the virtually mapped
> > + * stack before we can attempt to preserve the interrupted context.
> > + */
> > + msr tpidrro_el0, x0 // stash x0
> > + mrs x0, far_el1 // get faulting address
> > + tbnz x0, #63, .Lcheck_stack_ovf // check if not user address
>
> One thing I don't like about this is that we're reading FAR_EL1 even
> though we don't know whether it's valid. It could contain junk, and we
> could spuriously jump into the slow path. That's liable to make
> performance erratic.
Once I sent this, I realised what I said wasn't quite right.
It's true that FAR_EL1 is UNKNOWN in some cases, but today those are all
fatal (e.g. if we take an UNDEFINED exception due to a bad instruction
at EL1).
So my performance concern was spurious; sorry for the noise.
However, so as to not mis-report those fatal cases, we either need to
inspect the SP or ESR_EL1 to determine that FAR_EL1 is valid and/or this
was a stack-overflow
If we follow the approach of this series, we can move those checks into
the check_stack_ovf slow path.
Thanks,
Mark.
WARNING: multiple messages have this Message-ID (diff)
From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [kernel-hardening] Re: [RFC PATCH 10/10] arm64: kernel: add support for virtually mapped stacks
Date: Thu, 13 Jul 2017 10:12:59 +0100 [thread overview]
Message-ID: <20170713091259.GA26194@leverpostej> (raw)
In-Reply-To: <20170712225937.GA25816@leverpostej>
On Wed, Jul 12, 2017 at 11:59:38PM +0100, Mark Rutland wrote:
> On Wed, Jul 12, 2017 at 03:44:23PM +0100, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> > index 2ba3185b1c78..4c3e82d6e2f2 100644
> > --- a/arch/arm64/kernel/entry.S
> > +++ b/arch/arm64/kernel/entry.S
> > @@ -392,6 +392,20 @@ ENDPROC(el1_error_invalid)
> > */
> > .align 6
> > el1_sync:
> > +#ifdef CONFIG_VMAP_STACK
> > + /*
> > + * When taking an exception from EL1, we need to check whether it is
> > + * caused by a faulting out-of-bounds access to the virtually mapped
> > + * stack before we can attempt to preserve the interrupted context.
> > + */
> > + msr tpidrro_el0, x0 // stash x0
> > + mrs x0, far_el1 // get faulting address
> > + tbnz x0, #63, .Lcheck_stack_ovf // check if not user address
>
> One thing I don't like about this is that we're reading FAR_EL1 even
> though we don't know whether it's valid. It could contain junk, and we
> could spuriously jump into the slow path. That's liable to make
> performance erratic.
Once I sent this, I realised what I said wasn't quite right.
It's true that FAR_EL1 is UNKNOWN in some cases, but today those are all
fatal (e.g. if we take an UNDEFINED exception due to a bad instruction
at EL1).
So my performance concern was spurious; sorry for the noise.
However, so as to not mis-report those fatal cases, we either need to
inspect the SP or ESR_EL1 to determine that FAR_EL1 is valid and/or this
was a stack-overflow
If we follow the approach of this series, we can move those checks into
the check_stack_ovf slow path.
Thanks,
Mark.
next prev parent reply other threads:[~2017-07-13 9:12 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-12 14:44 [kernel-hardening] [RFC PATCH 00/10] arm64: allow virtually mapped stacks to be enabled Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 01/10] arm64/lib: copy_page: use consistent prefetch stride Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 02/10] arm64/lib: copy_page: avoid x18 register in assembler code Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 03/10] arm64: crypto: avoid register x18 in scalar AES code Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 04/10] arm64: kvm: stop treating register x18 as caller save Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 05/10] arm64: kernel: avoid x18 as an arbitrary temp register Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 06/10] arm64: kbuild: reserve reg x18 from general allocation by the compiler Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 07/10] arm64: kernel: switch to register x18 as a task struct pointer Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-13 10:41 ` [kernel-hardening] " Dave Martin
2017-07-13 10:41 ` Dave Martin
2017-07-13 12:27 ` [kernel-hardening] " Ard Biesheuvel
2017-07-13 12:27 ` Ard Biesheuvel
2017-07-13 14:11 ` [kernel-hardening] " Dave Martin
2017-07-13 14:11 ` Dave Martin
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 08/10] arm64/kernel: dump entire stack if sp points elsewhere Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 09/10] arm64: mm: add C level handling for stack overflows Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 14:44 ` [kernel-hardening] [RFC PATCH 10/10] arm64: kernel: add support for virtually mapped stacks Ard Biesheuvel
2017-07-12 14:44 ` Ard Biesheuvel
2017-07-12 22:59 ` [kernel-hardening] " Mark Rutland
2017-07-12 22:59 ` Mark Rutland
2017-07-13 9:12 ` Mark Rutland [this message]
2017-07-13 9:12 ` [kernel-hardening] " Mark Rutland
2017-07-13 10:35 ` Dave Martin
2017-07-13 10:35 ` Dave Martin
2017-07-12 20:12 ` [kernel-hardening] Re: [RFC PATCH 00/10] arm64: allow virtually mapped stacks to be enabled Laura Abbott
2017-07-12 20:12 ` Laura Abbott
2017-07-12 20:49 ` [kernel-hardening] " Ard Biesheuvel
2017-07-12 20:49 ` Ard Biesheuvel
2017-07-12 21:32 ` [kernel-hardening] " Andy Lutomirski
2017-07-12 21:32 ` Andy Lutomirski
2017-07-12 22:47 ` [kernel-hardening] " Mark Rutland
2017-07-12 22:47 ` Mark Rutland
2017-07-13 6:51 ` [kernel-hardening] " Ard Biesheuvel
2017-07-13 6:51 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170713091259.GA26194@leverpostej \
--to=mark.rutland@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=dave.martin@arm.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@fedoraproject.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.