[PATCH] x86-64: don't leak kernel register values to 32-bit processes

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] x86-64: don't leak kernel register values to 32-bit processes
@ 2009-09-30 10:22 Jan Beulich
  2009-10-01  9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
  2009-10-07  9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
  0 siblings, 2 replies; 6+ messages in thread
From: Jan Beulich @ 2009-09-30 10:22 UTC (permalink / raw)
  To: mingo, tglx, hpa; +Cc: linux-kernel

While 32-bit processes can't directly access R8...R15, they can gain
access to these registers by temporarily switching themselves into
64-bit mode. Therefore, registers not preserved anyway by called C
functions (i.e. R8...R11) must be cleared prior to returning to user
mode.

Signed-off-by: Jan Beulich <jbeulich@novell.com>

---
 arch/x86/ia32/ia32entry.S |   36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

--- linux-2.6.32-rc1/arch/x86/ia32/ia32entry.S	2009-09-30 11:48:25.000000000 +0200
+++ 2.6.32-rc1-x86_64-ia32-syscall-reg-leak/arch/x86/ia32/ia32entry.S	2009-09-28 16:16:44.000000000 +0200
@@ -21,8 +21,8 @@
 #define __AUDIT_ARCH_LE	   0x40000000
 
 #ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
 #endif
 
 #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@@ -39,12 +39,12 @@
 	.endm 
 
 	/* clobbers %eax */	
-	.macro  CLEAR_RREGS _r9=rax
+	.macro  CLEAR_RREGS offset=0, _r9=rax
 	xorl 	%eax,%eax
-	movq	%rax,R11(%rsp)
-	movq	%rax,R10(%rsp)
-	movq	%\_r9,R9(%rsp)
-	movq	%rax,R8(%rsp)
+	movq	%rax,\offset+R11(%rsp)
+	movq	%rax,\offset+R10(%rsp)
+	movq	%\_r9,\offset+R9(%rsp)
+	movq	%rax,\offset+R8(%rsp)
 	.endm
 
 	/*
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
 	movl	RIP-R11(%rsp),%edx		/* User %eip */
 	CFI_REGISTER rip,rdx
 	RESTORE_ARGS 1,24,1,1,1,1
+	xorq	%r8,%r8
+	xorq	%r9,%r9
+	xorq	%r10,%r10
+	xorq	%r11,%r11
 	popfq
 	CFI_ADJUST_CFA_OFFSET -8
 	/*CFI_RESTORE rflags*/
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
 
 	.macro auditsys_exit exit,ebpsave=RBP
 	testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
-	jnz int_ret_from_sys_call
+	jnz ia32_ret_from_sys_call
 	TRACE_IRQS_ON
 	sti
 	movl %eax,%esi		/* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
 	cli
 	TRACE_IRQS_OFF
 	testl %edi,TI_flags(%r10)
-	jnz int_with_check
-	jmp \exit
+	jz \exit
+	CLEAR_RREGS -ARGOFFSET
+	jmp int_with_check
 	.endm
 
 sysenter_auditsys:
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
 	CFI_REGISTER rip,rcx
 	movl EFLAGS-ARGOFFSET(%rsp),%r11d	
 	/*CFI_REGISTER rflags,r11*/
+	xorq	%r10,%r10
+	xorq	%r9,%r9
+	xorq	%r8,%r8
 	TRACE_IRQS_ON
 	movl RSP-ARGOFFSET(%rsp),%esp
 	CFI_RESTORE rsp
@@ -353,7 +361,7 @@ cstar_tracesys:
 #endif
 	xchgl %r9d,%ebp
 	SAVE_REST
-	CLEAR_RREGS r9
+	CLEAR_RREGS 0, r9
 	movq $-ENOSYS,RAX(%rsp)	/* ptrace can change this for a bad syscall */
 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
 	call syscall_trace_enter
@@ -425,6 +433,8 @@ ia32_do_call:
 	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
 ia32_sysret:
 	movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+	CLEAR_RREGS -ARGOFFSET
 	jmp int_ret_from_sys_call 
 
 ia32_tracesys:			 
@@ -442,8 +452,8 @@ END(ia32_syscall)
 
 ia32_badsys:
 	movq $0,ORIG_RAX-ARGOFFSET(%rsp)
-	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
-	jmp int_ret_from_sys_call
+	movq $-ENOSYS,%rax
+	jmp ia32_sysret
 
 quiet_ni_syscall:
 	movq $-ENOSYS,%rax




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [tip:x86/urgent] x86: Don't leak 64-bit kernel register values to 32-bit processes
  2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
@ 2009-10-01  9:59 ` tip-bot for Jan Beulich
  2009-10-07  9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
  1 sibling, 0 replies; 6+ messages in thread
From: tip-bot for Jan Beulich @ 2009-10-01  9:59 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: linux-kernel, hpa, mingo, jbeulich, stable, JBeulich, tglx, mingo

Commit-ID:  24e35800cdc4350fc34e2bed37b608a9e13ab3b6
Gitweb:     http://git.kernel.org/tip/24e35800cdc4350fc34e2bed37b608a9e13ab3b6
Author:     Jan Beulich <JBeulich@novell.com>
AuthorDate: Wed, 30 Sep 2009 11:22:11 +0100
Committer:  Ingo Molnar <mingo@elte.hu>
CommitDate: Thu, 1 Oct 2009 11:24:26 +0200

x86: Don't leak 64-bit kernel register values to 32-bit processes

While 32-bit processes can't directly access R8...R15, they can
gain access to these registers by temporarily switching themselves
into 64-bit mode.

Therefore, registers not preserved anyway by called C functions
(i.e. R8...R11) must be cleared prior to returning to user mode.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>


---
 arch/x86/ia32/ia32entry.S |   36 +++++++++++++++++++++++-------------
 1 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 74619c4..1733f9f 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -21,8 +21,8 @@
 #define __AUDIT_ARCH_LE	   0x40000000
 
 #ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
 #endif
 
 #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@@ -39,12 +39,12 @@
 	.endm 
 
 	/* clobbers %eax */	
-	.macro  CLEAR_RREGS _r9=rax
+	.macro  CLEAR_RREGS offset=0, _r9=rax
 	xorl 	%eax,%eax
-	movq	%rax,R11(%rsp)
-	movq	%rax,R10(%rsp)
-	movq	%\_r9,R9(%rsp)
-	movq	%rax,R8(%rsp)
+	movq	%rax,\offset+R11(%rsp)
+	movq	%rax,\offset+R10(%rsp)
+	movq	%\_r9,\offset+R9(%rsp)
+	movq	%rax,\offset+R8(%rsp)
 	.endm
 
 	/*
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
 	movl	RIP-R11(%rsp),%edx		/* User %eip */
 	CFI_REGISTER rip,rdx
 	RESTORE_ARGS 1,24,1,1,1,1
+	xorq	%r8,%r8
+	xorq	%r9,%r9
+	xorq	%r10,%r10
+	xorq	%r11,%r11
 	popfq
 	CFI_ADJUST_CFA_OFFSET -8
 	/*CFI_RESTORE rflags*/
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
 
 	.macro auditsys_exit exit,ebpsave=RBP
 	testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
-	jnz int_ret_from_sys_call
+	jnz ia32_ret_from_sys_call
 	TRACE_IRQS_ON
 	sti
 	movl %eax,%esi		/* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
 	cli
 	TRACE_IRQS_OFF
 	testl %edi,TI_flags(%r10)
-	jnz int_with_check
-	jmp \exit
+	jz \exit
+	CLEAR_RREGS -ARGOFFSET
+	jmp int_with_check
 	.endm
 
 sysenter_auditsys:
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
 	CFI_REGISTER rip,rcx
 	movl EFLAGS-ARGOFFSET(%rsp),%r11d	
 	/*CFI_REGISTER rflags,r11*/
+	xorq	%r10,%r10
+	xorq	%r9,%r9
+	xorq	%r8,%r8
 	TRACE_IRQS_ON
 	movl RSP-ARGOFFSET(%rsp),%esp
 	CFI_RESTORE rsp
@@ -353,7 +361,7 @@ cstar_tracesys:
 #endif
 	xchgl %r9d,%ebp
 	SAVE_REST
-	CLEAR_RREGS r9
+	CLEAR_RREGS 0, r9
 	movq $-ENOSYS,RAX(%rsp)	/* ptrace can change this for a bad syscall */
 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
 	call syscall_trace_enter
@@ -425,6 +433,8 @@ ia32_do_call:
 	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
 ia32_sysret:
 	movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+	CLEAR_RREGS -ARGOFFSET
 	jmp int_ret_from_sys_call 
 
 ia32_tracesys:			 
@@ -442,8 +452,8 @@ END(ia32_syscall)
 
 ia32_badsys:
 	movq $0,ORIG_RAX-ARGOFFSET(%rsp)
-	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
-	jmp int_ret_from_sys_call
+	movq $-ENOSYS,%rax
+	jmp ia32_sysret
 
 quiet_ni_syscall:
 	movq $-ENOSYS,%rax

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
  2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
  2009-10-01  9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
@ 2009-10-07  9:44 ` Pavel Machek
  2009-10-08 11:41   ` Jan Beulich
  2009-10-08 18:58   ` H. Peter Anvin
  1 sibling, 2 replies; 6+ messages in thread
From: Pavel Machek @ 2009-10-07  9:44 UTC (permalink / raw)
  To: Jan Beulich; +Cc: mingo, tglx, hpa, linux-kernel

Hi!

> While 32-bit processes can't directly access R8...R15, they can gain
> access to these registers by temporarily switching themselves into
> 64-bit mode. Therefore, registers not preserved anyway by called C
> functions (i.e. R8...R11) must be cleared prior to returning to user
> mode.

How can userspace "temporarily switch itself" to 64bit mode?

Such ability would lead to very interesting behaviour on 32-bit
kernel, I'd say...

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
  2009-10-07  9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
@ 2009-10-08 11:41   ` Jan Beulich
  2009-10-10 13:27     ` Pavel Machek
  2009-10-08 18:58   ` H. Peter Anvin
  1 sibling, 1 reply; 6+ messages in thread
From: Jan Beulich @ 2009-10-08 11:41 UTC (permalink / raw)
  To: Pavel Machek; +Cc: mingo, tglx, linux-kernel, hpa

>>> Pavel Machek <pavel@ucw.cz> 07.10.09 11:44 >>>
>How can userspace "temporarily switch itself" to 64bit mode?

By just determining (or guessing) the 64-bit user mode CS value, and far-
jumping/calling to an address with this CS as the selector.

>Such ability would lead to very interesting behaviour on 32-bit
>kernel, I'd say...

That won't work - you have to have a 64-bit kernel: EFER.LME and the L
bit of some user mode code segment descriptor must be set (or settable).

Consequently a 64-bit kernel could, if it wanted to, make it impossible for
user mode code to do such switching (and an example of this, where
security requires it, is 64-bit Xen disallowing 32-bit para-virtual guests
[kernel or user mode] to switch themselves into 64-bit mode).

Jan

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
  2009-10-08 11:41   ` Jan Beulich
@ 2009-10-10 13:27     ` Pavel Machek
  0 siblings, 0 replies; 6+ messages in thread
From: Pavel Machek @ 2009-10-10 13:27 UTC (permalink / raw)
  To: Jan Beulich; +Cc: mingo, tglx, linux-kernel, hpa

On Thu 2009-10-08 12:41:27, Jan Beulich wrote:
> >>> Pavel Machek <pavel@ucw.cz> 07.10.09 11:44 >>>
> >How can userspace "temporarily switch itself" to 64bit mode?
> 
> By just determining (or guessing) the 64-bit user mode CS value, and far-
> jumping/calling to an address with this CS as the selector.
> 
> >Such ability would lead to very interesting behaviour on 32-bit
> >kernel, I'd say...
> 
> That won't work - you have to have a 64-bit kernel: EFER.LME and the L
> bit of some user mode code segment descriptor must be set (or settable).
> 
> Consequently a 64-bit kernel could, if it wanted to, make it impossible for
> user mode code to do such switching (and an example of this, where
> security requires it, is 64-bit Xen disallowing 32-bit para-virtual guests
> [kernel or user mode] to switch themselves into 64-bit mode).

I guess we should do just that -- 32-bit application temporary going
64-bit is asking for trouble. How will attached gdb behave? What if I
try the same code on 32-bit machine?

It seems only useful for malware... 
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
  2009-10-07  9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
  2009-10-08 11:41   ` Jan Beulich
@ 2009-10-08 18:58   ` H. Peter Anvin
  1 sibling, 0 replies; 6+ messages in thread
From: H. Peter Anvin @ 2009-10-08 18:58 UTC (permalink / raw)
  To: Pavel Machek; +Cc: Jan Beulich, mingo, tglx, linux-kernel

On 10/07/2009 02:44 AM, Pavel Machek wrote:
> Hi!
> 
>> While 32-bit processes can't directly access R8...R15, they can gain
>> access to these registers by temporarily switching themselves into
>> 64-bit mode. Therefore, registers not preserved anyway by called C
>> functions (i.e. R8...R11) must be cleared prior to returning to user
>> mode.
> 
> How can userspace "temporarily switch itself" to 64bit mode?
> 
> Such ability would lead to very interesting behaviour on 32-bit
> kernel, I'd say...

You can only do so with a 64-bit kernel, but on a 64-bit kernel you can
do it by executing a far jump to segment USER_CS (0x33).

	-hpa


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2009-10-10 13:27 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
2009-10-01  9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
2009-10-07  9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
2009-10-08 11:41   ` Jan Beulich
2009-10-10 13:27     ` Pavel Machek
2009-10-08 18:58   ` H. Peter Anvin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.