From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Feng Wu <feng.wu@intel.com>
Cc: kevin.tian@intel.com, ian.campbell@citrix.com,
eddie.dong@intel.com, xen-devel@lists.xen.org, JBeulich@suse.com,
jun.nakajima@intel.com
Subject: Re: [PATCH v6 06/10] x86: Temporary disable SMAP to legally access user pages in kernel mode
Date: Wed, 7 May 2014 10:49:22 +0100 [thread overview]
Message-ID: <536A01A2.8080307@citrix.com> (raw)
In-Reply-To: <1399450782-14735-7-git-send-email-feng.wu@intel.com>
On 07/05/14 09:19, Feng Wu wrote:
> Use STAC/CLAC to temporarily disable SMAP to allow legal accesses to
> user pages in kernel mode
>
> STAC/CLAC is not needed for compat_create_bounce_frame, since in this
> chunk of code, it only accesses the pv guest's kernel stack, which is
> in ring 1 for 32-bit pv guests.
>
> Signed-off-by: Feng Wu <feng.wu@intel.com>
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> ---
> xen/arch/x86/traps.c | 12 ++++++++++++
> xen/arch/x86/usercopy.c | 6 ++++++
> xen/arch/x86/x86_64/entry.S | 2 ++
> xen/include/asm-x86/uaccess.h | 8 ++++++--
> xen/include/asm-x86/x86_64/system.h | 4 +++-
> 5 files changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index 45070bb..19c96d5 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -3811,6 +3811,18 @@ unsigned long do_get_debugreg(int reg)
>
> void asm_domain_crash_synchronous(unsigned long addr)
> {
> + /*
> + * We need clear AC bit here because in entry.S AC is set
> + * by ASM_STAC to temporarily allow accesses to user pages
> + * which is prevented by SMAP by default.
> + *
> + * For some code paths, where this function is called, clac()
> + * is not needed, but adding clac() here instead of each place
> + * asm_domain_crash_synchronous() is called can reduce the code
> + * redundancy, and it is harmless as well.
> + */
> + clac();
> +
> if ( addr == 0 )
> addr = this_cpu(last_extable_addr);
>
> diff --git a/xen/arch/x86/usercopy.c b/xen/arch/x86/usercopy.c
> index b79202b..4cc78f5 100644
> --- a/xen/arch/x86/usercopy.c
> +++ b/xen/arch/x86/usercopy.c
> @@ -14,6 +14,7 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from, unsigned n)
> {
> unsigned long __d0, __d1, __d2, __n = n;
>
> + stac();
> asm volatile (
> " cmp $"STR(2*BYTES_PER_LONG-1)",%0\n"
> " jbe 1f\n"
> @@ -42,6 +43,7 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from, unsigned n)
> : "=&c" (__n), "=&D" (__d0), "=&S" (__d1), "=&r" (__d2)
> : "0" (__n), "1" (to), "2" (from), "3" (__n)
> : "memory" );
> + clac();
>
> return __n;
> }
> @@ -51,6 +53,7 @@ __copy_from_user_ll(void *to, const void __user *from, unsigned n)
> {
> unsigned long __d0, __d1, __d2, __n = n;
>
> + stac();
> asm volatile (
> " cmp $"STR(2*BYTES_PER_LONG-1)",%0\n"
> " jbe 1f\n"
> @@ -85,6 +88,7 @@ __copy_from_user_ll(void *to, const void __user *from, unsigned n)
> : "=&c" (__n), "=&D" (__d0), "=&S" (__d1), "=&r" (__d2)
> : "0" (__n), "1" (to), "2" (from), "3" (__n)
> : "memory" );
> + clac();
>
> return __n;
> }
> @@ -113,6 +117,7 @@ copy_to_user(void __user *to, const void *from, unsigned n)
> #define __do_clear_user(addr,size) \
> do { \
> long __d0; \
> + stac(); \
> __asm__ __volatile__( \
> "0: rep; stosl\n" \
> " movl %2,%0\n" \
> @@ -126,6 +131,7 @@ do { \
> _ASM_EXTABLE(1b,2b) \
> : "=&c"(size), "=&D" (__d0) \
> : "r"(size & 3), "0"(size / 4), "1"((long)addr), "a"(0)); \
> + clac(); \
> } while (0)
>
> /**
> diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
> index 205251d..dce6eb5 100644
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -379,6 +379,7 @@ __UNLIKELY_END(create_bounce_frame_bad_sp)
> movb TRAPBOUNCE_flags(%rdx),%cl
> subq $40,%rsi
> movq UREGS_ss+8(%rsp),%rax
> + ASM_STAC
> .Lft2: movq %rax,32(%rsi) # SS
> movq UREGS_rsp+8(%rsp),%rax
> .Lft3: movq %rax,24(%rsi) # RSP
> @@ -423,6 +424,7 @@ UNLIKELY_END(bounce_failsafe)
> .Lft12: movq %rax,8(%rsi) # R11
> movq UREGS_rcx+8(%rsp),%rax
> .Lft13: movq %rax,(%rsi) # RCX
> + ASM_CLAC
> /* Rewrite our stack frame and return to guest-OS mode. */
> /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
> /* Also clear AC: alignment checks shouldn't trigger in kernel mode. */
> diff --git a/xen/include/asm-x86/uaccess.h b/xen/include/asm-x86/uaccess.h
> index 88b4ba2..92bc322 100644
> --- a/xen/include/asm-x86/uaccess.h
> +++ b/xen/include/asm-x86/uaccess.h
> @@ -146,6 +146,7 @@ struct __large_struct { unsigned long buf[100]; };
> * aliasing issues.
> */
> #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
> + stac(); \
> __asm__ __volatile__( \
> "1: mov"itype" %"rtype"1,%2\n" \
> "2:\n" \
> @@ -155,9 +156,11 @@ struct __large_struct { unsigned long buf[100]; };
> ".previous\n" \
> _ASM_EXTABLE(1b, 3b) \
> : "=r"(err) \
> - : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
> + : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err)); \
> + clac();
Drop the trailing semicolon here. The final statement of these macro
shouldn't have one.
>
> #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
> + stac(); \
> __asm__ __volatile__( \
> "1: mov"itype" %2,%"rtype"1\n" \
> "2:\n" \
> @@ -168,7 +171,8 @@ struct __large_struct { unsigned long buf[100]; };
> ".previous\n" \
> _ASM_EXTABLE(1b, 3b) \
> : "=r"(err), ltype (x) \
> - : "m"(__m(addr)), "i"(errret), "0"(err))
> + : "m"(__m(addr)), "i"(errret), "0"(err)); \
> + clac();
And here...
>
> /**
> * __copy_to_user: - Copy a block of data into user space, with less checking
> diff --git a/xen/include/asm-x86/x86_64/system.h b/xen/include/asm-x86/x86_64/system.h
> index 20f038b..b6341ad1 100644
> --- a/xen/include/asm-x86/x86_64/system.h
> +++ b/xen/include/asm-x86/x86_64/system.h
> @@ -12,6 +12,7 @@
> * is the same as the initial value of _o then _n is written to location _p.
> */
> #define __cmpxchg_user(_p,_o,_n,_isuff,_oppre,_regtype) \
> + stac(); \
> asm volatile ( \
> "1: lock; cmpxchg"_isuff" %"_oppre"2,%3\n" \
> "2:\n" \
> @@ -22,7 +23,8 @@
> _ASM_EXTABLE(1b, 3b) \
> : "=a" (_o), "=r" (_rc) \
> : _regtype (_n), "m" (*__xg((volatile void *)_p)), "0" (_o), "1" (0) \
> - : "memory");
> + : "memory"); \
> + clac();
And here.
~Andrew
>
> #define cmpxchg_user(_p,_o,_n) \
> ({ \
next prev parent reply other threads:[~2014-05-07 9:49 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-07 8:19 [PATCH v6 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP) Feng Wu
2014-05-07 8:19 ` [PATCH v6 01/10] x86: define macros CPUINFO_features and CPUINFO_FEATURE_OFFSET Feng Wu
2014-05-07 8:19 ` [PATCH v6 02/10] x86: move common_interrupt to entry.S Feng Wu
2014-05-07 8:19 ` [PATCH v6 03/10] x86: merge stuff from asm-x86/x86_64/asm_defns.h to asm-x86/asm_defns.h Feng Wu
2014-05-07 8:19 ` [PATCH v6 04/10] x86: Add support for STAC/CLAC instructions Feng Wu
2014-05-07 9:36 ` Andrew Cooper
2014-05-07 8:19 ` [PATCH v6 05/10] Clear AC bit in RFLAGS to protect Xen itself by SMAP Feng Wu
2014-05-07 9:44 ` Andrew Cooper
2014-05-07 11:40 ` Jan Beulich
2014-05-07 11:53 ` Andrew Cooper
2014-05-08 1:41 ` Wu, Feng
2014-05-08 1:57 ` Andrew Cooper
2014-05-08 2:02 ` Wu, Feng
2014-05-08 6:40 ` Jan Beulich
2014-05-08 6:49 ` Wu, Feng
2014-05-08 6:54 ` Jan Beulich
2014-05-08 6:58 ` Wu, Feng
2014-05-08 7:08 ` Jan Beulich
2014-05-08 7:13 ` Wu, Feng
2014-05-08 9:48 ` Andrew Cooper
2014-05-07 8:19 ` [PATCH v6 06/10] x86: Temporary disable SMAP to legally access user pages in kernel mode Feng Wu
2014-05-07 9:49 ` Andrew Cooper [this message]
2014-05-08 1:14 ` Tian, Kevin
2014-05-07 8:19 ` [PATCH v6 07/10] VMX: Disable SMAP feature when guest is in non-paging mode Feng Wu
2014-05-08 1:16 ` Tian, Kevin
2014-05-07 8:19 ` [PATCH v6 08/10] x86: Enable Supervisor Mode Access Prevention (SMAP) for Xen Feng Wu
2014-05-07 10:26 ` Andrew Cooper
2014-05-07 11:44 ` Jan Beulich
2014-05-07 11:47 ` Andrew Cooper
2014-05-08 2:32 ` Wu, Feng
2014-05-08 1:20 ` Tian, Kevin
2014-05-08 6:25 ` Wu, Feng
2014-05-08 7:06 ` Jan Beulich
2014-05-07 8:19 ` [PATCH v6 09/10] x86/hvm: Add SMAP support to HVM guest Feng Wu
2014-05-07 10:46 ` Andrew Cooper
2014-05-07 11:47 ` Jan Beulich
2014-05-08 1:22 ` Tian, Kevin
2014-05-07 8:19 ` [PATCH v6 10/10] x86/tools: Expose SMAP to HVM guests Feng Wu
2014-05-07 8:35 ` [PATCH v6 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP) Jan Beulich
2014-05-07 9:00 ` Wu, Feng
2014-05-07 9:33 ` Jan Beulich
2014-05-07 8:57 ` Ian Campbell
2014-05-07 8:59 ` Wu, Feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=536A01A2.8080307@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=eddie.dong@intel.com \
--cc=feng.wu@intel.com \
--cc=ian.campbell@citrix.com \
--cc=jun.nakajima@intel.com \
--cc=kevin.tian@intel.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.