[PATCH] x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path

[PATCH] x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path

[Denys Vlasenko]

I broke this recently when I changed pt_regs->r8..r11 clearing logic
in INT 80 code path.

There is a branch from SYSENTER/SYSCALL code to INT 80 code:
if we fail to retrieve arg6, we return EFAULT. Before this patch,
in this case we don't clear pt_regs->r8..r11.

This patch fixes this. The resulting code is smaller and simpler.

While at it, remove incorrect comment about syscall dispatching CALL insn:
it does not use RIP-relative addressing form (the comment was meant to be
"TODO: make this rip-relative", and morphed since then, dropping "TODO").

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Linus Torvalds <torvalds@linux-foundation.org>
CC: Steven Rostedt <rostedt@goodmis.org>
CC: Ingo Molnar <mingo@kernel.org>
CC: Borislav Petkov <bp@alien8.de>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Oleg Nesterov <oleg@redhat.com>
CC: Frederic Weisbecker <fweisbec@gmail.com>
CC: Alexei Starovoitov <ast@plumgrid.com>
CC: Will Drewry <wad@chromium.org>
CC: Kees Cook <keescook@chromium.org>
CC: x86@kernel.org
CC: linux-kernel@vger.kernel.org
---
 arch/x86/entry/entry_64_compat.S | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 9558dac..b80f8d4 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -413,9 +413,7 @@ END(ia32_cstar_target)
 
 ia32_badarg:
 	ASM_CLAC
-	movq	$-EFAULT, %rax
-	jmp	ia32_sysret
-
+	movq	$-EFAULT, RAX(%rsp)
 ia32_ret_from_sys_call:
 	xorl	%eax, %eax		/* Do not leak kernel information */
 	movq	%rax, R11(%rsp)
@@ -486,9 +484,7 @@ ia32_do_call:
 	cmpq	$(IA32_NR_syscalls-1), %rax
 	ja	1f
 
-	call	*ia32_sys_call_table(, %rax, 8) /* RIP relative */
-
-ia32_sysret:
+	call	*ia32_sys_call_table(, %rax, 8)
 	movq	%rax, RAX(%rsp)
 1:
 	jmp	int_ret_from_sys_call
-- 
1.8.1.4

Re: [PATCH] x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path

[Ingo Molnar]

* Denys Vlasenko <dvlasenk@redhat.com> wrote:

> I broke this recently when I changed pt_regs->r8..r11 clearing logic
> in INT 80 code path.
> 
> There is a branch from SYSENTER/SYSCALL code to INT 80 code:
> if we fail to retrieve arg6, we return EFAULT. Before this patch,
> in this case we don't clear pt_regs->r8..r11.
> 
> This patch fixes this. The resulting code is smaller and simpler.

So how did you notice this bug - through actual info leak testing, or review?

Thanks,

	Ingo

Re: [PATCH] x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path

[Denys Vlasenko]

On 06/08/2015 08:50 AM, Ingo Molnar wrote:
> * Denys Vlasenko <dvlasenk@redhat.com> wrote:
> 
>> I broke this recently when I changed pt_regs->r8..r11 clearing logic
>> in INT 80 code path.
>>
>> There is a branch from SYSENTER/SYSCALL code to INT 80 code:
>> if we fail to retrieve arg6, we return EFAULT. Before this patch,
>> in this case we don't clear pt_regs->r8..r11.
>>
>> This patch fixes this. The resulting code is smaller and simpler.
> 
> So how did you notice this bug - through actual info leak testing, or review?

By reviewing my own patch.

[tip:x86/asm] x86/asm/entry/32: Reinstate clearing of pt_regs-> r8..r11 on EFAULT path

[tip-bot for Denys Vlasenko]

Commit-ID:  eb47854415825a69b1c578e7487da571227ba25a
Gitweb:     http://git.kernel.org/tip/eb47854415825a69b1c578e7487da571227ba25a
Author:     Denys Vlasenko <dvlasenk@redhat.com>
AuthorDate: Sun, 7 Jun 2015 20:24:30 +0200
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Mon, 8 Jun 2015 23:43:37 +0200

x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path

I broke this recently when I changed pt_regs->r8..r11 clearing
logic in INT 80 code path.

There is a branch from SYSENTER/SYSCALL code to INT 80 code:
if we fail to retrieve arg6, we return EFAULT. Before this
patch, in this case we don't clear pt_regs->r8..r11.

This patch fixes this. The resulting code is smaller and
simpler.

While at it, remove incorrect comment about syscall dispatching
CALL insn: it does not use RIP-relative addressing form (the
comment was meant to be "TODO: make this rip-relative", and
morphed since then, dropping "TODO").

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Drewry <wad@chromium.org>
Link: http://lkml.kernel.org/r/1433701470-28800-1-git-send-email-dvlasenk@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/entry/entry_64_compat.S | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 59840e3..5757dde 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -413,9 +413,7 @@ END(entry_SYSCALL_compat)
 
 ia32_badarg:
 	ASM_CLAC
-	movq	$-EFAULT, %rax
-	jmp	ia32_sysret
-
+	movq	$-EFAULT, RAX(%rsp)
 ia32_ret_from_sys_call:
 	xorl	%eax, %eax		/* Do not leak kernel information */
 	movq	%rax, R11(%rsp)
@@ -486,9 +484,7 @@ ia32_do_call:
 	cmpq	$(IA32_NR_syscalls-1), %rax
 	ja	1f
 
-	call	*ia32_sys_call_table(, %rax, 8) /* RIP relative */
-
-ia32_sysret:
+	call	*ia32_sys_call_table(, %rax, 8)
 	movq	%rax, RAX(%rsp)
 1:
 	jmp	int_ret_from_sys_call