Re: [PATCH v4 RESEND] x86/asm/entry/32, selftests: Add 'test_syscall_vdso' test

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Denys Vlasenko <dvlasenk@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Ingo Molnar <mingo@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Frederic Weisbecker <fweisbec@gmail.com>,
	Alexei Starovoitov <ast@plumgrid.com>,
	Will Drewry <wad@chromium.org>, Kees Cook <keescook@chromium.org>,
	X86 ML <x86@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v4 RESEND] x86/asm/entry/32, selftests: Add 'test_syscall_vdso' test
Date: Thu, 10 Sep 2015 21:04:39 +0200	[thread overview]
Message-ID: <55F1D447.6030703@redhat.com> (raw)
In-Reply-To: <CALCETrVf9PpW_Y9=dYeP2607gk7FfT7jfjG_SAgqLRgARq=DWw@mail.gmail.com>

On 09/10/2015 12:01 AM, Andy Lutomirski wrote:
> On Mon, Sep 7, 2015 at 8:56 AM, Denys Vlasenko <dvlasenk@redhat.com> wrote:
>> This new test checks that all x86 registers are preserved across
>> 32-bit syscalls. It tests syscalls through VDSO (if available)
>> and through INT 0x80, normally and under ptrace.
>>
>> If kernel is a 64-bit one, high registers (r8..r15) are poisoned
>> before the syscall is called and are checked afterwards.
>>
>> They must be either preserved, or cleared to zero (but r11 is special);
>> r12..15 must be preserved for INT 0x80.
>>
>> EFLAGS is checked for changes too, but change there is not
>> considered to be a bug (paravirt kernels do not preserve
>> arithmetic flags).
>>
>> Run-tested on 64-bit kernel:
>>
>> $ ./test_syscall_vdso_32
>> [RUN]   Executing 6-argument 32-bit syscall via VDSO
>> [OK]    Arguments are preserved across syscall
>> [NOTE]  R11 has changed:0000000000200ed7 - assuming clobbered by SYSRET insn
>> [OK]    R8..R15 did not leak kernel data
>> [RUN]   Executing 6-argument 32-bit syscall via INT 80
>> [OK]    Arguments are preserved across syscall
>> [OK]    R8..R15 did not leak kernel data
>> [RUN]   Running tests under ptrace
>> [RUN]   Executing 6-argument 32-bit syscall via VDSO
>> [OK]    Arguments are preserved across syscall
>> [OK]    R8..R15 did not leak kernel data
>> [RUN]   Executing 6-argument 32-bit syscall via INT 80
>> [OK]    Arguments are preserved across syscall
>> [OK]    R8..R15 did not leak kernel data
>>
>> On 32-bit paravirt kernel:
>>
>> $ ./test_syscall_vdso_32
>> [NOTE]  Not a 64-bit kernel, won't test R8..R15 leaks
>> [RUN]   Executing 6-argument 32-bit syscall via VDSO
>> [WARN]  Flags before=0000000000200ed7 id 0 00 o d i s z 0 a 0 p 1 c
>> [WARN]  Flags  after=0000000000200246 id 0 00 i z 0 0 p 1
>> [WARN]  Flags change=0000000000000c91 0 00 o d s 0 a 0 0 c
>> [OK]    Arguments are preserved across syscall
>> [RUN]   Executing 6-argument 32-bit syscall via INT 80
>> [OK]    Arguments are preserved across syscall
>> [RUN]   Running tests under ptrace
>> [RUN]   Executing 6-argument 32-bit syscall via VDSO
>> [OK]    Arguments are preserved across syscall
>> [RUN]   Executing 6-argument 32-bit syscall via INT 80
>> [OK]    Arguments are preserved across syscall
>>
>> Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
>> CC: Linus Torvalds <torvalds@linux-foundation.org>
>> CC: Steven Rostedt <rostedt@goodmis.org>
>> CC: Ingo Molnar <mingo@kernel.org>
>> CC: Borislav Petkov <bp@alien8.de>
>> CC: "H. Peter Anvin" <hpa@zytor.com>
>> CC: Andy Lutomirski <luto@amacapital.net>
>> CC: Oleg Nesterov <oleg@redhat.com>
>> CC: Frederic Weisbecker <fweisbec@gmail.com>
>> CC: Alexei Starovoitov <ast@plumgrid.com>
>> CC: Will Drewry <wad@chromium.org>
>> CC: Kees Cook <keescook@chromium.org>
>> CC: x86@kernel.org
>> CC: linux-kernel@vger.kernel.org
> 
> Acked-by: Andy Lutomirski <luto@kernel.org>
> 
> with minor caveats below, none of which are show-stoppers...
> 
>> +                       /* INT80 syscall entrypoint can be used by
>> +                        * 64-bit programs too, unlike SYSCALL/SYSENTER.
>> +                        * Therefore it must preserve R12+
>> +                        * (they are callee-saved registers in 64-bit C ABI).
>> +                        *
>> +                        * This was probably historically not intended,
>> +                        * but R8..11 are clobbered (cleared to 0).
>> +                        * IOW: they are the only registers which aren't
>> +                        * preserved across INT80 syscall.
>> +                        */
>> +                       if (*r64 == 0 && num <= 11)
>> +                               continue;
> 
> Ugh.  I'll change my big entry patchset to preserve these and maybe to
> preserve all of the 64-bit regs.

If you do that, this won't change the ABI: we don't _promise_
to save them. If we accidentally do, that means nothing.

If you do that, the test won't fail. The code above does
not require regs to be 0 - there is further code which
also allow them to be unchanged.

(I'm not very comfortable about additional six push/pops
which are necessary for this to happen. I'm surprised
maintainers tentatively agreed to that -
I was grilled and asked to prove with measurements
that *one* additional push+pop wasn't adding significant overhead).

next prev parent reply	other threads:[~2015-09-10 19:04 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-07 15:56 [PATCH v4 RESEND] x86/asm/entry/32, selftests: Add 'test_syscall_vdso' test Denys Vlasenko
2015-09-09 22:01 ` Andy Lutomirski
2015-09-10 19:04   ` Denys Vlasenko [this message]
2015-09-10 19:17     ` Andy Lutomirski
2015-09-14  8:26       ` Ingo Molnar
2015-09-14 17:54         ` Andy Lutomirski
2015-09-14  8:15     ` Ingo Molnar
2015-09-14 17:55       ` Andy Lutomirski
2015-09-15  5:59         ` Ingo Molnar
2015-09-15 18:14           ` Andy Lutomirski
2015-09-16  9:51             ` Ingo Molnar
2015-09-15  6:05 ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=55F1D447.6030703@redhat.com \
    --to=dvlasenk@redhat.com \
    --cc=ast@plumgrid.com \
    --cc=bp@alien8.de \
    --cc=fweisbec@gmail.com \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@kernel.org \
    --cc=oleg@redhat.com \
    --cc=rostedt@goodmis.org \
    --cc=torvalds@linux-foundation.org \
    --cc=wad@chromium.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.