From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [kernel-hardening] Re: [RFC PATCH 10/10] arm64: kernel: add support for virtually mapped stacks
Date: Thu, 13 Jul 2017 10:12:59 +0100 [thread overview]
Message-ID: <20170713091259.GA26194@leverpostej> (raw)
In-Reply-To: <20170712225937.GA25816@leverpostej>
On Wed, Jul 12, 2017 at 11:59:38PM +0100, Mark Rutland wrote:
> On Wed, Jul 12, 2017 at 03:44:23PM +0100, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> > index 2ba3185b1c78..4c3e82d6e2f2 100644
> > --- a/arch/arm64/kernel/entry.S
> > +++ b/arch/arm64/kernel/entry.S
> > @@ -392,6 +392,20 @@ ENDPROC(el1_error_invalid)
> > */
> > .align 6
> > el1_sync:
> > +#ifdef CONFIG_VMAP_STACK
> > + /*
> > + * When taking an exception from EL1, we need to check whether it is
> > + * caused by a faulting out-of-bounds access to the virtually mapped
> > + * stack before we can attempt to preserve the interrupted context.
> > + */
> > + msr tpidrro_el0, x0 // stash x0
> > + mrs x0, far_el1 // get faulting address
> > + tbnz x0, #63, .Lcheck_stack_ovf // check if not user address
>
> One thing I don't like about this is that we're reading FAR_EL1 even
> though we don't know whether it's valid. It could contain junk, and we
> could spuriously jump into the slow path. That's liable to make
> performance erratic.
Once I sent this, I realised what I said wasn't quite right.
It's true that FAR_EL1 is UNKNOWN in some cases, but today those are all
fatal (e.g. if we take an UNDEFINED exception due to a bad instruction
at EL1).
So my performance concern was spurious; sorry for the noise.
However, so as to not mis-report those fatal cases, we either need to
inspect the SP or ESR_EL1 to determine that FAR_EL1 is valid and/or this
was a stack-overflow
If we follow the approach of this series, we can move those checks into
the check_stack_ovf slow path.
Thanks,
Mark.
next prev parent reply other threads:[~2017-07-13 9:12 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-12 14:44 [RFC PATCH 00/10] arm64: allow virtually mapped stacks to be enabled Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 01/10] arm64/lib: copy_page: use consistent prefetch stride Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 02/10] arm64/lib: copy_page: avoid x18 register in assembler code Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 03/10] arm64: crypto: avoid register x18 in scalar AES code Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 04/10] arm64: kvm: stop treating register x18 as caller save Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 05/10] arm64: kernel: avoid x18 as an arbitrary temp register Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 06/10] arm64: kbuild: reserve reg x18 from general allocation by the compiler Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 07/10] arm64: kernel: switch to register x18 as a task struct pointer Ard Biesheuvel
2017-07-13 10:41 ` Dave Martin
2017-07-13 12:27 ` Ard Biesheuvel
2017-07-13 14:11 ` Dave Martin
2017-07-12 14:44 ` [RFC PATCH 08/10] arm64/kernel: dump entire stack if sp points elsewhere Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 09/10] arm64: mm: add C level handling for stack overflows Ard Biesheuvel
2017-07-12 14:44 ` [RFC PATCH 10/10] arm64: kernel: add support for virtually mapped stacks Ard Biesheuvel
2017-07-12 22:59 ` Mark Rutland
2017-07-13 9:12 ` Mark Rutland [this message]
2017-07-13 10:35 ` Dave Martin
2017-07-12 20:12 ` [RFC PATCH 00/10] arm64: allow virtually mapped stacks to be enabled Laura Abbott
2017-07-12 20:49 ` Ard Biesheuvel
2017-07-12 21:32 ` Andy Lutomirski
2017-07-12 22:47 ` Mark Rutland
2017-07-13 6:51 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170713091259.GA26194@leverpostej \
--to=mark.rutland@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).