From: Guenter Roeck <linux@roeck-us.net>
To: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
x86@kernel.org, ardb@kernel.org, tglx@linutronix.de,
gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
Peter Zijlstra <peterz@infradead.org>,
Borislav Petkov <bp@suse.de>,
Josh Poimboeuf <jpoimboe@kernel.org>,
stable@vger.kernel.org
Subject: Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper
Date: Fri, 15 Jul 2022 15:51:23 -0700 [thread overview]
Message-ID: <20220715225123.GA2177570@roeck-us.net> (raw)
In-Reply-To: <20220715194550.793957-1-cascardo@canonical.com>
On Fri, Jul 15, 2022 at 04:45:50PM -0300, Thadeu Lima de Souza Cascardo wrote:
> When running with return thunks enabled under 32-bit EFI, the system
> crashes with:
>
> [ 0.137688] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [ 0.138136] BUG: unable to handle page fault for address: 000000005bc02900
> [ 0.138136] #PF: supervisor instruction fetch in kernel mode
> [ 0.138136] #PF: error_code(0x0011) - permissions violation
> [ 0.138136] PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063
> [ 0.138136] Oops: 0011 [#1] PREEMPT SMP PTI
> [ 0.138136] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166
> [ 0.138136] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> [ 0.138136] RIP: 0010:0x5bc02900
> [ 0.138136] Code: Unable to access opcode bytes at RIP 0x5bc028d6.
> [ 0.138136] RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046
> [ 0.138136] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048
> [ 0.138136] RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b
> [ 0.138136] RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28
> [ 0.138136] R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710
> [ 0.138136] R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001
> [ 0.138136] FS: 0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000
> [ 0.138136] CS: 0010 DS: 0018 ES: 0018 CR0: 0000000080050033
> [ 0.138136] CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0
> [ 0.138136] Call Trace:
> [ 0.138136] <TASK>
> [ 0.138136] ? efi_set_virtual_address_map+0x9c/0x175
> [ 0.138136] efi_enter_virtual_mode+0x4a6/0x53e
> [ 0.138136] start_kernel+0x67c/0x71e
> [ 0.138136] x86_64_start_reservations+0x24/0x2a
> [ 0.138136] x86_64_start_kernel+0xe9/0xf4
> [ 0.138136] secondary_startup_64_no_verify+0xe5/0xeb
> [ 0.138136] </TASK>
>
> That's because it cannot jump to the return thunk from the 32-bit code.
> Using a naked RET and marking it as safe allows the system to proceed
> booting.
>
> Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
> Reported-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> Cc: <stable@vger.kernel.org>
No more crashes with this patch applies on top of the mainline kernel
(sha e5d523f1ae8f).
Tested-by: Guenter Roeck <linux@roeck-us.net>
Guenter
next prev parent reply other threads:[~2022-07-15 22:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-15 19:45 [PATCH] efi/x86: use naked RET on mixed mode call wrapper Thadeu Lima de Souza Cascardo
2022-07-15 22:51 ` Guenter Roeck [this message]
2022-07-18 11:41 ` Peter Zijlstra
2022-07-18 13:59 ` Thadeu Lima de Souza Cascardo
2022-07-18 16:10 ` Peter Zijlstra
2022-07-18 16:28 ` Borislav Petkov
2022-07-18 16:38 ` Peter Zijlstra
2022-07-18 17:19 ` Andrew Cooper
2022-07-18 18:34 ` Linus Torvalds
2022-07-18 18:46 ` Borislav Petkov
2022-07-19 15:22 ` Ard Biesheuvel
2022-07-19 17:37 ` Borislav Petkov
2022-07-19 19:45 ` [tip: x86/urgent] x86/amd: Use IBPB for firmware calls tip-bot2 for Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220715225123.GA2177570@roeck-us.net \
--to=linux@roeck-us.net \
--cc=ardb@kernel.org \
--cc=bp@suse.de \
--cc=cascardo@canonical.com \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox