From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753171AbbDBSKS (ORCPT ); Thu, 2 Apr 2015 14:10:18 -0400 Received: from mail-wi0-f171.google.com ([209.85.212.171]:37399 "EHLO mail-wi0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752431AbbDBSKQ (ORCPT ); Thu, 2 Apr 2015 14:10:16 -0400 Date: Thu, 2 Apr 2015 20:10:11 +0200 From: Ingo Molnar To: Denys Vlasenko Cc: Andy Lutomirski , Borislav Petkov , x86@kernel.org, linux-kernel@vger.kernel.org, Linus Torvalds Subject: Re: [PATCH] x86/asm/entry/64: better check for canonical address Message-ID: <20150402181011.GB8503@gmail.com> References: <1427373731-13056-1-git-send-email-dvlasenk@redhat.com> <551D7E43.7030904@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <551D7E43.7030904@redhat.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Denys Vlasenko wrote: > On 03/26/2015 01:42 PM, Denys Vlasenko wrote: > > This change makes the check exact (no more false positives > > on kernel addresses). > > > > It isn't really important to be fully correct here - > > almost all addresses we'll ever see will be userspace ones, > > but OTOH it looks to be cheap enough: > > the new code uses two more ALU ops but preserves %rcx, > > allowing to not reload it from pt_regs->cx again. > > On disassembly level, the changes are: > > > > cmp %rcx,0x80(%rsp) -> mov 0x80(%rsp),%r11; cmp %rcx,%r11 > > shr $0x2f,%rcx -> shl $0x10,%rcx; sar $0x10,%rcx; cmp %rcx,%r11 > > mov 0x58(%rsp),%rcx -> (eliminated) > > > > > .ifne __VIRTUAL_MASK_SHIFT - 47 > > .error "virtual address width changed -- sysret checks need update" > > .endif > > - shr $__VIRTUAL_MASK_SHIFT, %rcx > > - jnz opportunistic_sysret_failed > > + /* Change top 16 bits to be a sign-extension of the rest */ > > + shl $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx > > + sar $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx > > + /* If this changed %rcx, it was not canonical */ > > + cmpq %rcx, %r11 > > + jne opportunistic_sysret_failed > > > Another thing we can do here is to just canonicalize the address. > IOW: same code as above but without last two insns. > > The difference would be that if userspace gives us bogus, > noncanonical return address, we would return to a different address > instead of SIGSEGV. So in general it's better to be proactive with such things and generate an error as early as possible, making it easier to debug user-space bugs. > There is no security implications in doing this as far as I can see, > and no sane program uses noncanonical addresses. > Apart from not having any legitimate need to do so, it's also quite > complicated to achieve. > > So it should not break any real-world cases. It would make user-space debugging harder though, so it's a quality of implmentation issue. Thanks, Ingo