From: Thomas Garnier <thgarnie@google.com> To: "David Howells" <dhowells@redhat.com>, "Dave Hansen" <dave.hansen@intel.com>, "Arnd Bergmann" <arnd@arndb.de>, "Al Viro" <viro@zeniv.linux.org.uk>, "René Nyffenegger" <mail@renenyffenegger.ch>, "Thomas Garnier" <thgarnie@google.com>, "Andrew Morton" <akpm@linux-foundation.org>, "Kees Cook" <keescook@chromium.org>, "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>, "David S . Miller" <davem@davemloft.net>, "Andy Lutomirski" <luto@kernel.org>, "Ard Biesheuvel" <ard.biesheuvel@linaro.org>, "Nicolas Pitre" <nicolas.pitre@linaro.org>, "Petr Mladek" <pmladek@suse.com>, "Sebastian Andrzej Siewior" <bigeasy@linutronix.de>, "Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>, "Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>, "Ingo Molnar" <mingo@kernel.org>, "Oleg Nesterov" <oleg@redhat.com>, "John Stultz" <john.stultz@linaro.org>, "Thomas Gleixner" <tglx@linutronix.de> Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com Subject: [PATCH v2 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state Date: Wed, 8 Mar 2017 17:24:54 -0800 [thread overview] Message-ID: <20170309012456.5631-2-thgarnie@google.com> (raw) In-Reply-To: <20170309012456.5631-1-thgarnie@google.com> Implement specific usage of verify_pre_usermode_state for user-mode returns for x86. --- Based on next-20170308 --- arch/x86/Kconfig | 1 + arch/x86/entry/common.c | 3 +++ arch/x86/entry/entry_64.S | 19 +++++++++++++++++++ arch/x86/include/asm/pgtable_64_types.h | 11 +++++++++++ arch/x86/include/asm/processor.h | 11 ----------- 5 files changed, 34 insertions(+), 11 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 005df7c825f5..6d48e18e6f09 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig 
@@ -63,6 +63,7 @@ config X86
 select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
 select ARCH_MIGHT_HAVE_PC_PARPORT
 select ARCH_MIGHT_HAVE_PC_SERIO
+ select ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
 select ARCH_SUPPORTS_ATOMIC_RMW
 select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
 select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index 370c42c7f046..525edbb77f03 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -22,6 +22,7 @@
 #include <linux/context_tracking.h>
 #include <linux/user-return-notifier.h>
 #include <linux/uprobes.h>
+#include <linux/syscalls.h>
 #include <asm/desc.h>
 #include <asm/traps.h>
@@ -180,6 +181,8 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs)
 struct thread_info *ti = current_thread_info();
 u32 cached_flags;
+ verify_pre_usermode_state();
+
 if (IS_ENABLED(CONFIG_PROVE_LOCKING) && WARN_ON(!irqs_disabled()))
 local_irq_disable();
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index d2b2a2948ffe..b3527d31b91b 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -96,6 +96,19 @@ ENDPROC(native_usergs_sysret64)
 # define TRACE_IRQS_IRETQ_DEBUG TRACE_IRQS_IRETQ
 #endif
+#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
+.macro VERIFY_PRE_USERMODE_STATE
+ call verify_pre_usermode_state
+.endm
+#else
+/* Similar to set_fs(USER_DS) in verify_pre_usermode_state without a warning. */
+.macro VERIFY_PRE_USERMODE_STATE
+ movq PER_CPU_VAR(current_task), %rax
+ movq $TASK_SIZE_MAX, %rcx
+ movq %rcx, TASK_addr_limit(%rax)
+.endm
+#endif
+
 /*
 * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers.
 *
@@ -201,6 +214,7 @@ entry_SYSCALL_64_fastpath:
 * It might end up jumping to the slow path. If it jumps, RAX
 * and all argument registers are clobbered.
 */
+
 call *sys_call_table(, %rax, 8)
 .Lentry_SYSCALL_64_after_fastpath_call:
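Review bot: The `verify_pre_usermode_state();` inserted at the top of prepare_exit_to_usermode() carries no comment explaining why the check lives on this path, and the function's body continues outside the hunk. Since syscall_return_slowpath() funnels into prepare_exit_to_usermode() (the entry_64.S comment in this patch relies on that) and, presumably, so do the interrupt and exception return paths, this one call covers every slow-path return to user mode, which is broader than the per-syscall generic check x86 opts out of through ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE and is worth recording. Suggested comment above the call: `/* Catch a kernel path that left addr_limit at KERNEL_DS before we return to user mode; the SYSCALL fast path does the same via VERIFY_PRE_USERMODE_STATE. */`.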
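Review bot: The `#else` variant of VERIFY_PRE_USERMODE_STATE stores TASK_SIZE_MAX into TASK_addr_limit unconditionally, so on the SYSCALL fast path (the common case) a syscall that returned with addr_limit still at KERNEL_DS is repaired silently and never reported, while the slow path reaches the C verify_pre_usermode_state() which, per this macro's own comment, does warn; without CONFIG_BUG_ON_DATA_CORRUPTION the fast path therefore masks exactly the bug this series is meant to surface. A compare-and-branch keeps detection at about the same cost: keep the two `movq` lines (a 64-bit immediate cannot be a cmpq operand, which is presumably why TASK_SIZE_MAX goes through %rcx) and replace the store with `cmpq %rcx, TASK_addr_limit(%rax)` / `jne 1f`, diverting a mismatch to the slow-path label `1:` that the fast path's `jnz 1f` already targets (visible in the next hunk), where syscall_return_slowpath() runs the warning C check and the reset. That relies on the macro being expanded only at that one site, as this patch does; say so in the macro comment. Both variants should also document their clobbers — `/* clobbers %rax, %rcx */` here, and every caller-saved register in the `call` variant — because the two configurations impose different constraints on the expansion site.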
@@ -218,6 +232,11 @@ entry_SYSCALL_64_fastpath:
 testl $_TIF_ALLWORK_MASK, TASK_TI_flags(%r11)
 jnz 1f
+ /*
+ * Check user-mode state on fast path return, the same check is done
+ * under the slow path through syscall_return_slowpath.
+ */
+ VERIFY_PRE_USERMODE_STATE
 LOCKDEP_SYS_EXIT
 TRACE_IRQS_ON /* user mode is traced as IRQs on */
 movq RIP(%rsp), %rcx
diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
index 3a264200c62f..0fbbb79d058c 100644
--- a/arch/x86/include/asm/pgtable_64_types.h
+++ b/arch/x86/include/asm/pgtable_64_types.h
@@ -76,4 +76,15 @@ typedef struct { pteval_t pte; } pte_t;
 #define EARLY_DYNAMIC_PAGE_TABLES 64
+/*
+ * User space process size. 47bits minus one guard page. The guard
+ * page is necessary on Intel CPUs: if a SYSCALL instruction is at
+ * the highest possible canonical userspace address, then that
+ * syscall will enter the kernel with a non-canonical return
+ * address, and SYSRET will explode dangerously. We avoid this
+ * particular problem by preventing anything from being mapped
+ * at the maximum canonical address.
+ */
+#define TASK_SIZE_MAX ((_AC(1, UL) << 47) - PAGE_SIZE)
+
 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index f385eca5407a..9bc99d37133e 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
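Review bot: The comment above `VERIFY_PRE_USERMODE_STATE` claims "the same check is done under the slow path", but unless CONFIG_BUG_ON_DATA_CORRUPTION is set the macro expands to a bare store of TASK_SIZE_MAX into addr_limit with no comparison and no warning, so the fast path only resets the limit whereas the slow path's verify_pre_usermode_state() also reports the violation. Suggest stating the asymmetry: `/* Fast-path address-limit check. Without CONFIG_BUG_ON_DATA_CORRUPTION this only resets addr_limit silently; the slow path (syscall_return_slowpath) runs the warning C check instead. */`. The placement looks right: it runs after the _TIF_ALLWORK_MASK test on the SYSRET fast path, and the %rcx it clobbers is reloaded from RIP(%rsp) two lines down; %rax is presumably restored by the register-restore sequence below the hunk — confirm.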
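Review bot: Nothing in this hunk ties the relocated TASK_SIZE_MAX to the value set_fs(USER_DS) installs, even though the entry assembly in this patch now writes this constant straight into current->addr_limit, so the two must stay byte-equal from here on. Exporting the USER_DS limit through asm-offsets (next to the TASK_addr_limit offset the macro presumably already takes from there) and having the assembly use that symbol, or at least a build-time assertion that the two values agree, would turn a future divergence into a build failure instead of a silently different limit on the fast path. The change from `1UL` to `_AC(1, UL)` is what makes the constant usable from assembly; the hunk does not show this header's includes, so confirm `<linux/const.h>` (or a header providing _AC) is already in scope for the `__ASSEMBLY__` build.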
@@ -829,17 +829,6 @@ static inline void spin_lock_prefetch(const void *x)
 #define KSTK_ESP(task) (task_pt_regs(task)->sp)
 #else
-/*
- * User space process size. 47bits minus one guard page. The guard
- * page is necessary on Intel CPUs: if a SYSCALL instruction is at
- * the highest possible canonical userspace address, then that
- * syscall will enter the kernel with a non-canonical return
- * address, and SYSRET will explode dangerously. We avoid this
- * particular problem by preventing anything from being mapped
- * at the maximum canonical address.
- */
-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
-
 /* This decides where the kernel will search for a free chunk of vm
 * space during mmap's.
 */
-- 2.12.0.246.ga2ecc84866-goog
From: Thomas Garnier <thgarnie@google.com> To: "David Howells" <dhowells@redhat.com>, "Dave Hansen" <dave.hansen@intel.com>, "Arnd Bergmann" <arnd@arndb.de>, "Al Viro" <viro@zeniv.linux.org.uk>, "René Nyffenegger" <mail@renenyffenegger.ch>, "Thomas Garnier" <thgarnie@google.com>, "Andrew Morton" <akpm@linux-foundation.org>, "Kees Cook" <keescook@chromium.org>, "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>, "David S . Miller" <davem@davemloft.net>, "Andy Lutomirski" <luto@kernel.org>, "Ard Biesheuvel" <ard.biesheuvel@linaro.org>, "Nicolas Pitre" <nicolas.pitre@linaro.org>, "Petr Mladek" <pmladek@suse.com>, "Sebastian Andrzej Siewior" <bigeasy@linutronix.de>, "Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>, "Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>, "Ingo Molnar" <mingo@kernel.org>, "Oleg Nesterov" <oleg@redhat.com>, "John Stultz" <john.stultz@linaro.org>, "Thomas Gleixner" <tglx@linutronix.de>, "Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>, "Frederic Weisbecker" <fweisbec@gmail.com>, "Stephen Smalley" <sds@tycho.nsa.gov>, "Stanislav Kinsburskiy" <skinsbursky@virtuozzo.com>, "Ingo Molnar" <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>, "Paolo Bonzini" <pbonzini@redhat.com>, "Borislav Petkov" <bp@alien8.de>, "Josh Poimboeuf" <jpoimboe@redhat.com>, "Brian Gerst" <brgerst@gmail.com>, "Jan Beulich" <JBeulich@suse.com>, "Christian Borntraeger" <borntraeger@de.ibm.com>, "Luis R . 
Rodriguez" <mcgrof@kernel.org>, "He Chen" <he.chen@linux.intel.com>, "Russell King" <linux@armlinux.org.uk>, "Will Deacon" <will.deacon@arm.com>, "Catalin Marinas" <catalin.marinas@arm.com>, "Mark Rutland" <mark.rutland@arm.com>, "James Morse" <james.morse@arm.com>, "Pratyush Anand" <panand@redhat.com>, "Vladimir Murzin" <vladimir.murzin@arm.com>, "Chris Metcalf" <cmetcalf@mellanox.com>, "Andre Przywara" <andre.przywara@arm.com> Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com Subject: [kernel-hardening] [PATCH v2 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state Date: Wed, 8 Mar 2017 17:24:54 -0800 [thread overview] Message-ID: <20170309012456.5631-2-thgarnie@google.com> (raw) In-Reply-To: <20170309012456.5631-1-thgarnie@google.com> Implement specific usage of verify_pre_usermode_state for user-mode returns for x86. --- Based on next-20170308 --- arch/x86/Kconfig | 1 + arch/x86/entry/common.c | 3 +++ arch/x86/entry/entry_64.S | 19 +++++++++++++++++++ arch/x86/include/asm/pgtable_64_types.h | 11 +++++++++++ arch/x86/include/asm/processor.h | 11 ----------- 5 files changed, 34 insertions(+), 11 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 005df7c825f5..6d48e18e6f09 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -63,6 +63,7 @@ config X86 select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI select ARCH_MIGHT_HAVE_PC_PARPORT select ARCH_MIGHT_HAVE_PC_SERIO + select ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT select ARCH_SUPPORTS_NUMA_BALANCING if X86_64 diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 370c42c7f046..525edbb77f03 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c 
@@ -22,6 +22,7 @@ #include <linux/context_tracking.h> #include <linux/user-return-notifier.h> #include <linux/uprobes.h> +#include <linux/syscalls.h> #include <asm/desc.h> #include <asm/traps.h> @@ -180,6 +181,8 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) struct thread_info *ti = current_thread_info(); u32 cached_flags; + verify_pre_usermode_state(); + if (IS_ENABLED(CONFIG_PROVE_LOCKING) && WARN_ON(!irqs_disabled())) local_irq_disable(); diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index d2b2a2948ffe..b3527d31b91b 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -96,6 +96,19 @@ ENDPROC(native_usergs_sysret64) # define TRACE_IRQS_IRETQ_DEBUG TRACE_IRQS_IRETQ #endif +#ifdef CONFIG_BUG_ON_DATA_CORRUPTION +.macro VERIFY_PRE_USERMODE_STATE + call verify_pre_usermode_state +.endm +#else +/* Similar to set_fs(USER_DS) in verify_pre_usermode_state without a warning. */ +.macro VERIFY_PRE_USERMODE_STATE + movq PER_CPU_VAR(current_task), %rax + movq $TASK_SIZE_MAX, %rcx + movq %rcx, TASK_addr_limit(%rax) +.endm +#endif + /* * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers. * @@ -201,6 +214,7 @@ entry_SYSCALL_64_fastpath: * It might end up jumping to the slow path. If it jumps, RAX * and all argument registers are clobbered. */ + call *sys_call_table(, %rax, 8) .Lentry_SYSCALL_64_after_fastpath_call: @@ -218,6 +232,11 @@ entry_SYSCALL_64_fastpath: testl $_TIF_ALLWORK_MASK, TASK_TI_flags(%r11) jnz 1f + /* + * Check user-mode state on fast path return, the same check is done + * under the slow path through syscall_return_slowpath. + */ + VERIFY_PRE_USERMODE_STATE LOCKDEP_SYS_EXIT TRACE_IRQS_ON /* user mode is traced as IRQs on */ movq RIP(%rsp), %rcx diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 3a264200c62f..0fbbb79d058c 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h 
@@ -76,4 +76,15 @@ typedef struct { pteval_t pte; } pte_t; #define EARLY_DYNAMIC_PAGE_TABLES 64 +/* + * User space process size. 47bits minus one guard page. The guard + * page is necessary on Intel CPUs: if a SYSCALL instruction is at + * the highest possible canonical userspace address, then that + * syscall will enter the kernel with a non-canonical return + * address, and SYSRET will explode dangerously. We avoid this + * particular problem by preventing anything from being mapped + * at the maximum canonical address. + */ +#define TASK_SIZE_MAX ((_AC(1, UL) << 47) - PAGE_SIZE) + #endif /* _ASM_X86_PGTABLE_64_DEFS_H */ diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index f385eca5407a..9bc99d37133e 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -829,17 +829,6 @@ static inline void spin_lock_prefetch(const void *x) #define KSTK_ESP(task) (task_pt_regs(task)->sp) #else -/* - * User space process size. 47bits minus one guard page. The guard - * page is necessary on Intel CPUs: if a SYSCALL instruction is at - * the highest possible canonical userspace address, then that - * syscall will enter the kernel with a non-canonical return - * address, and SYSRET will explode dangerously. We avoid this - * particular problem by preventing anything from being mapped - * at the maximum canonical address. - */ -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE) - /* This decides where the kernel will search for a free chunk of vm * space during mmap's. */ -- 2.12.0.246.ga2ecc84866-goog