From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753251AbbDBMYm (ORCPT ); Thu, 2 Apr 2015 08:24:42 -0400 Received: from mx1.redhat.com ([209.132.183.28]:54796 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753227AbbDBMYj (ORCPT ); Thu, 2 Apr 2015 08:24:39 -0400 Message-ID: <551D3503.6000508@redhat.com> Date: Thu, 02 Apr 2015 14:24:35 +0200 From: Denys Vlasenko User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: Brian Gerst , Ingo Molnar CC: Andy Lutomirski , the arch/x86 maintainers , Linux Kernel Mailing List , Borislav Petkov , Linus Torvalds , Borislav Petkov Subject: Re: [PATCH urgent v2] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set References: <9472f1ca4c19a38ecda45bba9c91b7168135fcfa.1427923514.git.luto@kernel.org> <20150402090744.GA26846@gmail.com> <551D14D3.1070907@redhat.com> <20150402103735.GA21105@gmail.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/02/2015 01:14 PM, Brian Gerst wrote: >>>> So I merged this as it's an obvious bugfix, but in hindsight I'm >>>> really uneasy about the whole opportunistic SYSRET concept: it appears >>>> that the chance that %rcx matches return-%rip is astronomical - this >>>> is why this bug wasn't noticed live so far. >>>> >>>> So should we really be doing this? >>> >>> Andy does this not for the off-chance that userspace's RCX is equal >>> to return address and R11 == RFLAGS. The chances of that are >>> astronomically small. >>> >>> This code path triggers when ptrace/audit/seccomp is active. Instead >>> of torturing ourselves trying to not divert into IRET return, now >>> code is steered that way. But then immediately before actual IRET, >>> we check again: "do we really need IRET?" IOW "did ptrace really >>> touch pt_regs->ss? ->flags? ->rip? ->rcx?" which in vast majority of >>> cases will not be true. >> >> I keep forgetting about that, my test systems have the audit muck >> turned off ;-) >> >> Fair enough - and it's sensible to share the IRET path between >> interrupts and complex-return system calls, even though the check >> is unnecessary overhead for the pure interrupt return path... > > > Maybe we could reintroduce TIF_IRET for this purpose instead of > (ab)using TIF_NOTIFY_RESUME. Then we would only do the opportunistic > check for those cases (ptrace, audit, exec, sigreturn, etc.), and skip > it for interrupts. The very first check in the existing code, pt_regs->cx == pt_regs->ip, will fail for interrupt returns. You hardly can save anything by placing a (ti->flags & TIF_TRY_SYSRET) check in front of it, it's almost as expensive.