* [PATCH 0/4] x86: fix syscall function type mismatches
From: Sami Tolvanen @ 2019-09-13 21:00 UTC
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen

This patch set changes x64 and ia32 syscall wrappers and related
functions to use function types that match sys_call_ptr_t. This
fixes indirect call mismatches with Control-Flow Integrity (CFI)
checking.

Sami Tolvanen (4):
  x86: use the correct function type in SYSCALL_DEFINE0
  x86: use the correct function type for sys32_(rt_)sigreturn
  x86: use the correct function type for sys_ni_syscall
  x86: fix function types in COND_SYSCALL

 arch/x86/entry/syscall_32.c            | 13 ++++++--
 arch/x86/entry/syscall_64.c            | 12 +++++--
 arch/x86/entry/syscalls/syscall_32.tbl |  4 +--
 arch/x86/ia32/ia32_signal.c            |  4 +--
 arch/x86/include/asm/syscall_wrapper.h | 44 ++++++++++++++++----------
 5 files changed, 51 insertions(+), 26 deletions(-)

--
2.23.0.237.gc6a4ce50a0-goog
* [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen @ 2019-09-13 21:00 ` Sami Tolvanen 2019-09-13 22:33 ` Andy Lutomirski 2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen ` (4 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Although a syscall defined using SYSCALL_DEFINE0 doesn't accept parameters, use the correct function type to avoid type mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e046a405743d..90eb70df0b18 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -48,12 +48,13 @@ * To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias * named __ia32_sys_*() */ -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ - asmlinkage long __x64_sys_##sname(void) + +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #define COND_SYSCALL(name) \ cond_syscall(__x64_sys_##name); \ 
@@ -181,11 +182,11 @@ * macros to work correctly. */ #ifndef SYSCALL_DEFINE0 -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - asmlinkage long __x64_sys_##sname(void) +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #endif #ifndef COND_SYSCALL -- 2.23.0.237.gc6a4ce50a0-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
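Review bot: The first hunk adds an empty line between the closing `*/` of the "re-define SYSCALL_DEFINE0 to create an alias" comment and the `#define SYSCALL_DEFINE0(sname)` it documents; drop that line so the comment stays attached to the macro. Both hunks also re-align every continuation backslash, so every line of each macro shows as changed although only the two `__x64_sys_##sname(void)` prototypes differ, and the new declaration ends in `;\` with no space before the backslash. Keeping the existing alignment would reduce the diff to the two lines per macro that actually change.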
* Re: [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0
From: Andy Lutomirski @ 2019-09-13 22:33 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
> parameters, use the correct function type to avoid type mismatches
> with Control-Flow Integrity (CFI) checking.

Acked-by: Andy Lutomirski <luto@kernel.org>
* [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn 2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen 2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen @ 2019-09-13 21:00 ` Sami Tolvanen 2019-09-13 22:44 ` Andy Lutomirski 2019-09-13 21:00 ` [PATCH 3/4] x86: use the correct function type for sys_ni_syscall Sami Tolvanen ` (3 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use the correct function type to avoid tripping Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/ia32/ia32_signal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index 1cee10091b9f..878d8998ce6d 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -118,7 +118,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, return err; } -asmlinkage long sys32_sigreturn(void) +asmlinkage long sys32_sigreturn(const struct pt_regs *__unused) { struct pt_regs *regs = current_pt_regs(); struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); @@ -144,7 +144,7 @@ asmlinkage long sys32_sigreturn(void) return 0; } -asmlinkage long sys32_rt_sigreturn(void) +asmlinkage long sys32_rt_sigreturn(const struct pt_regs *__unused) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; -- 2.23.0.237.gc6a4ce50a0-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
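Review bot: In both sys32_sigreturn() and sys32_rt_sigreturn() the new `const struct pt_regs *__unused` argument is ignored while the first statement of each body still obtains the frame with `struct pt_regs *regs = current_pt_regs();`, and nothing says why the passed-in pointer is not used. Add a comment stating that the parameter exists only so the prototype matches sys_call_ptr_t and that the body needs a non-const pointer, or define these two entry points through a syscall-definition macro so the prototype is generated rather than hand-written.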
* Re: [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn 2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen @ 2019-09-13 22:44 ` Andy Lutomirski 2019-09-13 23:29 ` Sami Tolvanen 0 siblings, 1 reply; 35+ messages in thread From: Andy Lutomirski @ 2019-09-13 22:44 UTC (permalink / raw) To: Sami Tolvanen Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote: > > Use the correct function type to avoid tripping Control-Flow > Integrity (CFI) checking. > > Signed-off-by: Sami Tolvanen <samitolvanen@google.com> > --- > arch/x86/ia32/ia32_signal.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c > index 1cee10091b9f..878d8998ce6d 100644 > --- a/arch/x86/ia32/ia32_signal.c > +++ b/arch/x86/ia32/ia32_signal.c > @@ -118,7 +118,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, > return err; > } > > -asmlinkage long sys32_sigreturn(void) > +asmlinkage long sys32_sigreturn(const struct pt_regs *__unused) > { > struct pt_regs *regs = current_pt_regs(); > struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); 
> @@ -144,7 +144,7 @@ asmlinkage long sys32_sigreturn(void) > return 0; > } > > -asmlinkage long sys32_rt_sigreturn(void) > +asmlinkage long sys32_rt_sigreturn(const struct pt_regs *__unused) > { > struct pt_regs *regs = current_pt_regs(); > struct rt_sigframe_ia32 __user *frame; Shouldn't these be COMPAT_SYSCALL_DEFINE0? I think you should pick this patch up and add it to your series: https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/syscalls&id=07daeef08d26728c120ecbe57a55cb5714810b84 with the obvious type fixup, of course. And then write a little patch to use COMPAT_SYSCALL_DEFINE0 for rt_sigreturn and sigreturn. > -- > 2.23.0.237.gc6a4ce50a0-goog > ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn
From: Sami Tolvanen @ 2019-09-13 23:29 UTC
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 3:44 PM Andy Lutomirski <luto@kernel.org> wrote:
> Shouldn't these be COMPAT_SYSCALL_DEFINE0?

Sure, that would work too.

> I think you should pick this patch up and add it to your series:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/syscalls&id=07daeef08d26728c120ecbe57a55cb5714810b84
>
> with the obvious type fixup, of course. And then write a little patch
> to use COMPAT_SYSCALL_DEFINE0 for rt_sigreturn and sigreturn.

Thanks. I'll do that and send v2 next week once I get some more
feedback on the other patches.

Sami
* [PATCH 3/4] x86: use the correct function type for sys_ni_syscall 2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen 2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen 2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen @ 2019-09-13 21:00 ` Sami Tolvanen 2019-09-13 22:45 ` Andy Lutomirski 2019-09-13 21:00 ` [PATCH 4/4] x86: fix function types in COND_SYSCALL Sami Tolvanen ` (2 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use the correct function type for sys_ni_syscall in system call tables to fix indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/entry/syscall_32.c | 13 ++++++++++--- arch/x86/entry/syscall_64.c | 12 +++++++++--- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index aa3336a7cb15..1cbdfff116d1 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c 
@@ -11,12 +11,19 @@ /* On X86_64, we use struct pt_regs * to pass parameters to syscalls */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); +extern asmlinkage long sys_ni_syscall(void); + +asmlinkage long __ia32_sys_ni_syscall(const struct pt_regs *__unused) +{ + return sys_ni_syscall(); +} + +#define __sys_ni_syscall __ia32_sys_ni_syscall #else /* CONFIG_IA32_EMULATION */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); +#define __sys_ni_syscall sys_ni_syscall #endif /* CONFIG_IA32_EMULATION */ #include <asm/syscalls_32.h> @@ -29,6 +36,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] = * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_compat_max] = &sys_ni_syscall, + [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall, #include <asm/syscalls_32.h> }; diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index d5252bc1e380..0341b3e7fede 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c 
@@ -4,11 +4,17 @@ #include <linux/linkage.h> #include <linux/sys.h> #include <linux/cache.h> +#include <linux/syscalls.h> #include <asm/asm-offsets.h> #include <asm/syscall.h> -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); +extern asmlinkage long sys_ni_syscall(void); + +asmlinkage long __x64_sys_ni_syscall(const struct pt_regs *__unused) +{ + return sys_ni_syscall(); +} + #define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); #include <asm/syscalls_64.h> #undef __SYSCALL_64 @@ -20,6 +26,6 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_max] = &sys_ni_syscall, + [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index c00019abd076..9514f2fe456a 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -124,7 +124,7 @@ 110 i386 iopl sys_iopl __ia32_sys_iopl 111 i386 vhangup sys_vhangup __ia32_sys_vhangup 112 i386 idle -113 i386 vm86old sys_vm86old sys_ni_syscall +113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall 114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4 115 i386 swapoff sys_swapoff __ia32_sys_swapoff 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo @@ -177,7 +177,7 @@ 163 i386 mremap sys_mremap __ia32_sys_mremap 164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16 165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16 -166 i386 vm86 sys_vm86 sys_ni_syscall +166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall 167 i386 query_module 168 i386 poll sys_poll __ia32_sys_poll 169 i386 nfsservctl -- 2.23.0.237.gc6a4ce50a0-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
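Review bot: `__ia32_sys_ni_syscall()` in syscall_32.c and `__x64_sys_ni_syscall()` in syscall_64.c are two hand-written wrappers with the same body (`return sys_ni_syscall();`), and the declaration of `sys_ni_syscall` is handled differently in the two files: syscall_64.c adds both `#include <linux/syscalls.h>` and a local `extern asmlinkage long sys_ni_syscall(void);`, while syscall_32.c adds only the extern. Use one source for that declaration in both files, and consider generating both names from a single definition, the way SYSCALL_DEFINE0 in patch 1/4 does with `SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname)`. The new `__sys_ni_syscall` define in syscall_32.c is used only for the table's default initializer while syscall_32.tbl names `__ia32_sys_ni_syscall` directly; a short comment on the define would make that split clear.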
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
From: Andy Lutomirski @ 2019-09-13 22:45 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Use the correct function type for sys_ni_syscall in system
> call tables to fix indirect call mismatches with Control-Flow
> Integrity (CFI) checking.

Should this be SYSCALL_DEFINE0?
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
From: Sami Tolvanen @ 2019-09-13 23:26 UTC
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
> Should this be SYSCALL_DEFINE0?

It can be, and that would also fix the issue. However, it does result
in unnecessary error injection to be hooked up here, which is why
arm64 preferred to avoid the macro when I fixed it there. S390 uses
SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
returns -ENOSYS, it shouldn't be a huge problem. Thoughts?

Sami
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
From: Andy Lutomirski @ 2019-09-14 0:27 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML, will.deacon

> On Sep 13, 2019, at 4:26 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
>
>> On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
>> Should this be SYSCALL_DEFINE0?
>
> It can be, and that would also fix the issue. However, it does result
> in unnecessary error injection to be hooked up here, which is why
> arm64 preferred to avoid the macro when I fixed it there. S390 uses
> SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
> returns -ENOSYS, it shouldn't be a huge problem. Thoughts?
>

I don’t see why all syscalls except these few should have error injection
hooked up. It’s also IMO nicer from a maintenance perspective to have all
syscalls use the same macros.

Will, is there something I’m missing?
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
From: Will Deacon @ 2019-09-16 20:43 UTC
To: Andy Lutomirski
Cc: Sami Tolvanen, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML, will.deacon, mark.rutland

On Fri, Sep 13, 2019 at 05:27:40PM -0700, Andy Lutomirski wrote:
> > On Sep 13, 2019, at 4:26 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
> >> On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
> >> Should this be SYSCALL_DEFINE0?
> >
> > It can be, and that would also fix the issue. However, it does result
> > in unnecessary error injection to be hooked up here, which is why
> > arm64 preferred to avoid the macro when I fixed it there. S390 uses
> > SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
> > returns -ENOSYS, it shouldn't be a huge problem. Thoughts?
> >
>
> I don’t see why all syscalls except these few should have error injection
> hooked up. It’s also IMO nicer from a maintenance perspective to have all
> syscalls use the same macros.
>
> Will, is there something I’m missing?

There was a reasonable request from Mark (CC'd) not to allow error injection
for unimplemented system calls, so that's why we took the approach that we
did. There was also a vague plan to fix this for everybody [1] but evidently
nobody found the time :(

Will

[1] https://lore.kernel.org/lkml/20190524215821.GA37129@google.com/T/#m6519b2aad06d8c384de1f55256f08687c83d8796
* [PATCH 4/4] x86: fix function types in COND_SYSCALL 2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen ` (2 preceding siblings ...) 2019-09-13 21:00 ` [PATCH 3/4] x86: use the correct function type for sys_ni_syscall Sami Tolvanen @ 2019-09-13 21:00 ` Sami Tolvanen 2019-09-13 22:46 ` Andy Lutomirski 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Define a weak function in COND_SYSCALL instead of a weak alias to sys_ni_syscall, which has an incompatible type. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 90eb70df0b18..9a595a544017 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -6,6 +6,8 @@ #ifndef _ASM_X86_SYSCALL_WRAPPER_H #define _ASM_X86_SYSCALL_WRAPPER_H +struct pt_regs; + /* Mapping of registers to parameters for syscalls on x86-64 and x32 */ #define SC_X86_64_REGS_TO_ARGS(x, ...) \ __MAP(x,__SC_ARGS \ 
@@ -56,9 +58,15 @@ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) -#define COND_SYSCALL(name) \ - cond_syscall(__x64_sys_##name); \ - cond_syscall(__ia32_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } \ + asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\ + { \ + return sys_ni_syscall(); \ + } #define SYS_NI(name) \ SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \ @@ -190,7 +198,11 @@ #endif #ifndef COND_SYSCALL -#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } #endif #ifndef SYS_NI @@ -202,7 +214,6 @@ * For VSYSCALLS, we need to declare these three syscalls with the new * pt_regs-based calling convention for in-kernel use. */ -struct pt_regs; asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs); asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs); asmlinkage long __x64_sys_time(const struct pt_regs *regs); -- 2.23.0.237.gc6a4ce50a0-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
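Review bot: The new COND_SYSCALL bodies call `sys_ni_syscall()`, but the only declaration this header gains is the forward `struct pt_regs;` moved to the top, so the macro compiles only where the including file has already declared `sys_ni_syscall`; declare it here next to `struct pt_regs;` or include the header that does. The old expansion ended in `cond_syscall(__ia32_sys_##name)` without a semicolon, which suggests call sites write `COND_SYSCALL(name);`, and with the new expansion ending in `}` that leaves an empty declaration at file scope after every use. SYS_NI in the trailing context still uses SYSCALL_ALIAS to `sys_ni_posix_timers`, so if that function also takes no arguments, the mismatch this patch removes for COND_SYSCALL remains there.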
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
From: Andy Lutomirski @ 2019-09-13 22:46 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Define a weak function in COND_SYSCALL instead of a weak alias to
> sys_ni_syscall, which has an incompatible type. This fixes indirect
> call mismatches with Control-Flow Integrity (CFI) checking.
>

Didn't you just fix the type of sys_ni_syscall? What am I missing here?
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
From: Sami Tolvanen @ 2019-09-13 23:28 UTC
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 3:46 PM Andy Lutomirski <luto@kernel.org> wrote:
> Didn't you just fix the type of sys_ni_syscall? What am I missing here?

The other patch fixes indirect call type mismatches when the function
is called through the syscall table. However, cond_syscall creates an
alias to the actual sys_ni_syscall function defined in
kernel/sys_ni.c, which still has the wrong type.

Sami
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
From: Andy Lutomirski @ 2019-09-14 0:28 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

> On Sep 13, 2019, at 4:28 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
>
>> On Fri, Sep 13, 2019 at 3:46 PM Andy Lutomirski <luto@kernel.org> wrote:
>> Didn't you just fix the type of sys_ni_syscall? What am I missing here?
>
> The other patch fixes indirect call type mismatches when the function
> is called through the syscall table. However, cond_syscall creates an
> alias to the actual sys_ni_syscall function defined in
> kernel/sys_ni.c, which still has the wrong type.
>

Ah, I get it. Doesn’t this cause a little bit of code bloat, though?

What if you made __x86_ni_syscall, etc (possibly using the *DEFINE_SYSCALL0 macros) and then generate weak aliases to those?
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
From: Sami Tolvanen @ 2019-09-17 22:44 UTC
To: Andy Lutomirski
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Fri, Sep 13, 2019 at 5:28 PM Andy Lutomirski <luto@amacapital.net> wrote:
> Ah, I get it. Doesn’t this cause a little bit of code bloat, though?

A little bit yes, a few extra functions for syscalls that are not
otherwise implemented.

> What if you made __x86_ni_syscall, etc (possibly using the *DEFINE_SYSCALL0 macros) and then generate weak aliases to those?

That would be convenient, but COND_SYSCALL is used in kernel/sys_ni.c,
and we can't create an alias to a function defined elsewhere:

$ cat test.c
long b(void);
long a(void) __attribute__((alias("b")));
$ gcc -c test.c
test.c:2:6: error: ‘a’ aliased to undefined symbol ‘b’
 long a(void) __attribute__((alias("b")));
      ^

Curiously, when we use inline assembly to create the alias (similarly
to the current cond_syscall), gcc just quietly drops the alias if the
function is not defined.

Sami
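A user-space model of the mismatch this thread is about, added here as an illustration and not taken from any patch or message above: a no-argument stub placed in a table that is called through the `sys_call_ptr_t` type fails a type check, while the wrapper (patch 3/4) and the weak function (patch 4/4) pass it. The `fn_type` tag, `CFI_VIOLATION`, `x64_sys_demo`, `x64_sys_optional` and the two tables are constructed for the example, and the explicit tag comparison only stands in for a compiler's CFI check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's saved-register frame. */
struct pt_regs { unsigned long di; };

/* The one type every syscall-table slot is called through. */
typedef long (*sys_call_ptr_t)(const struct pt_regs *);

/* Model of the type identity a CFI scheme compares at an indirect call. */
enum fn_type { FN_VOID, FN_PT_REGS };

struct table_slot {
    enum fn_type type;   /* type the target was actually defined with */
    void (*fn)(void);    /* generic storage, cast back before the call */
};

#define SLOT(t, f)    { (t), (void (*)(void))(f) }
#define CFI_VIOLATION (-1000L)   /* hypothetical marker, not a kernel value */

/* Like the stub discussed in the thread: no parameters, always -ENOSYS. */
static long sys_ni_syscall(void) { return -ENOSYS; }

/* Patch 3/4 pattern: a wrapper whose type matches sys_call_ptr_t. */
static long x64_sys_ni_syscall(const struct pt_regs *unused)
{
    (void)unused;
    return sys_ni_syscall();
}

/* Patch 4/4 pattern: a weak function of the right type, not a weak alias. */
#define COND_SYSCALL(name) \
    __attribute__((weak)) long x64_sys_##name(const struct pt_regs *unused) \
    { \
        (void)unused; \
        return sys_ni_syscall(); \
    }
COND_SYSCALL(optional)

/* Constructed "implemented" syscall that reads its argument from regs. */
static long x64_sys_demo(const struct pt_regs *regs)
{
    return (long)regs->di + 1;
}

/* Before: the (void) stub sits in a table of pt_regs-typed slots. */
static const struct table_slot table_before[] = {
    SLOT(FN_PT_REGS, x64_sys_demo),
    SLOT(FN_VOID, sys_ni_syscall),
};

/* After: every slot really has the sys_call_ptr_t type. */
static const struct table_slot table_after[] = {
    SLOT(FN_PT_REGS, x64_sys_demo),
    SLOT(FN_PT_REGS, x64_sys_ni_syscall),
    SLOT(FN_PT_REGS, x64_sys_optional),
};

static long dispatch(const struct table_slot *t, size_t n, size_t nr,
                     unsigned long di)
{
    struct pt_regs regs = { di };

    if (nr >= n)
        return -ENOSYS;
    if (t[nr].type != FN_PT_REGS)   /* modelled check before the indirect call */
        return CFI_VIOLATION;
    return ((sys_call_ptr_t)t[nr].fn)(&regs);
}

long call_before(size_t nr, unsigned long di)
{
    return dispatch(table_before,
                    sizeof(table_before) / sizeof(table_before[0]), nr, di);
}

long call_after(size_t nr, unsigned long di)
{
    return dispatch(table_after,
                    sizeof(table_after) / sizeof(table_after[0]), nr, di);
}

int main(void)
{
    printf("before, slot 1: %ld\n", call_before(1, 0));
    printf("after,  slot 1: %ld\n", call_after(1, 0));
    printf("after,  slot 2: %ld\n", call_after(2, 0));
    return 0;
}
```
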
* [PATCH v2 0/5] x86: fix syscall function type mismatches
From: Sami Tolvanen @ 2019-09-18 22:46 UTC
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen

This patch set changes x86 syscall wrappers and related functions to
use function types that match sys_call_ptr_t. This fixes indirect call
mismatches with Control-Flow Integrity (CFI) checking.

Changes since v1:
  - Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
  - Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro for
    (rt_)sigreturn.

Andy Lutomirski (1):
  x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0

Sami Tolvanen (4):
  x86: use the correct function type in SYSCALL_DEFINE0
  x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
  x86: use the correct function type for sys_ni_syscall
  x86: fix function types in COND_SYSCALL

 arch/x86/entry/syscall_32.c            |  8 +--
 arch/x86/entry/syscall_64.c            | 14 +++--
 arch/x86/entry/syscalls/syscall_32.tbl |  8 +--
 arch/x86/ia32/ia32_signal.c            |  5 +-
 arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
 5 files changed, 78 insertions(+), 33 deletions(-)

--
2.23.0.351.gc4317032e6-goog
* [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen @ 2019-09-18 22:46 ` Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen ` (3 subsequent siblings) 4 siblings, 0 replies; 35+ messages in thread From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Although a syscall defined using SYSCALL_DEFINE0 doesn't accept parameters, use the correct function type to avoid type mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> --- arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e046a405743d..90eb70df0b18 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -48,12 +48,13 @@ * To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias * named __ia32_sys_*() */ -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ - asmlinkage long __x64_sys_##sname(void) + +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #define COND_SYSCALL(name) \ cond_syscall(__x64_sys_##name); \ 
@@ -181,11 +182,11 @@ * macros to work correctly. */ #ifndef SYSCALL_DEFINE0 -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - asmlinkage long __x64_sys_##sname(void) +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #endif #ifndef COND_SYSCALL -- 2.23.0.351.gc4317032e6-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
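Review bot: Neither hunk documents why a syscall with no arguments now takes `const struct pt_regs *__unused`; the comment above the first definition still describes only the `__ia32_sys_*()` alias. A sentence there stating that the prototype has to match sys_call_ptr_t, the type named in the cover letter, would keep a later cleanup from turning it back into `(void)`.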
* [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen @ 2019-09-18 22:46 ` Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen ` (2 subsequent siblings) 4 siblings, 0 replies; 35+ messages in thread From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen From: Andy Lutomirski <luto@kernel.org> x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can use it for rt_sigreturn. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 32 ++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 90eb70df0b18..3dab04841494 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -28,13 +28,21 @@ * kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this * case as well. */ +#define __IA32_COMPAT_SYS_STUB0(x, name) \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name(); \ + } + #define __IA32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #define __IA32_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \ @@ -76,15 +84,24 @@ * of the x86-64-style parameter ordering of x32 syscalls. The syscalls common * with x86_64 obviously do not need such care. */ +#define __X32_COMPAT_SYS_STUB0(x, name, ...) \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name();\ + } + #define __X32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #else /* CONFIG_X86_X32 */ +#define __X32_COMPAT_SYS_STUB0(x, name) #define __X32_COMPAT_SYS_STUBx(x, name, ...) #endif /* CONFIG_X86_X32 */ 
@@ -95,6 +112,17 @@ * mapping of registers to parameters, we need to generate stubs for each * of them. */ +#define COMPAT_SYSCALL_DEFINE0(name) \ + static long __se_compat_sys_##name(void); \ + static inline long __do_compat_sys_##name(void); \ + __IA32_COMPAT_SYS_STUB0(x, name) \ + __X32_COMPAT_SYS_STUB0(x, name) \ + static long __se_compat_sys_##name(void) \ + { \ + return __do_compat_sys_##name(); \ + } \ + static inline long __do_compat_sys_##name(void) + #define COMPAT_SYSCALL_DEFINEx(x, name, ...) \ static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ -- 2.23.0.351.gc4317032e6-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
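Review bot: in the @@ -76,15 +84,24 @@ hunk, `__X32_COMPAT_SYS_STUB0(x, name, ...)` is declared variadic under CONFIG_X86_X32, yet its body never expands `__VA_ARGS__`, the `#else` definition is `__X32_COMPAT_SYS_STUB0(x, name)`, and `__IA32_COMPAT_SYS_STUB0(x, name)` in the first hunk takes two parameters. Drop the `...` so the three definitions agree.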
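Review bot: in the @@ -95,6 +112,17 @@ hunk, `COMPAT_SYSCALL_DEFINE0(name)` hands a bare `x` to `__IA32_COMPAT_SYS_STUB0(x, name)` and `__X32_COMPAT_SYS_STUB0(x, name)` although the macro has no `x` parameter and neither stub expands it, so the token is only there to be discarded. Removing the first parameter from the two STUB0 macros would get rid of the dangling argument; if it is kept for symmetry with the STUBx macros, a comment should say so.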
* [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen @ 2019-09-18 22:46 ` Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen 4 siblings, 0 replies; 35+ messages in thread From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn syscalls to replace sys32_sigreturn and sys32_rt_sigreturn. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- arch/x86/ia32/ia32_signal.c | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 3fe02546aed3..2de75fda1d20 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -130,7 +130,7 @@ 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo 117 i386 ipc sys_ipc __ia32_compat_sys_ipc 118 i386 fsync sys_fsync __ia32_sys_fsync -119 i386 sigreturn sys_sigreturn sys32_sigreturn +119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn 120 i386 clone sys_clone __ia32_compat_sys_x86_clone 121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname 122 i386 uname sys_newuname __ia32_sys_newuname 
@@ -184,7 +184,7 @@ 170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16 171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16 172 i386 prctl sys_prctl __ia32_sys_prctl -173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn +173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn 174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction 175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask 176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index 1cee10091b9f..30416d7f19d4 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -21,6 +21,7 @@ #include <linux/personality.h> #include <linux/compat.h> #include <linux/binfmts.h> +#include <linux/syscalls.h> #include <asm/ucontext.h> #include <linux/uaccess.h> #include <asm/fpu/internal.h> @@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, return err; } -asmlinkage long sys32_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(sigreturn) { struct pt_regs *regs = current_pt_regs(); struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); @@ -144,7 +145,7 @@ asmlinkage long sys32_sigreturn(void) return 0; } -asmlinkage long sys32_rt_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; -- 2.23.0.351.gc4317032e6-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
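Review bot: in the arch/x86/ia32/ia32_signal.c hunks, `COMPAT_SYSCALL_DEFINE0(sigreturn)` and `COMPAT_SYSCALL_DEFINE0(rt_sigreturn)` expand `__X32_COMPAT_SYS_STUB0` as well as `__IA32_COMPAT_SYS_STUB0` (see patch 2/5), so with CONFIG_X86_X32 they also emit `__x32_compat_sys_sigreturn()` and `__x32_compat_sys_rt_sigreturn()`, while the syscall_32.tbl hunks reference only the `__ia32_compat_sys_*` names. The changelog should say whether the extra x32 symbols are intended; if they are not, the macro needs a way to leave them out.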
* [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen ` (2 preceding siblings ...) 2019-09-18 22:46 ` [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen @ 2019-09-18 22:46 ` Sami Tolvanen 2019-09-18 22:46 ` [PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen 4 siblings, 0 replies; 35+ messages in thread From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use the correct function type for sys_ni_syscall in system call tables to fix indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/entry/syscall_32.c | 8 +++----- arch/x86/entry/syscall_64.c | 14 ++++++++++---- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index aa3336a7cb15..7d17b3addbbb 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c 
@@ -10,13 +10,11 @@ #ifdef CONFIG_IA32_EMULATION /* On X86_64, we use struct pt_regs * to pass parameters to syscalls */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); - -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); - +#define __sys_ni_syscall __ia32_sys_ni_syscall #else /* CONFIG_IA32_EMULATION */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); +#define __sys_ni_syscall sys_ni_syscall #endif /* CONFIG_IA32_EMULATION */ #include <asm/syscalls_32.h> @@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] = * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_compat_max] = &sys_ni_syscall, + [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall, #include <asm/syscalls_32.h> }; diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index b1bf31713374..adf619a856e8 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c @@ -4,11 +4,17 @@ #include <linux/linkage.h> #include <linux/sys.h> #include <linux/cache.h> +#include <linux/syscalls.h> #include <asm/asm-offsets.h> #include <asm/syscall.h> -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); +extern asmlinkage long sys_ni_syscall(void); + +SYSCALL_DEFINE0(ni_syscall) +{ + return sys_ni_syscall(); +} + #define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); #define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual) #include <asm/syscalls_64.h> 
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_max] = &sys_ni_syscall, + [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; @@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_x32_max] = &sys_ni_syscall, + [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 2de75fda1d20..15908eb9b17e 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -124,7 +124,7 @@ 110 i386 iopl sys_iopl __ia32_sys_iopl 111 i386 vhangup sys_vhangup __ia32_sys_vhangup 112 i386 idle -113 i386 vm86old sys_vm86old sys_ni_syscall +113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall 114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4 115 i386 swapoff sys_swapoff __ia32_sys_swapoff 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo @@ -177,7 +177,7 @@ 163 i386 mremap sys_mremap __ia32_sys_mremap 164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16 165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16 -166 i386 vm86 sys_vm86 sys_ni_syscall +166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall 167 i386 query_module 168 i386 poll sys_poll __ia32_sys_poll 169 i386 nfsservctl -- 2.23.0.351.gc4317032e6-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
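Review bot: in the arch/x86/entry/syscall_32.c hunk (@@ -10,13 +10,11 @@), the CONFIG_IA32_EMULATION branch loses its `extern` and gains only `#define __sys_ni_syscall __ia32_sys_ni_syscall`, so the declaration of the table's default entry appears to rely on the syscall_32.tbl hunks making entries 113 and 166 name `__ia32_sys_ni_syscall` and on `__SYSCALL_I386` declaring it through `<asm/syscalls_32.h>`. Add an explicit `extern asmlinkage long __ia32_sys_ni_syscall(const struct pt_regs *);` or a comment stating that dependency, and say that the definition comes from `SYSCALL_DEFINE0(ni_syscall)` in syscall_64.c.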
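Review bot: in the arch/x86/entry/syscall_64.c hunk (@@ -4,11 +4,17 @@), the removed "this is a lie" comment is replaced by `SYSCALL_DEFINE0(ni_syscall)` with nothing explaining why `sys_ni_syscall()` now needs a wrapper. A one-line comment that the wrapper exists so the default table entry has the `sys_call_ptr_t` type would stop a later cleanup from turning it back into a cast. Please also check whether the local `extern asmlinkage long sys_ni_syscall(void);` is still needed now that the same hunk adds `#include <linux/syscalls.h>`.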
* [PATCH v2 5/5] x86: fix function types in COND_SYSCALL 2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen ` (3 preceding siblings ...) 2019-09-18 22:46 ` [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen @ 2019-09-18 22:46 ` Sami Tolvanen 4 siblings, 0 replies; 35+ messages in thread From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Define a weak function in COND_SYSCALL instead of a weak alias to sys_ni_syscall, which has an incompatible type. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 3dab04841494..e2389ce9bf58 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -6,6 +6,8 @@ #ifndef _ASM_X86_SYSCALL_WRAPPER_H #define _ASM_X86_SYSCALL_WRAPPER_H +struct pt_regs; + /* Mapping of registers to parameters for syscalls on x86-64 and x32 */ #define SC_X86_64_REGS_TO_ARGS(x, ...) \ __MAP(x,__SC_ARGS \ @@ -64,9 +66,15 @@ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) -#define COND_SYSCALL(name) \ - cond_syscall(__x64_sys_##name); \ - cond_syscall(__ia32_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } \ + asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\ + { \ + return sys_ni_syscall(); \ + } #define SYS_NI(name) \ SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \ 
@@ -218,7 +226,11 @@ #endif #ifndef COND_SYSCALL -#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } #endif #ifndef SYS_NI @@ -230,7 +242,6 @@ * For VSYSCALLS, we need to declare these three syscalls with the new * pt_regs-based calling convention for in-kernel use. */ -struct pt_regs; asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs); asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs); asmlinkage long __x64_sys_time(const struct pt_regs *regs); -- 2.23.0.351.gc4317032e6-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
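Review bot: in the @@ -64,9 +66,15 @@ hunk, the new `COND_SYSCALL(name)` defines the non-static functions `__x64_sys_##name()` and `__ia32_sys_##name()` without a preceding prototype, whereas `SYSCALL_DEFINE0` from patch 1/5 declares `__x64_sys_##sname()` before defining it. Definitions without a prototype warn under -Wmissing-prototypes; add declaration lines to the macro in the same declare-then-define style.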
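Review bot: the @@ -218,7 +226,11 @@ hunk repeats the weak `__x64_sys_##name()` stub from the first `COND_SYSCALL` definition line for line. A small helper macro that emits one weak stub returning `sys_ni_syscall()`, used by both definitions, would keep the two copies from drifting apart.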
* [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
From: Sami Tolvanen @ 2019-10-08 22:40 UTC
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen

This patch set changes x86 syscall wrappers and related functions to use function types that match sys_call_ptr_t. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking.

Changes since v1:
- Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
- Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro for (rt_)sigreturn.

Andy Lutomirski (1):
  x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0

Sami Tolvanen (4):
  x86: use the correct function type in SYSCALL_DEFINE0
  x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
  x86: use the correct function type for sys_ni_syscall
  x86: fix function types in COND_SYSCALL

 arch/x86/entry/syscall_32.c            |  8 +--
 arch/x86/entry/syscall_64.c            | 14 +++--
 arch/x86/entry/syscalls/syscall_32.tbl |  8 +--
 arch/x86/ia32/ia32_signal.c            |  5 +-
 arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
 5 files changed, 78 insertions(+), 33 deletions(-)

--
2.23.0.581.g78d2f28ef7-goog
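The typing rule the cover letter above describes, as an added userspace example that is not part of the patch set or the kernel: handlers without arguments get a wrapper of the table's pointer type, and a compile-time check rejects anything that would need a cast. The reduced `pt_regs` layout, every `model_*` name, `SYSCALL_TYPE_OK` and the return values are assumptions made for illustration; the check uses the GCC/Clang builtin `__builtin_types_compatible_p`.

```c
/* Added example, not kernel code: userspace model of a typed syscall table. */
#include <errno.h>
#include <stdio.h>

/* Constructed, reduced register layout (the real struct pt_regs is larger). */
struct pt_regs { unsigned long di, si, dx, ax; };

/* Every table slot has this type. Indirect-call CFI requires the callee's
 * real type to match the pointer type used at the call site. */
typedef long (*sys_call_ptr_t)(const struct pt_regs *);

/* 1 if fn can be stored in the table without a cast, 0 otherwise. */
#define SYSCALL_TYPE_OK(fn) \
	__builtin_types_compatible_p(__typeof__(&(fn)), sys_call_ptr_t)

/* "Before" shape: implementations that take no arguments, like the old
 * sys_ni_syscall(void) and sys32_sigreturn(void) declarations. */
static long model_ni_syscall(void) { return -ENOSYS; }
static long model_getpid_impl(void) { return 4242; } /* constructed value */

/* "After" shape: wrappers with the table's type that ignore regs and
 * forward to the argument-less implementation. */
static long model_x64_sys_ni_syscall(const struct pt_regs *regs)
{
	(void)regs;
	return model_ni_syscall();
}

static long model_x64_sys_getpid(const struct pt_regs *regs)
{
	(void)regs;
	return model_getpid_impl();
}

/* A handler that does read its arguments from the register snapshot. */
static long model_x64_sys_add(const struct pt_regs *regs)
{
	return (long)(regs->di + regs->si);
}

enum { MODEL_NR_MAX = 3 };

/* No casts: every initializer already has type sys_call_ptr_t. */
static const sys_call_ptr_t model_sys_call_table[MODEL_NR_MAX + 1] = {
	&model_x64_sys_ni_syscall,	/* 0: not implemented */
	&model_x64_sys_getpid,		/* 1 */
	&model_x64_sys_add,		/* 2 */
	&model_x64_sys_ni_syscall,	/* 3: not implemented */
};

/* Build-time guards: the wrappers fit the table, the bare handler does not. */
_Static_assert(SYSCALL_TYPE_OK(model_x64_sys_ni_syscall), "wrapper must match");
_Static_assert(SYSCALL_TYPE_OK(model_x64_sys_getpid), "wrapper must match");
_Static_assert(!SYSCALL_TYPE_OK(model_ni_syscall), "void handler needs a wrapper");

static int legacy_type_matches(void)
{
	return SYSCALL_TYPE_OK(model_ni_syscall);
}

static int wrapper_type_matches(void)
{
	return SYSCALL_TYPE_OK(model_x64_sys_ni_syscall);
}

/* Bounds-checked dispatch through the typed table. */
static long model_do_syscall(unsigned int nr, const struct pt_regs *regs)
{
	if (nr > MODEL_NR_MAX)
		return -ENOSYS;
	return model_sys_call_table[nr](regs);
}

int main(void)
{
	struct pt_regs regs = { .di = 2, .si = 3 };

	printf("void handler fits table: %d\n", legacy_type_matches());
	printf("wrapper fits table:      %d\n", wrapper_type_matches());
	printf("nr 0 -> %ld\n", model_do_syscall(0, &regs));
	printf("nr 1 -> %ld\n", model_do_syscall(1, &regs));
	printf("nr 2 -> %ld\n", model_do_syscall(2, &regs));
	return 0;
}
```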
* [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen @ 2019-10-08 22:40 ` Sami Tolvanen 2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen ` (4 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Although a syscall defined using SYSCALL_DEFINE0 doesn't accept parameters, use the correct function type to avoid type mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> --- arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e046a405743d..90eb70df0b18 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -48,12 +48,13 @@ * To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias * named __ia32_sys_*() */ -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ - asmlinkage long __x64_sys_##sname(void) + +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #define COND_SYSCALL(name) \ cond_syscall(__x64_sys_##name); \ @@ -181,11 +182,11 @@ * macros to work correctly. */ #ifndef SYSCALL_DEFINE0 -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - asmlinkage long __x64_sys_##sname(void) +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #endif #ifndef COND_SYSCALL -- 2.23.0.581.g78d2f28ef7-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
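Review bot: the @@ -48,12 +48,13 @@ hunk adds an empty line between the closing `*/` of the "re-define SYSCALL_DEFINE0 to create an alias" comment and `#define SYSCALL_DEFINE0(sname)`, which detaches the comment from the macro it documents; the second hunk adds no such line. Drop the blank line, and leave a space before the continuation backslash in `__x64_sys_##sname(const struct pt_regs *__unused);\` so it lines up with the other rows.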
* [tip: x86/entry] syscalls/x86: Use the correct function type in SYSCALL_DEFINE0 2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen @ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen 0 siblings, 0 replies; 35+ messages in thread From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw) To: linux-tip-commits Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin, Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, linux-kernel The following commit has been merged into the x86/entry branch of tip: Commit-ID: 8661d769ab77c675b5eb6c3351a372b9fbc1bf40 Gitweb: https://git.kernel.org/tip/8661d769ab77c675b5eb6c3351a372b9fbc1bf40 Author: Sami Tolvanen <samitolvanen@google.com> AuthorDate: Tue, 08 Oct 2019 15:40:45 -07:00 Committer: Ingo Molnar <mingo@kernel.org> CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00 syscalls/x86: Use the correct function type in SYSCALL_DEFINE0 Although a syscall defined using SYSCALL_DEFINE0 doesn't accept parameters, use the correct function type to avoid type mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: H . Peter Anvin <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20191008224049.115427-2-samitolvanen@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e046a40..90eb70d 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -48,12 +48,13 @@ * To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias * named __ia32_sys_*() */ -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ - asmlinkage long __x64_sys_##sname(void) + +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #define COND_SYSCALL(name) \ cond_syscall(__x64_sys_##name); \ @@ -181,11 +182,11 @@ * macros to work correctly. */ #ifndef SYSCALL_DEFINE0 -#define SYSCALL_DEFINE0(sname) \ - SYSCALL_METADATA(_##sname, 0); \ - asmlinkage long __x64_sys_##sname(void); \ - ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ - asmlinkage long __x64_sys_##sname(void) +#define SYSCALL_DEFINE0(sname) \ + SYSCALL_METADATA(_##sname, 0); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\ + ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \ + asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) #endif #ifndef COND_SYSCALL ^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen @ 2019-10-08 22:40 ` Sami Tolvanen 2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: " tip-bot2 for Andy Lutomirski 2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen ` (3 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen From: Andy Lutomirski <luto@kernel.org> x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can use it for rt_sigreturn. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 32 ++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 90eb70df0b18..3dab04841494 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -28,13 +28,21 @@ * kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this * case as well. */ +#define __IA32_COMPAT_SYS_STUB0(x, name) \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name(); \ + } + #define __IA32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #define __IA32_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \ @@ -76,15 +84,24 @@ * of the x86-64-style parameter ordering of x32 syscalls. The syscalls common * with x86_64 obviously do not need such care. */ +#define __X32_COMPAT_SYS_STUB0(x, name, ...) \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name();\ + } + #define __X32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #else /* CONFIG_X86_X32 */ +#define __X32_COMPAT_SYS_STUB0(x, name) #define __X32_COMPAT_SYS_STUBx(x, name, ...) #endif /* CONFIG_X86_X32 */ 
@@ -95,6 +112,17 @@ * mapping of registers to parameters, we need to generate stubs for each * of them. */ +#define COMPAT_SYSCALL_DEFINE0(name) \ + static long __se_compat_sys_##name(void); \ + static inline long __do_compat_sys_##name(void); \ + __IA32_COMPAT_SYS_STUB0(x, name) \ + __X32_COMPAT_SYS_STUB0(x, name) \ + static long __se_compat_sys_##name(void) \ + { \ + return __do_compat_sys_##name(); \ + } \ + static inline long __do_compat_sys_##name(void) + #define COMPAT_SYSCALL_DEFINEx(x, name, ...) \ static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ -- 2.23.0.581.g78d2f28ef7-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
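Review bot: in the @@ -28,13 +28,21 @@ hunk, `__IA32_COMPAT_SYS_STUB0` pastes `__ia32_compat_sys_##name` and `__se_compat_sys_##name` with an explicit underscore, while the neighbouring `__IA32_COMPAT_SYS_STUBx` pastes `__ia32_compat_sys##name`. The difference is easy to read as a typo, so a short comment on the STUB0 macros saying that `name` is passed without a leading underscore here would help. The same comment could state that the stub deliberately drops `regs`, since the bodies in patch 3/5 fetch it again with `current_pt_regs()`.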
* [tip: x86/entry] syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0 2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen @ 2019-10-11 11:22 ` tip-bot2 for Andy Lutomirski 0 siblings, 0 replies; 35+ messages in thread From: tip-bot2 for Andy Lutomirski @ 2019-10-11 11:22 UTC (permalink / raw) To: linux-tip-commits Cc: Andy Lutomirski, Sami Tolvanen, Borislav Petkov, H . Peter Anvin, Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, linux-kernel The following commit has been merged into the x86/entry branch of tip: Commit-ID: cf3b83e19d7c928e05a5d193c375463182c6029a Gitweb: https://git.kernel.org/tip/cf3b83e19d7c928e05a5d193c375463182c6029a Author: Andy Lutomirski <luto@kernel.org> AuthorDate: Tue, 08 Oct 2019 15:40:46 -07:00 Committer: Ingo Molnar <mingo@kernel.org> CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00 syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0 x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can use it for rt_sigreturn. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Cc: Borislav Petkov <bp@alien8.de> Cc: H . Peter Anvin <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20191008224049.115427-3-samitolvanen@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/include/asm/syscall_wrapper.h | 32 +++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 90eb70d..3dab048 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -28,13 +28,21 @@ * kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this * case as well. */ +#define __IA32_COMPAT_SYS_STUB0(x, name) \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \ + asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name(); \ + } + #define __IA32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #define __IA32_SYS_STUBx(x, name, ...) \ asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \ @@ -76,15 +84,24 @@ * of the x86-64-style parameter ordering of x32 syscalls. The syscalls common * with x86_64 obviously do not need such care. */ +#define __X32_COMPAT_SYS_STUB0(x, name, ...) \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\ + ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \ + asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\ + { \ + return __se_compat_sys_##name();\ + } + #define __X32_COMPAT_SYS_STUBx(x, name, ...) \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\ ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\ { \ return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\ - } \ + } #else /* CONFIG_X86_X32 */ +#define __X32_COMPAT_SYS_STUB0(x, name) #define __X32_COMPAT_SYS_STUBx(x, name, ...) #endif /* CONFIG_X86_X32 */ 
@@ -95,6 +112,17 @@ * mapping of registers to parameters, we need to generate stubs for each * of them. */ +#define COMPAT_SYSCALL_DEFINE0(name) \ + static long __se_compat_sys_##name(void); \ + static inline long __do_compat_sys_##name(void); \ + __IA32_COMPAT_SYS_STUB0(x, name) \ + __X32_COMPAT_SYS_STUB0(x, name) \ + static long __se_compat_sys_##name(void) \ + { \ + return __do_compat_sys_##name(); \ + } \ + static inline long __do_compat_sys_##name(void) + #define COMPAT_SYSCALL_DEFINEx(x, name, ...) \ static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ ^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen @ 2019-10-08 22:40 ` Sami Tolvanen 2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen ` (2 subsequent siblings) 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn syscalls to replace sys32_sigreturn and sys32_rt_sigreturn. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- arch/x86/ia32/ia32_signal.c | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 3fe02546aed3..2de75fda1d20 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -130,7 +130,7 @@ 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo 117 i386 ipc sys_ipc __ia32_compat_sys_ipc 118 i386 fsync sys_fsync __ia32_sys_fsync -119 i386 sigreturn sys_sigreturn sys32_sigreturn +119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn 120 i386 clone sys_clone __ia32_compat_sys_x86_clone 121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname 122 i386 uname sys_newuname __ia32_sys_newuname 
@@ -184,7 +184,7 @@ 170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16 171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16 172 i386 prctl sys_prctl __ia32_sys_prctl -173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn +173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn 174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction 175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask 176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index 1cee10091b9f..30416d7f19d4 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -21,6 +21,7 @@ #include <linux/personality.h> #include <linux/compat.h> #include <linux/binfmts.h> +#include <linux/syscalls.h> #include <asm/ucontext.h> #include <linux/uaccess.h> #include <asm/fpu/internal.h> @@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, return err; } -asmlinkage long sys32_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(sigreturn) { struct pt_regs *regs = current_pt_regs(); struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); @@ -144,7 +145,7 @@ asmlinkage long sys32_sigreturn(void) return 0; } -asmlinkage long sys32_rt_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; -- 2.23.0.581.g78d2f28ef7-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
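Review bot: the diffstat touches only syscall_32.tbl and ia32_signal.c, but the ia32_signal.c hunks remove the definitions of `sys32_sigreturn()` and `sys32_rt_sigreturn()`. If either function is still declared in a header, that prototype is now stale and should be removed in this patch; please confirm with a grep and mention the result in the changelog.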
* [tip: x86/entry] syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn 2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen @ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen 0 siblings, 0 replies; 35+ messages in thread From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw) To: linux-tip-commits Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin, Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, linux-kernel The following commit has been merged into the x86/entry branch of tip: Commit-ID: 00198a6eaf66609de5e4de9163bb42c7ca9dd7b7 Gitweb: https://git.kernel.org/tip/00198a6eaf66609de5e4de9163bb42c7ca9dd7b7 Author: Sami Tolvanen <samitolvanen@google.com> AuthorDate: Tue, 08 Oct 2019 15:40:47 -07:00 Committer: Ingo Molnar <mingo@kernel.org> CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00 syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn() syscalls to replace sys32_sigreturn() and sys32_rt_sigreturn(). This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: H . Peter Anvin <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20191008224049.115427-4-samitolvanen@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- arch/x86/ia32/ia32_signal.c | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 3fe0254..2de75fd 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl 
+++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -130,7 +130,7 @@ 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo 117 i386 ipc sys_ipc __ia32_compat_sys_ipc 118 i386 fsync sys_fsync __ia32_sys_fsync -119 i386 sigreturn sys_sigreturn sys32_sigreturn +119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn 120 i386 clone sys_clone __ia32_compat_sys_x86_clone 121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname 122 i386 uname sys_newuname __ia32_sys_newuname @@ -184,7 +184,7 @@ 170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16 171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16 172 i386 prctl sys_prctl __ia32_sys_prctl -173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn +173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn 174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction 175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask 176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index 1cee100..30416d7 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -21,6 +21,7 @@ #include <linux/personality.h> #include <linux/compat.h> #include <linux/binfmts.h> +#include <linux/syscalls.h> #include <asm/ucontext.h> #include <linux/uaccess.h> #include <asm/fpu/internal.h> @@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, return err; } -asmlinkage long sys32_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(sigreturn) { struct pt_regs *regs = current_pt_regs(); struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); @@ -144,7 +145,7 @@ badframe: return 0; } -asmlinkage long sys32_rt_sigreturn(void) +COMPAT_SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; ^ permalink raw reply related [flat|nested] 35+ messages in thread
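Review bot: The diffstat covers only syscall_32.tbl and ia32_signal.c, yet the change retires the names sys32_sigreturn() and sys32_rt_sigreturn() (table entries 119 and 173 plus both definitions). If either name is still declared in a header, that prototype is now stale and should be dropped in the same commit. A grep for `sys32_sigreturn` and `sys32_rt_sigreturn` across arch/x86 before merging would confirm that nothing else references them.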
* [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen ` (2 preceding siblings ...) 2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen @ 2019-10-08 22:40 ` Sami Tolvanen 2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen 2019-10-08 22:40 ` [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen 2019-10-10 18:17 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Andy Lutomirski 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Use the correct function type for sys_ni_syscall in system call tables to fix indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/entry/syscall_32.c | 8 +++----- arch/x86/entry/syscall_64.c | 14 ++++++++++---- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index aa3336a7cb15..7d17b3addbbb 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c 
@@ -10,13 +10,11 @@ #ifdef CONFIG_IA32_EMULATION /* On X86_64, we use struct pt_regs * to pass parameters to syscalls */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); - -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); - +#define __sys_ni_syscall __ia32_sys_ni_syscall #else /* CONFIG_IA32_EMULATION */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); +#define __sys_ni_syscall sys_ni_syscall #endif /* CONFIG_IA32_EMULATION */ #include <asm/syscalls_32.h> @@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] = * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_compat_max] = &sys_ni_syscall, + [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall, #include <asm/syscalls_32.h> }; diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index b1bf31713374..adf619a856e8 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c @@ -4,11 +4,17 @@ #include <linux/linkage.h> #include <linux/sys.h> #include <linux/cache.h> +#include <linux/syscalls.h> #include <asm/asm-offsets.h> #include <asm/syscall.h> -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); +extern asmlinkage long sys_ni_syscall(void); + +SYSCALL_DEFINE0(ni_syscall) +{ + return sys_ni_syscall(); +} + #define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); #define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual) #include <asm/syscalls_64.h> 
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_max] = &sys_ni_syscall, + [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; @@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_x32_max] = &sys_ni_syscall, + [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 2de75fda1d20..15908eb9b17e 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -124,7 +124,7 @@ 110 i386 iopl sys_iopl __ia32_sys_iopl 111 i386 vhangup sys_vhangup __ia32_sys_vhangup 112 i386 idle -113 i386 vm86old sys_vm86old sys_ni_syscall +113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall 114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4 115 i386 swapoff sys_swapoff __ia32_sys_swapoff 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo @@ -177,7 +177,7 @@ 163 i386 mremap sys_mremap __ia32_sys_mremap 164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16 165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16 -166 i386 vm86 sys_vm86 sys_ni_syscall +166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall 167 i386 query_module 168 i386 poll sys_poll __ia32_sys_poll 169 i386 nfsservctl -- 2.23.0.581.g78d2f28ef7-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
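Review bot: In arch/x86/entry/syscall_64.c the new `extern asmlinkage long sys_ni_syscall(void);` sits directly below the newly added `#include <linux/syscalls.h>`. If that header already declares sys_ni_syscall(), the local extern is redundant and can go; if it does not, the header is the better home for the prototype than a .c file. Separately, in syscall_32.c the removed "this is a lie" comment is replaced by two bare `#define __sys_ni_syscall ...` lines; a short comment saying that the macro selects the stub whose type matches sys_call_ptr_t in each configuration would document why the indirection exists.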
* [tip: x86/entry] syscalls/x86: Use the correct function type for sys_ni_syscall 2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen @ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen 0 siblings, 0 replies; 35+ messages in thread From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw) To: linux-tip-commits Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin, Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, linux-kernel The following commit has been merged into the x86/entry branch of tip: Commit-ID: f48f01a92cca09e86d46c91d8edf9d5a71c61727 Gitweb: https://git.kernel.org/tip/f48f01a92cca09e86d46c91d8edf9d5a71c61727 Author: Sami Tolvanen <samitolvanen@google.com> AuthorDate: Tue, 08 Oct 2019 15:40:48 -07:00 Committer: Ingo Molnar <mingo@kernel.org> CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00 syscalls/x86: Use the correct function type for sys_ni_syscall Use the correct function type for sys_ni_syscall() in system call tables to fix indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: H . Peter Anvin <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20191008224049.115427-5-samitolvanen@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/entry/syscall_32.c | 8 +++----- arch/x86/entry/syscall_64.c | 14 ++++++++++---- arch/x86/entry/syscalls/syscall_32.tbl | 4 ++-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index aa3336a..7d17b3a 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c 
@@ -10,13 +10,11 @@ #ifdef CONFIG_IA32_EMULATION /* On X86_64, we use struct pt_regs * to pass parameters to syscalls */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); - -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); - +#define __sys_ni_syscall __ia32_sys_ni_syscall #else /* CONFIG_IA32_EMULATION */ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); +#define __sys_ni_syscall sys_ni_syscall #endif /* CONFIG_IA32_EMULATION */ #include <asm/syscalls_32.h> @@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] = * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_compat_max] = &sys_ni_syscall, + [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall, #include <asm/syscalls_32.h> }; diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index b1bf317..adf619a 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c @@ -4,11 +4,17 @@ #include <linux/linkage.h> #include <linux/sys.h> #include <linux/cache.h> +#include <linux/syscalls.h> #include <asm/asm-offsets.h> #include <asm/syscall.h> -/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */ -extern asmlinkage long sys_ni_syscall(const struct pt_regs *); +extern asmlinkage long sys_ni_syscall(void); + +SYSCALL_DEFINE0(ni_syscall) +{ + return sys_ni_syscall(); +} + #define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *); #define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual) #include <asm/syscalls_64.h> 
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_max] = &sys_ni_syscall, + [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; @@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = { * Smells like a compiler bug -- it doesn't work * when the & below is removed. */ - [0 ... __NR_syscall_x32_max] = &sys_ni_syscall, + [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall, #include <asm/syscalls_64.h> }; diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 2de75fd..15908eb 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -124,7 +124,7 @@ 110 i386 iopl sys_iopl __ia32_sys_iopl 111 i386 vhangup sys_vhangup __ia32_sys_vhangup 112 i386 idle -113 i386 vm86old sys_vm86old sys_ni_syscall +113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall 114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4 115 i386 swapoff sys_swapoff __ia32_sys_swapoff 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo @@ -177,7 +177,7 @@ 163 i386 mremap sys_mremap __ia32_sys_mremap 164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16 165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16 -166 i386 vm86 sys_vm86 sys_ni_syscall +166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall 167 i386 query_module 168 i386 poll sys_poll __ia32_sys_poll 169 i386 nfsservctl ^ permalink raw reply related [flat|nested] 35+ messages in thread
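Review bot: In the `#else /* CONFIG_IA32_EMULATION */` branch of syscall_32.c, sys_ni_syscall() stays declared with six `unsigned long` parameters, while syscall_64.c in the same patch declares it as `sys_ni_syscall(void)`. On native 32-bit the table default `&__sys_ni_syscall` therefore still points at a function declared with a type that is not its real one, which is the situation the removed "this is a lie" comment described. Either state in the commit message that the fix covers x86-64 and IA32 emulation only, or give the 32-bit branch a correctly typed stub as well.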
* [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL 2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen ` (3 preceding siblings ...) 2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen @ 2019-10-08 22:40 ` Sami Tolvanen 2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Fix " tip-bot2 for Sami Tolvanen 2019-10-10 18:17 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Andy Lutomirski 5 siblings, 1 reply; 35+ messages in thread From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw) To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook Cc: x86, linux-kernel, Sami Tolvanen Define a weak function in COND_SYSCALL instead of a weak alias to sys_ni_syscall, which has an incompatible type. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 3dab04841494..e2389ce9bf58 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -6,6 +6,8 @@ #ifndef _ASM_X86_SYSCALL_WRAPPER_H #define _ASM_X86_SYSCALL_WRAPPER_H +struct pt_regs; + /* Mapping of registers to parameters for syscalls on x86-64 and x32 */ #define SC_X86_64_REGS_TO_ARGS(x, ...) \ __MAP(x,__SC_ARGS \ 
@@ -64,9 +66,15 @@ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) -#define COND_SYSCALL(name) \ - cond_syscall(__x64_sys_##name); \ - cond_syscall(__ia32_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } \ + asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\ + { \ + return sys_ni_syscall(); \ + } #define SYS_NI(name) \ SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \ @@ -218,7 +226,11 @@ #endif #ifndef COND_SYSCALL -#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } #endif #ifndef SYS_NI @@ -230,7 +242,6 @@ * For VSYSCALLS, we need to declare these three syscalls with the new * pt_regs-based calling convention for in-kernel use. */ -struct pt_regs; asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs); asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs); asmlinkage long __x64_sys_time(const struct pt_regs *regs); -- 2.23.0.581.g78d2f28ef7-goog ^ permalink raw reply related [flat|nested] 35+ messages in thread
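Review bot: The new COND_SYSCALL() bodies call `sys_ni_syscall()`, but nothing in the visible hunks of syscall_wrapper.h declares it; the only declaration added here is the `struct pt_regs;` forward declaration. Every file that expands COND_SYSCALL() must therefore already have a prototype in scope, otherwise the call becomes an implicit declaration. Either declare sys_ni_syscall() next to `struct pt_regs;` or add a comment naming the header that expansion sites are expected to include.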
* [tip: x86/entry] syscalls/x86: Fix function types in COND_SYSCALL 2019-10-08 22:40 ` [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen @ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen 0 siblings, 0 replies; 35+ messages in thread From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw) To: linux-tip-commits Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin, Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, linux-kernel The following commit has been merged into the x86/entry branch of tip: Commit-ID: 6e4847640c6aebcaa2d9b3686cecc91b41f09269 Gitweb: https://git.kernel.org/tip/6e4847640c6aebcaa2d9b3686cecc91b41f09269 Author: Sami Tolvanen <samitolvanen@google.com> AuthorDate: Tue, 08 Oct 2019 15:40:49 -07:00 Committer: Ingo Molnar <mingo@kernel.org> CommitterDate: Fri, 11 Oct 2019 12:49:19 +02:00 syscalls/x86: Fix function types in COND_SYSCALL Define a weak function in COND_SYSCALL instead of a weak alias to sys_ni_syscall(), which has an incompatible type. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: H . Peter Anvin <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20191008224049.115427-6-samitolvanen@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> --- arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index 3dab048..e2389ce 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -6,6 +6,8 @@ #ifndef _ASM_X86_SYSCALL_WRAPPER_H #define _ASM_X86_SYSCALL_WRAPPER_H +struct pt_regs; + /* Mapping of registers to parameters for syscalls on x86-64 and x32 */ #define SC_X86_64_REGS_TO_ARGS(x, ...) \ __MAP(x,__SC_ARGS \ @@ -64,9 +66,15 @@ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused) -#define COND_SYSCALL(name) \ - cond_syscall(__x64_sys_##name); \ - cond_syscall(__ia32_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } \ + asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\ + { \ + return sys_ni_syscall(); \ + } #define SYS_NI(name) \ SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \ @@ -218,7 +226,11 @@ #endif #ifndef COND_SYSCALL -#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name) +#define COND_SYSCALL(name) \ + asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \ + { \ + return sys_ni_syscall(); \ + } #endif #ifndef SYS_NI @@ -230,7 +242,6 @@ * For VSYSCALLS, we need to declare these three syscalls with the new * pt_regs-based calling convention for in-kernel use. */ -struct pt_regs; asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs); asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs); asmlinkage long __x64_sys_time(const struct pt_regs *regs); ^ permalink raw reply related [flat|nested] 35+ messages in thread
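Review bot: The same stub body is now written out three times: twice in the first COND_SYSCALL() (for `__x64_sys_##name` and `__ia32_sys_##name`) and once more in the `#ifndef COND_SYSCALL` fallback. A single helper macro that takes the symbol prefix and emits one weak stub would keep the copies from drifting apart. Also, the old definition ended in `cond_syscall(__ia32_sys_##name)` with no semicolon, which suggests call sites supply the `;`; after this change that leaves an empty declaration following a function definition, which is harmless but worth a note in the commit message in case these files are ever built with pedantic warnings.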
* Re: [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
From: Andy Lutomirski @ 2019-10-10 18:17 UTC
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

On Tue, Oct 8, 2019 at 3:41 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> This patch set changes x86 syscall wrappers and related functions to
> use function types that match sys_call_ptr_t. This fixes indirect call
> mismatches with Control-Flow Integrity (CFI) checking.

tglx, I'm pretty happy with this series. Do you need anything else
from me or do you want to just pick it up in -tip?

--Andy

>
> Changes since v1:
> - Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
> - Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro
>   for (rt_)sigreturn.
>
> Andy Lutomirski (1):
>   x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
>
> Sami Tolvanen (4):
>   x86: use the correct function type in SYSCALL_DEFINE0
>   x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
>   x86: use the correct function type for sys_ni_syscall
>   x86: fix function types in COND_SYSCALL
>
>  arch/x86/entry/syscall_32.c            |  8 +--
>  arch/x86/entry/syscall_64.c            | 14 +++--
>  arch/x86/entry/syscalls/syscall_32.tbl |  8 +--
>  arch/x86/ia32/ia32_signal.c            |  5 +-
>  arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
>  5 files changed, 78 insertions(+), 33 deletions(-)
>
> --
> 2.23.0.581.g78d2f28ef7-goog
>

* Re: [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
From: Ingo Molnar @ 2019-10-11 10:50 UTC
To: Andy Lutomirski
Cc: Sami Tolvanen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML

* Andy Lutomirski <luto@kernel.org> wrote:

> On Tue, Oct 8, 2019 at 3:41 PM Sami Tolvanen <samitolvanen@google.com> wrote:
> >
> > This patch set changes x86 syscall wrappers and related functions to
> > use function types that match sys_call_ptr_t. This fixes indirect call
> > mismatches with Control-Flow Integrity (CFI) checking.
>
> tglx, I'm pretty happy with this series. Do you need anything else
> from me or do you want to just pick it up in -tip?

Thomas is on vacation - I've picked up the series, it looks good!

I've added your Acked-by to the #3,#4,#5 patches as well.

Thanks,

	Ingo