From: Kees Cook <keescook@chromium.org>
To: Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc: x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-mm@kvack.org, linux-arch@vger.kernel.org,
linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
Dave Martin <Dave.Martin@arm.com>,
x86-patch-review@intel.com
Subject: Re: [RFC PATCH v9 04/27] x86/cet: Add control-protection fault handler
Date: Tue, 25 Feb 2020 12:06:08 -0800 [thread overview]
Message-ID: <202002251205.E2BA56A2B9@keescook> (raw)
In-Reply-To: <20200205181935.3712-5-yu-cheng.yu@intel.com>
On Wed, Feb 05, 2020 at 10:19:12AM -0800, Yu-cheng Yu wrote:
> A control-protection fault is triggered when a control-flow transfer
> attempt violates Shadow Stack or Indirect Branch Tracking constraints.
> For example, the return address for a RET instruction differs from the copy
> on the Shadow Stack; or an indirect JMP instruction, without the NOTRACK
> prefix, arrives at a non-ENDBR opcode.
>
> The control-protection fault handler works in a similar way as the general
> protection fault handler. It provides the si_code SEGV_CPERR to the signal
> handler.
>
> v9:
> - Add Shadow Stack pointer to the fault printout.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
> arch/x86/entry/entry_64.S | 2 +-
> arch/x86/include/asm/traps.h | 3 ++
> arch/x86/kernel/idt.c | 4 ++
> arch/x86/kernel/signal_compat.c | 2 +-
> arch/x86/kernel/traps.c | 59 ++++++++++++++++++++++++++++++
> include/uapi/asm-generic/siginfo.h | 3 +-
> 6 files changed, 70 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
> index 76942cbd95a1..6ca77312d008 100644
> --- a/arch/x86/entry/entry_64.S
> +++ b/arch/x86/entry/entry_64.S
> @@ -1034,7 +1034,7 @@ idtentry spurious_interrupt_bug do_spurious_interrupt_bug has_error_code=0
> idtentry coprocessor_error do_coprocessor_error has_error_code=0
> idtentry alignment_check do_alignment_check has_error_code=1
> idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0
> -
> +idtentry control_protection do_control_protection has_error_code=1
>
> /*
> * Reload gs selector with exception handling
> diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
> index ffa0dc8a535e..7ac26bbd0bef 100644
> --- a/arch/x86/include/asm/traps.h
> +++ b/arch/x86/include/asm/traps.h
> @@ -26,6 +26,7 @@ asmlinkage void invalid_TSS(void);
> asmlinkage void segment_not_present(void);
> asmlinkage void stack_segment(void);
> asmlinkage void general_protection(void);
> +asmlinkage void control_protection(void);
> asmlinkage void page_fault(void);
> asmlinkage void async_page_fault(void);
> asmlinkage void spurious_interrupt_bug(void);
> @@ -84,6 +85,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s);
> void __init trap_init(void);
> #endif
> dotraplinkage void do_general_protection(struct pt_regs *regs, long error_code);
> +dotraplinkage void do_control_protection(struct pt_regs *regs, long error_code);
> dotraplinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
> dotraplinkage void do_spurious_interrupt_bug(struct pt_regs *regs, long error_code);
> dotraplinkage void do_coprocessor_error(struct pt_regs *regs, long error_code);
> @@ -154,6 +156,7 @@ enum {
> X86_TRAP_AC, /* 17, Alignment Check */
> X86_TRAP_MC, /* 18, Machine Check */
> X86_TRAP_XF, /* 19, SIMD Floating-Point Exception */
> + X86_TRAP_CP = 21, /* 21 Control Protection Fault */
> X86_TRAP_IRET = 32, /* 32, IRET Exception */
> };
>
> diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c
> index 87ef69a72c52..8ed406f469e7 100644
> --- a/arch/x86/kernel/idt.c
> +++ b/arch/x86/kernel/idt.c
> @@ -102,6 +102,10 @@ static const __initconst struct idt_data def_idts[] = {
> #elif defined(CONFIG_X86_32)
> SYSG(IA32_SYSCALL_VECTOR, entry_INT80_32),
> #endif
> +
> +#ifdef CONFIG_X86_64
> + INTG(X86_TRAP_CP, control_protection),
> +#endif
> };
>
> /*
> diff --git a/arch/x86/kernel/signal_compat.c b/arch/x86/kernel/signal_compat.c
> index 9ccbf0576cd0..c572a3de1037 100644
> --- a/arch/x86/kernel/signal_compat.c
> +++ b/arch/x86/kernel/signal_compat.c
> @@ -27,7 +27,7 @@ static inline void signal_compat_build_tests(void)
> */
> BUILD_BUG_ON(NSIGILL != 11);
> BUILD_BUG_ON(NSIGFPE != 15);
> - BUILD_BUG_ON(NSIGSEGV != 7);
> + BUILD_BUG_ON(NSIGSEGV != 8);
> BUILD_BUG_ON(NSIGBUS != 5);
> BUILD_BUG_ON(NSIGTRAP != 5);
> BUILD_BUG_ON(NSIGCHLD != 6);
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index 05da6b5b167b..99c83ee522ed 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -570,6 +570,65 @@ do_general_protection(struct pt_regs *regs, long error_code)
> }
> NOKPROBE_SYMBOL(do_general_protection);
>
> +static const char * const control_protection_err[] = {
> + "unknown",
> + "near-ret",
> + "far-ret/iret",
> + "endbranch",
> + "rstorssp",
> + "setssbsy",
> +};
> +
> +/*
> + * When a control protection exception occurs, send a signal
> + * to the responsible application. Currently, control
> + * protection is only enabled for the user mode. This
> + * exception should not come from the kernel mode.
> + */
> +dotraplinkage void
> +do_control_protection(struct pt_regs *regs, long error_code)
> +{
> + struct task_struct *tsk;
> +
> + RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU");
> + if (notify_die(DIE_TRAP, "control protection fault", regs,
> + error_code, X86_TRAP_CP, SIGSEGV) == NOTIFY_STOP)
> + return;
> + cond_local_irq_enable(regs);
> +
> + if (!user_mode(regs))
> + die("kernel control protection fault", regs, error_code);
> +
> + if (!static_cpu_has(X86_FEATURE_SHSTK) &&
> + !static_cpu_has(X86_FEATURE_IBT))
> + WARN_ONCE(1, "CET is disabled but got control protection fault\n");
> +
> + tsk = current;
> + tsk->thread.error_code = error_code;
> + tsk->thread.trap_nr = X86_TRAP_CP;
> +
> + if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
> + printk_ratelimit()) {
> + unsigned int max_err;
> + unsigned long ssp;
> +
> + max_err = ARRAY_SIZE(control_protection_err) - 1;
> + if ((error_code < 0) || (error_code > max_err))
> + error_code = 0;
> + rdmsrl(MSR_IA32_PL3_SSP, ssp);
> + pr_info("%s[%d] control protection ip:%lx sp:%lx ssp:%lx error:%lx(%s)",
> + tsk->comm, task_pid_nr(tsk),
> + regs->ip, regs->sp, ssp, error_code,
> + control_protection_err[error_code]);
> + print_vma_addr(KERN_CONT " in ", regs->ip);
> + pr_cont("\n");
> + }
> +
> + force_sig_fault(SIGSEGV, SEGV_CPERR,
> + (void __user *)uprobe_get_trap_addr(regs));
> +}
> +NOKPROBE_SYMBOL(do_control_protection);
> +
> dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
> {
> #ifdef CONFIG_DYNAMIC_FTRACE
> diff --git a/include/uapi/asm-generic/siginfo.h b/include/uapi/asm-generic/siginfo.h
> index cb3d6c267181..693071dbe641 100644
> --- a/include/uapi/asm-generic/siginfo.h
> +++ b/include/uapi/asm-generic/siginfo.h
> @@ -229,7 +229,8 @@ typedef struct siginfo {
> #define SEGV_ACCADI 5 /* ADI not enabled for mapped object */
> #define SEGV_ADIDERR 6 /* Disrupting MCD error */
> #define SEGV_ADIPERR 7 /* Precise MCD exception */
> -#define NSIGSEGV 7
> +#define SEGV_CPERR 8
> +#define NSIGSEGV 8
>
> /*
> * SIGBUS si_codes
> --
> 2.21.0
>
--
Kees Cook
next prev parent reply other threads:[~2020-02-25 20:06 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-05 18:19 [RFC PATCH v9 00/27] Control-flow Enforcement: Shadow Stack Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 01/27] Documentation/x86: Add CET description Yu-cheng Yu
2020-02-06 0:16 ` Randy Dunlap
[not found] ` <af5ee976-3b57-4afe-6304-fcab8de45c77-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2020-02-06 20:17 ` Yu-cheng Yu
2020-02-25 20:02 ` Kees Cook
2020-02-28 15:55 ` Yu-cheng Yu
2020-02-26 17:57 ` Dave Hansen
2020-03-09 17:00 ` Yu-cheng Yu
2020-03-09 17:21 ` Dave Hansen
2020-03-09 19:27 ` Yu-cheng Yu
2020-03-09 19:35 ` Dave Hansen
2020-03-09 19:50 ` H.J. Lu
2020-03-09 20:16 ` Andy Lutomirski
2020-03-09 20:54 ` H.J. Lu
2020-03-09 20:59 ` Dave Hansen
2020-03-09 21:12 ` H.J. Lu
2020-03-09 22:02 ` Andy Lutomirski
2020-03-09 22:19 ` Dave Hansen
2020-03-09 23:11 ` H.J. Lu
2020-03-09 23:20 ` Dave Hansen
2020-03-09 23:51 ` H.J. Lu
2020-03-09 23:59 ` Andy Lutomirski
2020-03-10 0:08 ` H.J. Lu
2020-03-10 1:21 ` Andy Lutomirski
2020-03-10 2:13 ` H.J. Lu
2020-02-05 18:19 ` [RFC PATCH v9 03/27] x86/fpu/xstate: Introduce CET MSR XSAVES supervisor states Yu-cheng Yu
2020-02-25 20:04 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 04/27] x86/cet: Add control-protection fault handler Yu-cheng Yu
2020-02-25 20:06 ` Kees Cook [this message]
2020-02-26 17:10 ` Dave Hansen
2020-03-05 20:44 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 06/27] mm: Introduce VM_SHSTK for Shadow Stack memory Yu-cheng Yu
2020-02-25 20:07 ` Kees Cook
2020-02-26 18:07 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 07/27] Add guard pages around a Shadow Stack Yu-cheng Yu
2020-02-25 20:11 ` Kees Cook
2020-02-26 18:17 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 08/27] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW Yu-cheng Yu
2020-02-25 20:12 ` Kees Cook
2020-02-26 18:20 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 10/27] x86/mm: Update pte_modify, pmd_modify, and _PAGE_CHG_MASK for _PAGE_DIRTY_SW Yu-cheng Yu
2020-02-26 22:02 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 11/27] drm/i915/gvt: Change _PAGE_DIRTY to _PAGE_DIRTY_BITS Yu-cheng Yu
2020-02-25 20:13 ` Kees Cook
2020-02-26 22:04 ` Dave Hansen
2020-04-03 15:42 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 13/27] x86/mm: Shadow Stack page fault error checking Yu-cheng Yu
2020-02-25 20:16 ` Kees Cook
2020-02-26 22:47 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 14/27] mm: Handle Shadow Stack page fault Yu-cheng Yu
2020-02-25 20:20 ` Kees Cook
2020-03-05 18:30 ` Yu-cheng Yu
2020-02-27 0:08 ` Dave Hansen
2020-04-07 18:14 ` Yu-cheng Yu
2020-04-07 22:21 ` Dave Hansen
2020-04-08 18:18 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 15/27] mm: Handle THP/HugeTLB " Yu-cheng Yu
2020-02-25 20:59 ` Kees Cook
2020-03-13 22:00 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 16/27] mm: Update can_follow_write_pte() for Shadow Stack Yu-cheng Yu
2020-02-27 0:34 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 17/27] x86/cet/shstk: User-mode Shadow Stack support Yu-cheng Yu
2020-02-25 21:07 ` Kees Cook
2020-02-27 0:55 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 18/27] x86/cet/shstk: Introduce WRUSS instruction Yu-cheng Yu
2020-02-25 21:10 ` Kees Cook
2020-03-05 18:39 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 19/27] x86/cet/shstk: Handle signals for Shadow Stack Yu-cheng Yu
2020-02-25 21:17 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 20/27] ELF: UAPI and Kconfig additions for ELF program properties Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 22/27] ELF: Add ELF program property parsing support Yu-cheng Yu
2020-02-25 21:20 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 23/27] ELF: Introduce arch_setup_elf_property() Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 24/27] x86/cet/shstk: ELF header parsing for Shadow Stack Yu-cheng Yu
2020-02-25 21:22 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 25/27] x86/cet/shstk: Handle thread " Yu-cheng Yu
2020-02-25 21:29 ` Kees Cook
2020-03-25 21:51 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 26/27] mm/mmap: Add Shadow Stack pages to memory accounting Yu-cheng Yu
[not found] ` <20200205181935.3712-1-yu-cheng.yu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2020-02-05 18:19 ` [RFC PATCH v9 02/27] x86/cpufeatures: Add CET CPU feature flags for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2020-02-25 20:02 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection Yu-cheng Yu
2020-02-25 20:07 ` Kees Cook
2020-02-26 17:03 ` Dave Hansen
2020-02-26 19:57 ` Pavel Machek
2020-03-05 20:38 ` Yu-cheng Yu
2020-02-26 18:05 ` Dave Hansen
2020-02-27 1:02 ` H.J. Lu
2020-02-27 1:16 ` Dave Hansen
2020-02-27 2:11 ` H.J. Lu
2020-02-27 3:57 ` Andy Lutomirski
2020-02-27 18:03 ` Dave Hansen
2020-03-06 18:37 ` Yu-cheng Yu
2020-03-06 19:02 ` Dave Hansen
2020-03-06 21:16 ` Yu-cheng Yu
2020-02-05 18:19 ` [RFC PATCH v9 09/27] x86/mm: Introduce _PAGE_DIRTY_SW Yu-cheng Yu
2020-02-25 20:12 ` Kees Cook
2020-02-26 21:35 ` Dave Hansen
2020-04-01 19:08 ` Yu-cheng Yu
2020-04-01 19:22 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 12/27] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW Yu-cheng Yu
2020-02-25 20:14 ` Kees Cook
2020-02-26 22:20 ` Dave Hansen
2020-02-05 18:19 ` [RFC PATCH v9 21/27] binfmt_elf: Define GNU_PROPERTY_X86_FEATURE_1_AND Yu-cheng Yu
2020-02-25 21:18 ` Kees Cook
2020-02-05 18:19 ` [RFC PATCH v9 27/27] x86/cet/shstk: Add arch_prctl functions for Shadow Stack Yu-cheng Yu
2020-02-25 21:31 ` [RFC PATCH v9 00/27] Control-flow Enforcement: " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202002251205.E2BA56A2B9@keescook \
--to=keescook@chromium.org \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=esyr@redhat.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=rdunlap@infradead.org \
--cc=tglx@linutronix.de \
--cc=vedvyas.shanbhogue@intel.com \
--cc=x86-patch-review@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).