Date: Thu, 19 Jan 2023 16:50:25 -0800
From: Kees Cook
To: Rick Edgecombe
Cc: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar,
    linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
    linux-mm@kvack.org, linux-arch@vger.kernel.org,
    linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski,
    Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen,
    Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn,
    Jonathan Corbet, Mike Kravetz, Nadav Amit, Oleg Nesterov,
    Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang,
    "Kirill A . Shutemov", John Allen, kcc@google.com,
    eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
    dethoma@microsoft.com, akpm@linux-foundation.org,
    Andrew.Cooper3@citrix.com, christina.schimpe@intel.com,
    Yu-cheng Yu, Michael Kerrisk
Subject: Re: [PATCH v5 07/39] x86: Add user control-protection fault handler
Message-ID: <202301191649.5283D6C@keescook>
References: <20230119212317.8324-1-rick.p.edgecombe@intel.com>
    <20230119212317.8324-8-rick.p.edgecombe@intel.com>
In-Reply-To: <20230119212317.8324-8-rick.p.edgecombe@intel.com>

On Thu, Jan 19, 2023 at 01:22:45PM -0800, Rick Edgecombe wrote:
> From: Yu-cheng Yu
>
> A control-protection fault is triggered when a control-flow transfer
> attempt violates Shadow Stack or Indirect Branch Tracking constraints.
> For example, the return address for a RET instruction differs from the copy
> on the shadow stack.
>
> There already exists a control-protection fault handler for handling kernel
> IBT faults. Refactor this fault handler into separate user and kernel
> handlers, like the page fault handler. Add a control-protection handler
> for usermode. To avoid ifdeffery, put them both in a new file cet.c, which
> is compiled in the case of either of the two CET features supported in the
> kernel: kernel IBT or user mode shadow stack. Move some static inline
> functions from traps.c into a header so they can be used in cet.c.
>
> Opportunistically fix a comment in the kernel IBT part of the fault
> handler that is on the end of the line instead of preceding it.
>
> Keep the same behavior for the kernel side of the fault handler, except for
> converting a BUG to a WARN in the case of a #CP happening when the feature
> is missing. This unifies the behavior with the new shadow stack code, and
> also prevents the kernel from crashing under this situation which is
> potentially recoverable.
>
> The control-protection fault handler works in a similar way as the general
> protection fault handler. It provides the si_code SEGV_CPERR to the signal
> handler.
>
> Tested-by: Pengfei Xu
> Tested-by: John Allen
> Signed-off-by: Yu-cheng Yu

This diff would have been a bit easier to review if the file move was
separate from the addition of the handler, but regardless:

Reviewed-by: Kees Cook

-- 
Kees Cook
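
Added example, not part of the patch or of this thread: a userspace SIGSEGV handler that separates control-protection faults (si_code SEGV_CPERR, as the quoted commit message describes) from other segfaults, so crash telemetry can flag shadow stack or IBT violations. The names on_segv, install_handler, simulate_segv and cp_faults are hypothetical, the fallback value 10 for SEGV_CPERR is taken from the Linux uapi siginfo header, and the self-queued signal is a constructed stand-in for a real fault.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SEGV_CPERR
#define SEGV_CPERR 10 /* fallback for older libc headers (Linux uapi value) */
#endif

static volatile sig_atomic_t last_code = -1; /* si_code of the last SIGSEGV */
static volatile sig_atomic_t cp_faults;      /* count of SEGV_CPERR deliveries */

/* Hypothetical crash handler; touches only sig_atomic_t state. */
static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    last_code = si->si_code;
    if (si->si_code == SEGV_CPERR)
        cp_faults++; /* control-flow violation, not a plain bad access */
}

/* SA_RESETHAND restores the default action after one delivery, so a real
 * fault that recurs once the handler returns still terminates the process. */
static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Constructed stand-in for a real fault: queue SIGSEGV to the calling thread
 * with a chosen si_code and return the si_code the handler observed. */
int simulate_segv(int code)
{
    siginfo_t si;
    memset(&si, 0, sizeof(si));
    si.si_signo = SIGSEGV;
    si.si_code = code;
    if (install_handler() != 0 ||
        syscall(SYS_rt_tgsigqueueinfo, getpid(), syscall(SYS_gettid), SIGSEGV, &si) != 0)
        return -1;
    return last_code;
}

int main(void) { return simulate_segv(SEGV_CPERR) == SEGV_CPERR ? 0 : 1; }
```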