From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0488C4332B for ; Wed, 10 Feb 2021 19:48:49 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 6149E64EDA for ; Wed, 10 Feb 2021 19:48:49 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6149E64EDA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id CCA6E8D0006; Wed, 10 Feb 2021 14:48:48 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id C537B8D0005; Wed, 10 Feb 2021 14:48:48 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B43F68D0006; Wed, 10 Feb 2021 14:48:48 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0110.hostedemail.com [216.40.44.110]) by kanga.kvack.org (Postfix) with ESMTP id 98B688D0005 for ; Wed, 10 Feb 2021 14:48:48 -0500 (EST) Received: from smtpin05.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 6352A824556B for ; Wed, 10 Feb 2021 19:48:48 +0000 (UTC) X-FDA: 77803395936.05.band10_0103e8327612 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin05.hostedemail.com (Postfix) with ESMTP id 3982B18001C13 for ; Wed, 10 Feb 2021 19:48:48 +0000 (UTC) X-HE-Tag: band10_0103e8327612 X-Filterd-Recvd-Size: 9931 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf08.hostedemail.com (Postfix) with ESMTP for ; Wed, 10 Feb 2021 19:48:47 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id 7950864EE0 for ; Wed, 10 Feb 2021 19:48:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1612986526; bh=FAPGExqOTkOBqOlkCN+OURryuSv/6YZbk+hA40//uP4=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=qqXiVHqcEQzlQMKfWyZGVyXTnVfbR0Nh8XzPsU/TsXK2AOyNqURhBBi73UGFdA2aB rboYLFKEEveMuxdXxvRGNnyTxB7ojs/J4VffGjotsaBzDPMUT3o78Ziq9yw5Ek9VcO r6ll9iFBr5goU8h60p/GWFjs9v9A5CXyWQqK5lTv65sAP/Jkrx9bCvjEqQ0FOEG713 Ao7Rnj1kfBo1n5tZHIJbUdNXJ3b9GITeeP8/oJplZbIDGzW8C8sYZvwBTSA7f2Xlke ntUR0nnFo4lOMKI3sdwmwjBA8942xZ4C7JtIgne4ft3/ISBJZn16iHJVig8dw8pkEb ThMuCmO5hLOqQ== Received: by mail-ej1-f43.google.com with SMTP id sa23so6348780ejb.0 for ; Wed, 10 Feb 2021 11:48:46 -0800 (PST) X-Gm-Message-State: AOAM530XAxkUvy5WSnXzOyoNm8e1f1EihUWP+gOzYqm2xiylZYzPjW3T bIC/P2m9Ac2CiEA4JHnOxJ9Khl/DkSG10ubebVeqdw== X-Google-Smtp-Source: ABdhPJxZ1Oe7ZfDn2o8sh5z16NgXDE74CZwTf3R65dv3ub1JlsAMldes56Bodh/Kn0gw1S45DR4gxiZj4SL+x2P51Tw= X-Received: by 2002:a17:906:17d3:: with SMTP id u19mr4829127eje.316.1612986524982; Wed, 10 Feb 2021 11:48:44 -0800 (PST) MIME-Version: 1.0 References: <20210210175703.12492-1-yu-cheng.yu@intel.com> <20210210175703.12492-7-yu-cheng.yu@intel.com> In-Reply-To: <20210210175703.12492-7-yu-cheng.yu@intel.com> From: Andy Lutomirski Date: Wed, 10 Feb 2021 11:48:33 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v20 06/25] x86/cet: Add control-protection fault handler To: Yu-cheng Yu Cc: X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang , Pengfei Xu , "Huang, Haitao" , Michael Kerrisk Content-Type: text/plain; charset="UTF-8" X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Feb 10, 2021 at 9:58 AM Yu-cheng Yu wrote: > > A control-protection fault is triggered when a control-flow transfer > attempt violates Shadow Stack or Indirect Branch Tracking constraints. > For example, the return address for a RET instruction differs from the copy > on the shadow stack; or an indirect JMP instruction, without the NOTRACK > prefix, arrives at a non-ENDBR opcode. > > The control-protection fault handler works in a similar way as the general > protection fault handler. It provides the si_code SEGV_CPERR to the signal > handler. > > Signed-off-by: Yu-cheng Yu > Cc: Michael Kerrisk > --- > arch/x86/include/asm/idtentry.h | 4 ++ > arch/x86/kernel/idt.c | 4 ++ > arch/x86/kernel/signal_compat.c | 2 +- > arch/x86/kernel/traps.c | 63 ++++++++++++++++++++++++++++++ > include/uapi/asm-generic/siginfo.h | 3 +- > 5 files changed, 74 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h > index f656aabd1545..ff4b3bf634da 100644 > --- a/arch/x86/include/asm/idtentry.h > +++ b/arch/x86/include/asm/idtentry.h > @@ -574,6 +574,10 @@ DECLARE_IDTENTRY_ERRORCODE(X86_TRAP_SS, exc_stack_segment); > DECLARE_IDTENTRY_ERRORCODE(X86_TRAP_GP, exc_general_protection); > DECLARE_IDTENTRY_ERRORCODE(X86_TRAP_AC, exc_alignment_check); > > +#ifdef CONFIG_X86_CET > +DECLARE_IDTENTRY_ERRORCODE(X86_TRAP_CP, exc_control_protection); > +#endif > + > /* Raw exception entries which need extra work */ > DECLARE_IDTENTRY_RAW(X86_TRAP_UD, exc_invalid_op); > DECLARE_IDTENTRY_RAW(X86_TRAP_BP, exc_int3); > diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c > index ee1a283f8e96..e8166d9bbb10 100644 > --- a/arch/x86/kernel/idt.c > +++ b/arch/x86/kernel/idt.c > @@ -105,6 +105,10 @@ static const __initconst struct idt_data def_idts[] = { > #elif defined(CONFIG_X86_32) > SYSG(IA32_SYSCALL_VECTOR, entry_INT80_32), > #endif > + > +#ifdef CONFIG_X86_CET > + INTG(X86_TRAP_CP, asm_exc_control_protection), > +#endif > }; > > /* > diff --git a/arch/x86/kernel/signal_compat.c b/arch/x86/kernel/signal_compat.c > index a5330ff498f0..dd92490b1e7f 100644 > --- a/arch/x86/kernel/signal_compat.c > +++ b/arch/x86/kernel/signal_compat.c > @@ -27,7 +27,7 @@ static inline void signal_compat_build_tests(void) > */ > BUILD_BUG_ON(NSIGILL != 11); > BUILD_BUG_ON(NSIGFPE != 15); > - BUILD_BUG_ON(NSIGSEGV != 9); > + BUILD_BUG_ON(NSIGSEGV != 10); > BUILD_BUG_ON(NSIGBUS != 5); > BUILD_BUG_ON(NSIGTRAP != 5); > BUILD_BUG_ON(NSIGCHLD != 6); > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c > index 7f5aec758f0e..8c7fa91a57c9 100644 > --- a/arch/x86/kernel/traps.c > +++ b/arch/x86/kernel/traps.c > @@ -39,6 +39,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -606,6 +607,68 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection) > cond_local_irq_disable(regs); > } > > +#ifdef CONFIG_X86_CET > +static const char * const control_protection_err[] = { > + "unknown", > + "near-ret", > + "far-ret/iret", > + "endbranch", > + "rstorssp", > + "setssbsy", > + "unknown", > +}; > + > +/* > + * When a control protection exception occurs, send a signal to the responsible > + * application. Currently, control protection is only enabled for user mode. > + * This exception should not come from kernel mode. > + */ > +DEFINE_IDTENTRY_ERRORCODE(exc_control_protection) > +{ > + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, > + DEFAULT_RATELIMIT_BURST); > + struct task_struct *tsk; > + > + if (!user_mode(regs)) { > + pr_emerg("PANIC: unexpected kernel control protection fault\n"); > + die("kernel control protection fault", regs, error_code); > + panic("Machine halted."); I think it would be nice to decode the error code and print the cause. > + } > + > + cond_local_irq_enable(regs); We got rid of user mode irqs off a while ago. You can just do local_irq_enable(); > + > + if (!boot_cpu_has(X86_FEATURE_CET)) > + WARN_ONCE(1, "Control protection fault with CET support disabled\n"); > + > + tsk = current; > + tsk->thread.error_code = error_code; > + tsk->thread.trap_nr = X86_TRAP_CP; > + > + /* > + * Ratelimit to prevent log spamming. > + */ > + if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) && > + __ratelimit(&rs)) { > + unsigned long ssp; > + int err; > + > + err = array_index_nospec(error_code, ARRAY_SIZE(control_protection_err)); Shouldn't this do a bounds check? You also need to handle the ENCL bit. > + > + rdmsrl(MSR_IA32_PL3_SSP, ssp); > + pr_emerg("%s[%d] control protection ip:%lx sp:%lx ssp:%lx error:%lx(%s)", > + tsk->comm, task_pid_nr(tsk), > + regs->ip, regs->sp, ssp, error_code, > + control_protection_err[err]); That should be pr_info(); > + print_vma_addr(KERN_CONT " in ", regs->ip); > + pr_cont("\n"); > + } > + > + force_sig_fault(SIGSEGV, SEGV_CPERR, > + (void __user *)uprobe_get_trap_addr(regs)); > + cond_local_irq_disable(regs); > +} > +#endif > + > static bool do_int3(struct pt_regs *regs) > { > int res; > diff --git a/include/uapi/asm-generic/siginfo.h b/include/uapi/asm-generic/siginfo.h > index d2597000407a..1c2ea91284a0 100644 > --- a/include/uapi/asm-generic/siginfo.h > +++ b/include/uapi/asm-generic/siginfo.h > @@ -231,7 +231,8 @@ typedef struct siginfo { > #define SEGV_ADIPERR 7 /* Precise MCD exception */ > #define SEGV_MTEAERR 8 /* Asynchronous ARM MTE error */ > #define SEGV_MTESERR 9 /* Synchronous ARM MTE exception */ > -#define NSIGSEGV 9 > +#define SEGV_CPERR 10 /* Control protection fault */ > +#define NSIGSEGV 10 > > /* > * SIGBUS si_codes > -- > 2.21.0 >