* Backtrace after invalid XRSTOR after "x86/fault: BUG() when uaccess helpers fault on kernel addresses"
@ 2018-11-26 16:59 Sebastian Andrzej Siewior
2018-11-26 17:12 ` Jann Horn
2018-11-27 13:32 ` [PATCH v2] x86/fpu: XRSTOR is expected to raise #GP Jann Horn
0 siblings, 2 replies; 4+ messages in thread
From: Sebastian Andrzej Siewior @ 2018-11-26 16:59 UTC (permalink / raw)
To: Jann Horn
Cc: Thomas Gleixner, Andy Lutomirski, kernel-hardening,
Naveen N. Rao, Borislav Petkov, linux-kernel
Commit 75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess
fixups") made copy_user_to_xregs() -> XSTATE_OP() use _ASM_EXTABLE_UA.
Commit 9da3f2b74054 ("x86/fault: BUG() when uaccess helpers fault on
kernel addresses") then decided that a #GP is not good and has to be
reported loudly.
I had a TC which sets a few invalid bits in xstate which is used by
copy_user_to_xregs() on sig-return. Before that change I had:
| sig-xstate-bum[2253] bad frame in rt_sigreturn frame:0000000056078134 ip:7f9da336c227 sp:7ffc871325e8 orax:ffffffffffffffff in libc-2.27.so[7f9da3358000+146000]
after those two patches are applied:
|BUG: GPF in non-whitelisted uaccess (non-canonical address?)
|general protection fault: 0000 [#1] PREEMPT SMP NOPTI
|CPU: 26 PID: 2236 Comm: sig-xstate-bum Not tainted 4.20.0-rc3 #45
|RIP: 0010:__fpu__restore_sig+0x1c1/0x540
|Code: 02 00 00 48 8b 95 58 ff ff ff 48 f7 d2 48 21 d0 0f 85 6e 03 00 00 0f 01 cb 48 8b 85 58 ff ff ff 48 89 df 48 89 c2 48 c1 ea 20 <48> 0f ae 2f 31 db 0f 01 ca 85 db 0f 84 d7 00 00 00 4c 89 f7 bb ff
|Call Trace:
| fpu__restore_sig+0x28/0x40
| restore_sigcontext+0x13a/0x180
| __ia32_sys_rt_sigreturn+0xae/0x100
| do_syscall_64+0x4f/0x100
| entry_SYSCALL_64_after_hwframe+0x44/0xa9
|RIP: 0033:0x7f9b06aea227
|---[ end trace a45ac23b593e9ab0 ]---
The expected behaviour would that `xrstor' performs a #GP and this does
not a produce a backtrace like that and copy_user_to_fxregs() returns an
error.
copy_user_to_fxregs() / user_insn() does not have this behaviour and
that also might generate a #GP (if invalid bits are set in MCSR).
What do we do?
Sebastian
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Backtrace after invalid XRSTOR after "x86/fault: BUG() when uaccess helpers fault on kernel addresses"
2018-11-26 16:59 Backtrace after invalid XRSTOR after "x86/fault: BUG() when uaccess helpers fault on kernel addresses" Sebastian Andrzej Siewior
@ 2018-11-26 17:12 ` Jann Horn
2018-11-27 13:32 ` [PATCH v2] x86/fpu: XRSTOR is expected to raise #GP Jann Horn
1 sibling, 0 replies; 4+ messages in thread
From: Jann Horn @ 2018-11-26 17:12 UTC (permalink / raw)
To: bigeasy
Cc: Thomas Gleixner, Andy Lutomirski, Kernel Hardening, naveen.n.rao,
Borislav Petkov, kernel list
On Mon, Nov 26, 2018 at 5:59 PM Sebastian Andrzej Siewior
<bigeasy@linutronix.de> wrote:
> Commit 75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess
> fixups") made copy_user_to_xregs() -> XSTATE_OP() use _ASM_EXTABLE_UA.
> Commit 9da3f2b74054 ("x86/fault: BUG() when uaccess helpers fault on
> kernel addresses") then decided that a #GP is not good and has to be
> reported loudly.
>
> I had a TC which sets a few invalid bits in xstate which is used by
> copy_user_to_xregs() on sig-return. Before that change I had:
> | sig-xstate-bum[2253] bad frame in rt_sigreturn frame:0000000056078134 ip:7f9da336c227 sp:7ffc871325e8 orax:ffffffffffffffff in libc-2.27.so[7f9da3358000+146000]
>
> after those two patches are applied:
> |BUG: GPF in non-whitelisted uaccess (non-canonical address?)
> |general protection fault: 0000 [#1] PREEMPT SMP NOPTI
> |CPU: 26 PID: 2236 Comm: sig-xstate-bum Not tainted 4.20.0-rc3 #45
> |RIP: 0010:__fpu__restore_sig+0x1c1/0x540
> |Code: 02 00 00 48 8b 95 58 ff ff ff 48 f7 d2 48 21 d0 0f 85 6e 03 00 00 0f 01 cb 48 8b 85 58 ff ff ff 48 89 df 48 89 c2 48 c1 ea 20 <48> 0f ae 2f 31 db 0f 01 ca 85 db 0f 84 d7 00 00 00 4c 89 f7 bb ff
> |Call Trace:
> | fpu__restore_sig+0x28/0x40
> | restore_sigcontext+0x13a/0x180
> | __ia32_sys_rt_sigreturn+0xae/0x100
> | do_syscall_64+0x4f/0x100
> | entry_SYSCALL_64_after_hwframe+0x44/0xa9
> |RIP: 0033:0x7f9b06aea227
> |---[ end trace a45ac23b593e9ab0 ]---
>
> The expected behaviour would that `xrstor' performs a #GP and this does
> not a produce a backtrace like that and copy_user_to_fxregs() returns an
> error.
> copy_user_to_fxregs() / user_insn() does not have this behaviour and
> that also might generate a #GP (if invalid bits are set in MCSR).
> What do we do?
Bleh. This code has to use normal _ASM_EXTABLE. _ASM_EXTABLE_UA is
(almost, with the exception of stuff like probe_kernel_read() and
exact_copy_from_user()) only for code that isn't expected to throw
things other than #PF with a userspace address. I must have missed
this when looking at the documentation for XRSTOR, or something like
that...
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2] x86/fpu: XRSTOR is expected to raise #GP
@ 2018-11-27 13:32 ` Jann Horn
2018-11-27 17:03 ` [tip:x86/urgent] x86/fpu: Use the correct exception table macro in the XSTATE_OP wrapper tip-bot for Jann Horn
0 siblings, 1 reply; 4+ messages in thread
From: Jann Horn @ 2018-11-27 13:32 UTC (permalink / raw)
To: Thomas Gleixner, Sebastian Andrzej Siewior, Ingo Molnar,
Borislav Petkov, H. Peter Anvin, jannh
Cc: Andy Lutomirski, kernel-hardening, Naveen N. Rao, linux-kernel, x86
commit 75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess
fixups") incorrectly replaced the fixup entry for XSTATE_OP with a
user-#PF-only fixup. XRSTOR can also raise #GP if the xstate content is
invalid, and _ASM_EXTABLE_UA doesn't expect that.
Change this fixup back to _ASM_EXTABLE so that #GP gets fixed up.
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: 75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess fixups")
Signed-off-by: Jann Horn <jannh@google.com>
---
arch/x86/include/asm/fpu/internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
index 5f7290e6e954..69dcdf195b61 100644
--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -226,7 +226,7 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
"3: movl $-2,%[err]\n\t" \
"jmp 2b\n\t" \
".popsection\n\t" \
- _ASM_EXTABLE_UA(1b, 3b) \
+ _ASM_EXTABLE(1b, 3b) \
: [err] "=r" (err) \
: "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \
: "memory")
--
2.20.0.rc0.387.gc7a69e6b6c-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [tip:x86/urgent] x86/fpu: Use the correct exception table macro in the XSTATE_OP wrapper
2018-11-27 13:32 ` [PATCH v2] x86/fpu: XRSTOR is expected to raise #GP Jann Horn
@ 2018-11-27 17:03 ` tip-bot for Jann Horn
0 siblings, 0 replies; 4+ messages in thread
From: tip-bot for Jann Horn @ 2018-11-27 17:03 UTC (permalink / raw)
To: linux-tip-commits
Cc: tglx, mingo, naveen.n.rao, linux-kernel, bigeasy, bp, x86, hpa,
mingo, luto, jannh
Commit-ID: ac26d1f74cfc19c8dc9d533b5f20e99dbee3d9bd
Gitweb: https://git.kernel.org/tip/ac26d1f74cfc19c8dc9d533b5f20e99dbee3d9bd
Author: Jann Horn <jannh@google.com>
AuthorDate: Tue, 27 Nov 2018 14:32:00 +0100
Committer: Borislav Petkov <bp@suse.de>
CommitDate: Tue, 27 Nov 2018 17:55:45 +0100
x86/fpu: Use the correct exception table macro in the XSTATE_OP wrapper
Commit
75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess fixups")
incorrectly replaced the fixup entry for XSTATE_OP with a user-#PF-only
fixup. XRSTOR can also raise #GP if the xstate content is invalid,
and _ASM_EXTABLE_UA doesn't expect that. Change this fixup back to
_ASM_EXTABLE so that #GP gets fixed up.
Fixes: 75045f77f7a7 ("x86/extable: Introduce _ASM_EXTABLE_UA for uaccess fixups")
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20181126165957.xhsyu2dhyy45mrjo@linutronix.de
Link: https://lkml.kernel.org/r/20181127133200.38322-1-jannh@google.com
---
arch/x86/include/asm/fpu/internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
index 5f7290e6e954..69dcdf195b61 100644
--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -226,7 +226,7 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
"3: movl $-2,%[err]\n\t" \
"jmp 2b\n\t" \
".popsection\n\t" \
- _ASM_EXTABLE_UA(1b, 3b) \
+ _ASM_EXTABLE(1b, 3b) \
: [err] "=r" (err) \
: "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \
: "memory")
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-11-27 17:04 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-26 16:59 Backtrace after invalid XRSTOR after "x86/fault: BUG() when uaccess helpers fault on kernel addresses" Sebastian Andrzej Siewior
2018-11-26 17:12 ` Jann Horn
2018-11-27 13:32 ` [PATCH v2] x86/fpu: XRSTOR is expected to raise #GP Jann Horn
2018-11-27 17:03 ` [tip:x86/urgent] x86/fpu: Use the correct exception table macro in the XSTATE_OP wrapper tip-bot for Jann Horn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).