From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933158AbcLSXiI (ORCPT ); Mon, 19 Dec 2016 18:38:08 -0500 Received: from mail-vk0-f48.google.com ([209.85.213.48]:34416 "EHLO mail-vk0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932155AbcLSXiG (ORCPT ); Mon, 19 Dec 2016 18:38:06 -0500 MIME-Version: 1.0 In-Reply-To: <20161219233033.GB24180@node.shutemov.name> References: <20161219233033.GB24180@node.shutemov.name> From: Andy Lutomirski Date: Mon, 19 Dec 2016 15:37:45 -0800 Message-ID: Subject: Re: [PATCH] selftests/x86: Add a selftest for SYSRET to noncanonical addresses To: "Kirill A. Shutemov" Cc: Andy Lutomirski , X86 ML , Borislav Petkov , "linux-kernel@vger.kernel.org" , "Kirill A. Shutemov" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 19, 2016 at 3:30 PM, Kirill A. Shutemov wrote: > On Mon, Dec 19, 2016 at 11:12:42AM -0800, Andy Lutomirski wrote: >> SYSRET to a noncanonical address will blow up on Intel CPUs. Linux >> needs to prevent this from happening in two major cases, and the >> criteria will become more complicated when support for larger virtual >> address spaces is added. >> >> A fast-path SYSCALL will fallthrough to the following instruction >> using SYSRET without any particular checking. To prevent fallthrough >> to a noncanonical address, Linux prevents the highest canonical page >> from being mapped. This test case checks a variety of possible maximum >> addresses to make sure that either we can't map code there or that >> SYSCALL fallthrough works. >> >> A slow-path system call can return anywhere. Linux needs to make sure >> that, if the return address is non-canonical, it won't use SYSRET. >> This test cases causes sigreturn() to return to a variety of addresses >> (with RCX == RIP) and makes sure that nothing explodes. >> >> Some of this code comes from Kirill Shutemov. >> >> Cc: "Kirill A. Shutemov" >> Signed-off-by: Andy Lutomirski > > Thanks a lot. > > That's what I've got with 5-level paging: [...] Looks good. >> + err(1, "mremap to 0x%p", new_address); > > "0x" is redundant for %p. > >> + } else { >> + printf("[OK]\tmremap to 0x%p failed\n", new_address); > > Ditto. Will fix. >> + test_sigreturn_to((1UL< > Redundant parenthesis? Indeed. > >> + >> + clearhandler(SIGUSR1); >> + >> + sethandler(SIGSEGV, sigsegv_for_fallthrough, 0); >> + >> + /* This should execute on all kernels. */ >> + test_syscall_fallthrough_to((1UL << 47) - PAGE_SIZE); >> + >> + /* Make sure that we didn't screw up the mremap logic. */ >> + test_syscall_fallthrough_to((1UL << 47) - 2*PAGE_SIZE); >> + >> + /* These are the interesting cases. */ >> + for (int i = 47; i < 64; i++) >> + test_syscall_fallthrough_to((1UL< > Ditto. > > Also, "(1UL << i) - PAGE_SIZE" is interesting too. TASK_SIZE for 5-level > paging would be (1UL << 56) - PAGE_SIZE. I would be better to catch both > corner cases. There's not much scope for error, though -- (1UL << 56) - PAGE_SIZE isn't really any different from any other address. I all add it, but I'm not sure I see any way that the kernel could plausible get it wrong. I guess it's comforting to see the boundary, though. --Andy