From: Andy Lutomirski <luto@kernel.org>
To: LKML <linux-kernel@vger.kernel.org>
Cc: x86@kernel.org, Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>
Subject: [PATCH] x86/hw_breakpoint: Prevent data breakpoints on cpu_entry_area
Date: Thu, 25 Jul 2019 09:37:15 -0700 [thread overview]
Message-ID: <cf0ca526e3bc946766ab70bada2686c82e7da1ce.1564072590.git.luto@kernel.org> (raw)
A data breakpoint near the top of an IST stack will cause unresoverable
recursion. A data breakpoint on the GDT, IDT, or TSS is terrifying.
Prevent either of these from happening.
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
The rest of my series is still in progress -- as we all know, idtentry
is a morass. But this is self-contained and is an obvious fix.
arch/x86/include/asm/cpu_entry_area.h | 10 ++++++++++
arch/x86/kernel/hw_breakpoint.c | 17 +++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/arch/x86/include/asm/cpu_entry_area.h b/arch/x86/include/asm/cpu_entry_area.h
index e23e2d9a92d7..3f50d4738487 100644
--- a/arch/x86/include/asm/cpu_entry_area.h
+++ b/arch/x86/include/asm/cpu_entry_area.h
@@ -126,6 +126,16 @@ static inline struct entry_stack *cpu_entry_stack(int cpu)
return &get_cpu_entry_area(cpu)->entry_stack_page.stack;
}
+/*
+ * Checks whether the range from addr to end, inclusive, overlaps the CPU
+ * entry area range.
+ */
+static inline bool within_cpu_entry_area(unsigned long addr, unsigned long end)
+{
+ return end >= CPU_ENTRY_AREA_PER_CPU &&
+ addr < (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_TOT_SIZE);
+}
+
#define __this_cpu_ist_top_va(name) \
CEA_ESTACK_TOP(__this_cpu_read(cea_exception_stacks), name)
diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index 218c8917118e..dc4581fe4b4e 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -231,6 +231,23 @@ static int arch_build_bp_info(struct perf_event *bp,
const struct perf_event_attr *attr,
struct arch_hw_breakpoint *hw)
{
+ unsigned long bp_end;
+
+ /* Ensure that bp_end does not oveflow. */
+ if (attr->bp_len >= ULONG_MAX - attr->bp_addr)
+ return -EINVAL;
+
+ bp_end = attr->bp_addr + attr->bp_len - 1;
+
+ /*
+ * Prevent any breakpoint of any type that overlaps the
+ * cpu_entry_area. This protects the IST stacks and also
+ * reduces the chance that we ever find out what happens if
+ * there's a data breakpoint on the GDT, IDT, or TSS.
+ */
+ if (within_cpu_entry_area(attr->bp_addr, bp_end))
+ return -EINVAL;
+
hw->address = attr->bp_addr;
hw->mask = 0;
--
2.21.0
next reply other threads:[~2019-07-25 16:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-25 16:37 Andy Lutomirski [this message]
2019-07-25 17:28 ` [PATCH] x86/hw_breakpoint: Prevent data breakpoints on cpu_entry_area Peter Zijlstra
2019-07-25 22:11 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cf0ca526e3bc946766ab70bada2686c82e7da1ce.1564072590.git.luto@kernel.org \
--to=luto@kernel.org \
--cc=bp@alien8.de \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).