From: Nick Desaulniers <ndesaulniers@google.com>
To: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de
Cc: Nick Desaulniers <ndesaulniers@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	clang-built-linux@googlegroups.com,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	x86@kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Andy Lutomirski <luto@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>,
	Marco Elver <elver@google.com>, Brian Gerst <brgerst@gmail.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Andrew Morton <akpm@linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2] x86: signal: move save_altstack_ex out of generic headers
Date: Fri,  3 Apr 2020 16:16:06 -0700	[thread overview]
Message-ID: <20200403231611.81444-1-ndesaulniers@google.com> (raw)
In-Reply-To: <20200324220830.110002-1-ndesaulniers@google.com>

In some configurations (clang+KASAN), sas_ss_reset() may emit calls to
memset().  This is a problem for SMAP protections on x86, which should
try to minimize calls to any function not already on a short whitelist, in
order to prevent leaking AC flags or being used as a gadget.

Linus noted that unsafe_save_altstack() only has callsites in the
arch-specific arch/x86/kernel/signal.c, and shouldn't be defined in arch
independent headers.

Split the logic of unsafe_save_altstack() into two, and move the definitions
to arch/x86/include/asm/sigframe.h.  This does less work with the SMAP
guards down.

Link: https://github.com/ClangBuiltLinux/linux/issues/876
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: <clang-built-linux@googlegroups.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
Changes V1 -> V2:
* Rebased on top of
  commit 39f16c1c0f14 ("x86: get rid of put_user_try in {ia32,x32}_setup_rt_frame()")
* went back to macros instead of static inline functions I had in v1.
Note:
Technically, this is a functional change that does more work if we jump
to Efault before calling {__compat|unsafe}_save_altstack, though the
hope is that that is an exceptional case.

 arch/x86/ia32/ia32_signal.c     |  2 ++
 arch/x86/include/asm/sigframe.h | 13 +++++++++++++
 arch/x86/kernel/signal.c        |  4 ++++
 include/linux/compat.h          |  2 --
 include/linux/signal.h          | 10 ----------
 5 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index f9d8804144d0..e18f6d9dc393 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -349,6 +349,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
 	unsafe_put_sigcontext32(&frame->uc.uc_mcontext, fp, regs, set, Efault);
 	unsafe_put_user(*(__u64 *)set, (__u64 *)&frame->uc.uc_sigmask, Efault);
 	user_access_end();
+	reset_altstack();
 
 	if (__copy_siginfo_to_user32(&frame->info, &ksig->info, false))
 		return -EFAULT;
@@ -371,5 +372,6 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
 	return 0;
 Efault:
 	user_access_end();
+	reset_altstack();
 	return -EFAULT;
 }
diff --git a/arch/x86/include/asm/sigframe.h b/arch/x86/include/asm/sigframe.h
index 84eab2724875..67c317b8585d 100644
--- a/arch/x86/include/asm/sigframe.h
+++ b/arch/x86/include/asm/sigframe.h
@@ -85,4 +85,17 @@ struct rt_sigframe_x32 {
 
 #endif /* CONFIG_X86_64 */
 
+#define unsafe_save_altstack(uss, sp, label) do { \
+	stack_t __user *__uss = uss; \
+	struct task_struct *t = current; \
+	unsafe_put_user((void __user *)t->sas_ss_sp, &__uss->ss_sp, label); \
+	unsafe_put_user(t->sas_ss_flags, &__uss->ss_flags, label); \
+	unsafe_put_user(t->sas_ss_size, &__uss->ss_size, label); \
+} while (0);
+
+#define reset_altstack() do { \
+	if (current->sas_ss_flags & SS_AUTODISARM) \
+		sas_ss_reset(current); \
+} while (0);
+
 #endif /* _ASM_X86_SIGFRAME_H */
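Review bot: Both new macros end with `} while (0);`, carrying the trailing semicolon over from the generic definitions being removed; it turns every `reset_altstack();` call into two statements and makes either macro unusable as an unbraced if/else body, so the closing lines should read `} while (0)`. The reason reset_altstack() is a separate step is not recorded next to it; a comment such as `/* Call only after user_access_end(): sas_ss_reset() may expand to memset() under clang+KASAN, which must not run with SMAP protections lowered. */` would stop a later caller from folding it back into the unsafe_put_user() sequence. The macros also reference current, struct task_struct, sas_ss_reset() and SS_AUTODISARM without the hunk showing sigframe.h gaining an include that provides them; presumably the existing includers already do, but that is worth confirming for the header's self-containment. The unused `sp` parameter of unsafe_save_altstack() is kept from the original definition.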
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 83b74fb38c8f..1e9a900929b3 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -416,6 +416,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 	return 0;
 Efault:
 	user_access_end();
+	reset_altstack();
 	return -EFAULT;
 }
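Review bot: Neither __setup_rt_frame() variant gets a reset_altstack() on its success path: the diffstat lists four insertions for this file and all four are visible (the Efault paths here and in the CONFIG_X86_64 variant, plus both paths of x32_setup_rt_frame()), so the SS_AUTODISARM reset that the removed generic macro performed right after saving the altstack now never runs for native 32-bit and 64-bit rt frames on normal delivery. Unless a success-path call exists outside these hunks, add `reset_altstack();` directly after the success-path `user_access_end();` in both variants, mirroring the x32_setup_rt_frame() hunk. Both __setup_rt_frame() bodies start outside the hunks, so their success-path user_access_end() lines are not visible here.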
 #else /* !CONFIG_X86_32 */
@@ -507,6 +508,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
 Efault:
 	user_access_end();
+	reset_altstack();
 	return -EFAULT;
 }
 #endif /* CONFIG_X86_32 */
@@ -541,6 +543,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
 	unsafe_put_sigcontext(&frame->uc.uc_mcontext, fp, regs, set, Efault);
 	unsafe_put_sigmask(set, frame, Efault);
 	user_access_end();
+	reset_altstack();
 
 	if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
 		if (__copy_siginfo_to_user32(&frame->info, &ksig->info, true))
@@ -567,6 +570,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
 #ifdef CONFIG_X86_X32_ABI
 Efault:
 	user_access_end();
+	reset_altstack();
 	return -EFAULT;
 #endif
 }
diff --git a/include/linux/compat.h b/include/linux/compat.h
index 0480ba4db592..f614967374f5 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -461,8 +461,6 @@ int __compat_save_altstack(compat_stack_t __user *, unsigned long);
 			&__uss->ss_sp, label); \
 	unsafe_put_user(t->sas_ss_flags, &__uss->ss_flags, label); \
 	unsafe_put_user(t->sas_ss_size, &__uss->ss_size, label); \
-	if (t->sas_ss_flags & SS_AUTODISARM) \
-		sas_ss_reset(t); \
 } while (0);
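Review bot: Dropping the SS_AUTODISARM reset from the compat save-altstack macro (its definition starts above the hunk; presumably unsafe_compat_save_altstack()) changes a generic header, yet the description only argues that unsafe_save_altstack() has x86-only callers. Any other architecture using this macro would silently stop disarming the alternate stack, since the reset now lives only in the x86-specific reset_altstack(). Either state in the description that this macro too is x86-only, or document the new contract on the macro: `/* Does not honour SS_AUTODISARM; arch callers must reset the altstack themselves after user_access_end(). */`.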
 
 /*
diff --git a/include/linux/signal.h b/include/linux/signal.h
index 05bacd2ab135..1732114989f7 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -444,16 +444,6 @@ void signals_init(void);
 int restore_altstack(const stack_t __user *);
 int __save_altstack(stack_t __user *, unsigned long);
 
-#define unsafe_save_altstack(uss, sp, label) do { \
-	stack_t __user *__uss = uss; \
-	struct task_struct *t = current; \
-	unsafe_put_user((void __user *)t->sas_ss_sp, &__uss->ss_sp, label); \
-	unsafe_put_user(t->sas_ss_flags, &__uss->ss_flags, label); \
-	unsafe_put_user(t->sas_ss_size, &__uss->ss_size, label); \
-	if (t->sas_ss_flags & SS_AUTODISARM) \
-		sas_ss_reset(t); \
-} while (0);
-
 #ifdef CONFIG_PROC_FS
 struct seq_file;
 extern void render_sigset_t(struct seq_file *, const char *, sigset_t *);
-- 
2.26.0.292.g33ef6b2f38-goog

