| Message ID | 20170509170812.uyfkvblwofhxpk4e@treble (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, May 9, 2017 at 10:08 AM, Josh Poimboeuf <jpoimboe@redhat.com> wrote: > On Mon, May 08, 2017 at 08:58:29PM -0500, Josh Poimboeuf wrote: >> On Mon, May 08, 2017 at 04:31:11PM -0700, Kees Cook wrote: >> > On Mon, May 8, 2017 at 3:53 PM, Josh Poimboeuf <jpoimboe@redhat.com> wrote: >> > > On Mon, May 08, 2017 at 12:32:52PM -0700, Kees Cook wrote: >> > >> +#define REFCOUNT_EXCEPTION \ >> > >> + "movl $0x7fffffff, %[counter]\n\t" \ >> > >> + "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ >> > >> + "0:\n\t" \ >> > >> + _ASM_EXTABLE(0b, 0b) >> > > >> > > Despite the objtool warnings going away, this still uses the exception >> > > table in a new way, which will confuse objtool. I need to do some more >> > > thinking about the best way to fix it, either as a change to your patch >> > > or a change to objtool. >> > >> > In that it's not a "true" exception? >> >> Right. And also that it doesn't need the "fixup" since it would return >> to the same address anyway. > > How about the following on top of your patch? It uses #UD (invalid > opcode). Notice it's mostly code deletions :-) Hah, I wrote this patch almost exactly last night, but hadn't had a chance to send it out. :) I ended up defining a new exception handler, which means nothing special in the generic trap code. I didn't send it out because it was still using a jns instead of js, and I was pondering if I wanted to reintroduce the text section jump just to gain the initial benefit of forward-branch-not-taken optimization... > diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h > index 6e8bbd7..653a985 100644 > --- a/arch/x86/include/asm/refcount.h > +++ b/arch/x86/include/asm/refcount.h > @@ -8,15 +8,16 @@ > */ > #include <linux/refcount.h> > #include <asm/irq_vectors.h> > +#include <asm/bug.h> > > #define REFCOUNT_EXCEPTION \ > "movl $0x7fffffff, %[counter]\n\t" \ > - "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ > - "0:\n\t" \ > - _ASM_EXTABLE(0b, 0b) > + "1:\t" ASM_UD0 "\n" \ > + "2:\n\t" \ > + _ASM_EXTABLE(1b, 2b) I used _ASM_EXTABLE_REFCOUNT(1b, 2b) here, with arch/x86/include/asm/asm.h adding: +# define _ASM_EXTABLE_REFCOUNT(from, to) \ + _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c > index 0b2dbcc..7de95b7 100644 > --- a/arch/x86/kernel/traps.c > +++ b/arch/x86/kernel/traps.c > @@ -220,8 +220,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, > if (!user_mode(regs)) { > if (fixup_exception(regs, trapnr)) { > if (IS_ENABLED(CONFIG_FAST_REFCOUNT) && > - trapnr == X86_REFCOUNT_VECTOR) > - refcount_error_report(regs, str); > + trapnr == X86_TRAP_UD) > + refcount_error_report(regs); > > return 0; > } And then I could leave out this hunk, instead adding this to arch/x86/mm/extable.c: +bool ex_handler_refcount(const struct exception_table_entry *fixup, + struct pt_regs *regs, int trapnr) +{ + regs->ip = ex_fixup_addr(fixup); + refcount_error_report(regs, "overflow"); + return true; +} +EXPORT_SYMBOL_GPL(ex_handler_refcount); After looking at the assembly output, the "movl" instructions can be various sizes, depending on where %[counter] lives, so I'm also considering returning to using PaX's "lea", but I'm not sure the benefit would be very large. -Kees
On Tue, May 09, 2017 at 10:29:16AM -0700, Kees Cook wrote: > On Tue, May 9, 2017 at 10:08 AM, Josh Poimboeuf <jpoimboe@redhat.com> wrote: > > On Mon, May 08, 2017 at 08:58:29PM -0500, Josh Poimboeuf wrote: > >> On Mon, May 08, 2017 at 04:31:11PM -0700, Kees Cook wrote: > >> > On Mon, May 8, 2017 at 3:53 PM, Josh Poimboeuf <jpoimboe@redhat.com> wrote: > >> > > On Mon, May 08, 2017 at 12:32:52PM -0700, Kees Cook wrote: > >> > >> +#define REFCOUNT_EXCEPTION \ > >> > >> + "movl $0x7fffffff, %[counter]\n\t" \ > >> > >> + "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ > >> > >> + "0:\n\t" \ > >> > >> + _ASM_EXTABLE(0b, 0b) > >> > > > >> > > Despite the objtool warnings going away, this still uses the exception > >> > > table in a new way, which will confuse objtool. I need to do some more > >> > > thinking about the best way to fix it, either as a change to your patch > >> > > or a change to objtool. > >> > > >> > In that it's not a "true" exception? > >> > >> Right. And also that it doesn't need the "fixup" since it would return > >> to the same address anyway. > > > > How about the following on top of your patch? It uses #UD (invalid > > opcode). Notice it's mostly code deletions :-) > > Hah, I wrote this patch almost exactly last night, but hadn't had a > chance to send it out. :) > > I ended up defining a new exception handler, which means nothing > special in the generic trap code. I didn't send it out because it was > still using a jns instead of js, and I was pondering if I wanted to > reintroduce the text section jump just to gain the initial benefit of > forward-branch-not-taken optimization... > > > diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h > > index 6e8bbd7..653a985 100644 > > --- a/arch/x86/include/asm/refcount.h > > +++ b/arch/x86/include/asm/refcount.h > > @@ -8,15 +8,16 @@ > > */ > > #include <linux/refcount.h> > > #include <asm/irq_vectors.h> > > +#include <asm/bug.h> > > > > #define REFCOUNT_EXCEPTION \ > > "movl $0x7fffffff, %[counter]\n\t" \ > > - "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ > > - "0:\n\t" \ > > - _ASM_EXTABLE(0b, 0b) > > + "1:\t" ASM_UD0 "\n" \ > > + "2:\n\t" \ > > + _ASM_EXTABLE(1b, 2b) > > I used _ASM_EXTABLE_REFCOUNT(1b, 2b) here, with > arch/x86/include/asm/asm.h adding: > > +# define _ASM_EXTABLE_REFCOUNT(from, to) \ > + _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) > > > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c > > index 0b2dbcc..7de95b7 100644 > > --- a/arch/x86/kernel/traps.c > > +++ b/arch/x86/kernel/traps.c > > @@ -220,8 +220,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, > > if (!user_mode(regs)) { > > if (fixup_exception(regs, trapnr)) { > > if (IS_ENABLED(CONFIG_FAST_REFCOUNT) && > > - trapnr == X86_REFCOUNT_VECTOR) > > - refcount_error_report(regs, str); > > + trapnr == X86_TRAP_UD) > > + refcount_error_report(regs); > > > > return 0; > > } > > And then I could leave out this hunk, instead adding this to > arch/x86/mm/extable.c: > > +bool ex_handler_refcount(const struct exception_table_entry *fixup, > + struct pt_regs *regs, int trapnr) > +{ > + regs->ip = ex_fixup_addr(fixup); > + refcount_error_report(regs, "overflow"); > + return true; > +} > +EXPORT_SYMBOL_GPL(ex_handler_refcount); > > After looking at the assembly output, the "movl" instructions can be > various sizes, depending on where %[counter] lives, so I'm also > considering returning to using PaX's "lea", but I'm not sure the > benefit would be very large. Good, your patch sounds better than mine :-)
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index bba6976..50bc269 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -789,15 +789,6 @@ ENTRY(spurious_interrupt_bug) jmp common_exception END(spurious_interrupt_bug) -#ifdef CONFIG_FAST_REFCOUNT -ENTRY(refcount_error) - ASM_CLAC - pushl $0 - pushl $do_refcount_error - jmp common_exception -ENDPROC(refcount_error) -#endif - #ifdef CONFIG_XEN ENTRY(xen_hypervisor_callback) pushl $-1 /* orig_ax = -1 => not a system call */ diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 783045d..607d72c 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -855,9 +855,6 @@ idtentry coprocessor_error do_coprocessor_error has_error_code=0 idtentry alignment_check do_alignment_check has_error_code=1 idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0 -#ifdef CONFIG_FAST_REFCOUNT -idtentry refcount_error do_refcount_error has_error_code=0 -#endif /* * Reload gs selector with exception handling diff --git a/arch/x86/include/asm/irq_vectors.h b/arch/x86/include/asm/irq_vectors.h index d117776..6ca9fd6 100644 --- a/arch/x86/include/asm/irq_vectors.h +++ b/arch/x86/include/asm/irq_vectors.h @@ -48,9 +48,6 @@ #define IA32_SYSCALL_VECTOR 0x80 -/* Refcount overflow reporting exception. */ -#define X86_REFCOUNT_VECTOR 0x81 - /* * Vectors 0x30-0x3f are used for ISA interrupts. * round up to the next 16-vector boundary diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index 6e8bbd7..653a985 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -8,15 +8,16 @@ */ #include <linux/refcount.h> #include <asm/irq_vectors.h> +#include <asm/bug.h> #define REFCOUNT_EXCEPTION \ "movl $0x7fffffff, %[counter]\n\t" \ - "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ - "0:\n\t" \ - _ASM_EXTABLE(0b, 0b) + "1:\t" ASM_UD0 "\n" \ + "2:\n\t" \ + _ASM_EXTABLE(1b, 2b) #define REFCOUNT_CHECK \ - "jns 0f\n\t" \ + "jns 2f\n\t" \ REFCOUNT_EXCEPTION static __always_inline void refcount_add(unsigned int i, refcount_t *r) diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h index e4d8db7..01fd0a7 100644 --- a/arch/x86/include/asm/traps.h +++ b/arch/x86/include/asm/traps.h @@ -38,10 +38,6 @@ asmlinkage void machine_check(void); #endif /* CONFIG_X86_MCE */ asmlinkage void simd_coprocessor_error(void); -#ifdef CONFIG_FAST_REFCOUNT -asmlinkage void refcount_error(void); -#endif - #ifdef CONFIG_TRACING asmlinkage void trace_page_fault(void); #define trace_stack_segment stack_segment @@ -58,7 +54,6 @@ asmlinkage void trace_page_fault(void); #define trace_alignment_check alignment_check #define trace_simd_coprocessor_error simd_coprocessor_error #define trace_async_page_fault async_page_fault -#define trace_refcount_error refcount_error #endif dotraplinkage void do_divide_error(struct pt_regs *, long); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 0b2dbcc..7de95b7 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -220,8 +220,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, if (!user_mode(regs)) { if (fixup_exception(regs, trapnr)) { if (IS_ENABLED(CONFIG_FAST_REFCOUNT) && - trapnr == X86_REFCOUNT_VECTOR) - refcount_error_report(regs, str); + trapnr == X86_TRAP_UD) + refcount_error_report(regs); return 0; } @@ -332,10 +332,6 @@ DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) DO_ERROR(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check) -#ifdef CONFIG_FAST_REFCOUNT -DO_ERROR(X86_REFCOUNT_VECTOR, SIGILL, "refcount overflow", refcount_error) -#endif - #ifdef CONFIG_VMAP_STACK __visible void __noreturn handle_stack_overflow(const char *message, struct pt_regs *regs, @@ -1026,11 +1022,6 @@ void __init trap_init(void) set_bit(IA32_SYSCALL_VECTOR, used_vectors); #endif -#ifdef CONFIG_FAST_REFCOUNT - set_intr_gate(X86_REFCOUNT_VECTOR, refcount_error); - set_bit(X86_REFCOUNT_VECTOR, used_vectors); -#endif - /* * Set the IDT descriptor to a fixed read-only location, so that the * "sidt" instruction will not leak the location of the kernel, and diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 94f87d5..53c9326 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,7 +276,7 @@ extern int oops_may_print(void); void do_exit(long error_code) __noreturn; void complete_and_exit(struct completion *, long) __noreturn; -void refcount_error_report(struct pt_regs *regs, const char *kind); +void refcount_error_report(struct pt_regs *regs); /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); diff --git a/kernel/panic.c b/kernel/panic.c index c95b919..2c4ce79 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail); #ifdef CONFIG_FAST_REFCOUNT static DEFINE_RATELIMIT_STATE(refcount_ratelimit, 15 * HZ, 3); -void refcount_error_report(struct pt_regs *regs, const char *kind) +void refcount_error_report(struct pt_regs *regs) { /* Always make sure triggering process will be terminated. */ do_send_sig_info(SIGKILL, SEND_SIG_FORCED, current, true); @@ -613,8 +613,7 @@ void refcount_error_report(struct pt_regs *regs, const char *kind) if (!__ratelimit(&refcount_ratelimit)) return; - pr_emerg("%s detected in: %s:%d, uid/euid: %u/%u\n", - kind ? kind : "refcount error", + pr_emerg("refcount error detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));