
[v3,3/7] arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return

Message ID 20200710130702.30658-4-will@kernel.org (mailing list archive)
State Mainlined
Commit 15956689a0e60aa0c795174f3c310b60d8794235

Commit Message

Will Deacon July 10, 2020, 1:06 p.m. UTC
Although we zero the upper bits of x0 on entry to the kernel from an
AArch32 task, we do not clear them on the exception return path and can
therefore expose 64-bit sign extended syscall return values to userspace
via interfaces such as the 'perf_regs' ABI, which deal exclusively with
64-bit registers.

Explicitly clear the upper 32 bits of x0 on return from a compat system
call.

Cc: <stable@vger.kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Keno Fischer <keno@juliacomputing.com>
Cc: Luis Machado <luis.machado@linaro.org>
Signed-off-by: Will Deacon <will@kernel.org>
---
 arch/arm64/include/asm/syscall.h | 12 +++++++++++-
 arch/arm64/kernel/syscall.c      |  3 +++
 2 files changed, 14 insertions(+), 1 deletion(-)

Comments

Sasha Levin July 16, 2020, 12:27 a.m. UTC | #1
Hi

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has tested the following trees: v5.7.8, v5.4.51, v4.19.132, v4.14.188, v4.9.230, v4.4.230.

v5.7.8: Build OK!
v5.4.51: Build OK!
v4.19.132: Build OK!
v4.14.188: Failed to apply! Possible dependencies:
    0013aceb30748 ("xtensa: clean up fixups in assembly code")
    1af1e8a39dc0f ("xtensa: move fixmap and kmap just above the KSEG")
    2a61f4747eeaa ("stack-protector: test compiler capability in Kconfig and drop AUTO mode")
    2b8383927525d ("Makefile: move stack-protector compiler breakage test earlier")
    2bc2f688fdf88 ("Makefile: move stack-protector availability out of Kconfig")
    409d5db49867c ("arm64: rseq: Implement backend rseq calls and select HAVE_RSEQ")
    40d1a07b333ef ("xtensa: enable stack protector")
    4141c857fd09d ("arm64: convert raw syscall invocation to C")
    44c6dc940b190 ("Makefile: introduce CONFIG_CC_STACKPROTECTOR_AUTO")
    5cf97ebd8b40e ("xtensa: clean up functions in assembly code")
    8d66772e869e7 ("arm64: Mask all exceptions during kernel_exit")
    9800b9dc13cdf ("arm: Add restartable sequences support")
    c2edb35ae342f ("xtensa: extract init_kio")
    c633544a61541 ("xtensa: add support for KASAN")
    d148eac0e70f0 ("Kbuild: rename HAVE_CC_STACKPROTECTOR config variable")
    f4431396be5b2 ("xtensa: consolidate kernel stack size related definitions")

v4.9.230: Failed to apply! Possible dependencies:
    12597988319c8 ("MIPS: Sort MIPS Kconfig Alphabetically.")
    2a61f4747eeaa ("stack-protector: test compiler capability in Kconfig and drop AUTO mode")
    2b8383927525d ("Makefile: move stack-protector compiler breakage test earlier")
    2bc2f688fdf88 ("Makefile: move stack-protector availability out of Kconfig")
    313dd1b629219 ("gcc-plugins: Add the randstruct plugin")
    39c13c204bb11 ("arm: eBPF JIT compiler")
    409d5db49867c ("arm64: rseq: Implement backend rseq calls and select HAVE_RSEQ")
    4141c857fd09d ("arm64: convert raw syscall invocation to C")
    44c6dc940b190 ("Makefile: introduce CONFIG_CC_STACKPROTECTOR_AUTO")
    74d86a70636a0 ("arm: use set_memory.h header")
    8d66772e869e7 ("arm64: Mask all exceptions during kernel_exit")
    9800b9dc13cdf ("arm: Add restartable sequences support")
    c02433dd6de32 ("arm64: split thread_info from task stack")
    c61f13eaa1ee1 ("gcc-plugins: Add structleak for more stack initialization")
    c763ea2650dfa ("x86/kconfig: Sort the 'config X86' selects alphabetically")
    d148eac0e70f0 ("Kbuild: rename HAVE_CC_STACKPROTECTOR config variable")
    f381bf6d82f03 ("MIPS: Add support for eBPF JIT.")

v4.4.230: Failed to apply! Possible dependencies:
    218cfe4ed8885 ("perf/x86: Move perf_event_amd_ibs.c ....... => x86/events/amd/ibs.c")
    25a77b55e74c4 ("xtensa/perf: Convert the hotplug notifier to state machine callbacks")
    2a803c4db615d ("arm64: head.S: use memset to clear BSS")
    2bf31a4a05f5b ("arm64: avoid dynamic relocations in early boot code")
    3600c2fdc09a4 ("arm64: Add macros to read/write system registers")
    39b0332a21583 ("perf/x86: Move perf_event_amd.c ........... => x86/events/amd/core.c")
    4141c857fd09d ("arm64: convert raw syscall invocation to C")
    499c81507f599 ("arm64/debug: Remove superfluous SMP function call")
    49de0493e5f67 ("x86/perf/intel/cstate: Make cstate hotplug handling actually work")
    4b6e2571bf000 ("x86/perf/intel/rapl: Make the Intel RAPL PMU driver modular")
    5b26547dd7faa ("perf/x86: Move perf_event_amd_iommu.[ch] .. => x86/events/amd/iommu.[ch]")
    609116d202a8c ("arm64: add function to install the idmap")
    6cdf9c7ca687e ("arm64: Store struct thread_info in sp_el0")
    77c34ef1c3194 ("perf/x86/intel/cstate: Convert Intel CSTATE to hotplug state machine")
    8d66772e869e7 ("arm64: Mask all exceptions during kernel_exit")
    9e8e865bbe294 ("arm64: unify idmap removal")
    a563f7598198b ("arm64: Reuse TCR field definitions for EL1 and EL2")
    adf7589997927 ("arm64: simplify sysreg manipulation")
    ae7e27fe6834d ("arm64: hw_breakpoint: Allow EL2 breakpoints if running in HYP")
    bb9052744f4b7 ("arm64: Handle early CPU boot failures")
    c02433dd6de32 ("arm64: split thread_info from task stack")
    c4bc34d20273d ("arm64: Add a helper for parking CPUs in a loop")
    c7afba320e91c ("x86/perf/intel/cstate: Modularize driver")
    e5b61bafe7047 ("arm: Convert VFP hotplug notifiers to state machine")
    e633c65a1d585 ("x86/perf/intel/uncore: Make the Intel uncore PMU driver modular")
    e937dd5782688 ("arm64: debug: convert OS lock CPU hotplug notifier to new infrastructure")
    ee02a15919cf8 ("arm64: Introduce cpu_die_early")
    fa9cbf320e996 ("perf/x86: Move perf_event.c ............... => x86/events/core.c")
    fce6361fe9b0c ("arm64: Move cpu_die_early to smp.c")


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 65299a2dcf9c..cfc0672013f6 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -34,6 +34,10 @@  static inline long syscall_get_error(struct task_struct *task,
 				     struct pt_regs *regs)
 {
 	unsigned long error = regs->regs[0];
+
+	if (is_compat_thread(task_thread_info(task)))
+		error = sign_extend64(error, 31);
+
 	return IS_ERR_VALUE(error) ? error : 0;
 }
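Review bot: The new `sign_extend64(error, 31)` only produces a value in the `-errno` range that `IS_ERR_VALUE()` recognises because the compat return value stored in `regs->regs[0]` is now zero-extended from 32 bits, which is what the `syscall_set_return_value` and `invoke_syscall` hunks below guarantee; nothing on this read side records that coupling. I would add above the added `if`: `/* Compat tasks store a zero-extended 32-bit value in x0 (see invoke_syscall()); sign-extend from bit 31 so IS_ERR_VALUE() sees negative errnos. */`. Note that `error` is `unsigned long`, so the `__s64` result of `sign_extend64()` is converted back to unsigned on assignment, which is what the following `IS_ERR_VALUE()` test expects. `syscall_get_error`'s signature begins above the hunk.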
 
@@ -47,7 +51,13 @@  static inline void syscall_set_return_value(struct task_struct *task,
 					    struct pt_regs *regs,
 					    int error, long val)
 {
-	regs->regs[0] = (long) error ? error : val;
+	if (error)
+		val = error;
+
+	if (is_compat_thread(task_thread_info(task)))
+		val = lower_32_bits(val);
+
+	regs->regs[0] = val;
 }
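Review bot: The new `val = lower_32_bits(val)` line deliberately throws away the sign extension of a negative `error` for compat tasks, so a reader of this function alone sees an errno apparently being corrupted; the intent only becomes clear together with the `sign_extend64()` added to `syscall_get_error` above. A one-line comment would prevent a future "fix": `/* Compat x0 is a zero-extended 32-bit value; syscall_get_error() sign-extends it back. */`. The test uses `is_compat_thread(task_thread_info(task))` rather than `is_compat_task()`, presumably because `task` here need not be `current` (a traced child, for instance); worth a short comment as well since the `syscall.c` hunk uses the `current`-based helper for the same decision.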
 
 #define SYSCALL_MAX_ARGS 6
diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c
index 7c14466a12af..98a26d4e7b0c 100644
--- a/arch/arm64/kernel/syscall.c
+++ b/arch/arm64/kernel/syscall.c
@@ -50,6 +50,9 @@  static void invoke_syscall(struct pt_regs *regs, unsigned int scno,
 		ret = do_ni_syscall(regs, scno);
 	}
 
+	if (is_compat_task())
+		ret = lower_32_bits(ret);
+
 	regs->regs[0] = ret;
 }
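Review bot: The added `lower_32_bits(ret)` carries no comment explaining why a `long` return value is truncated before being written to `regs->regs[0]`, and the reason (64-bit sign-extended results leaking to userspace through 64-bit register views such as perf_regs) lives only in the commit message. I would add above the added `if`: `/* Compat syscalls return 32-bit values: clear the upper bits of x0 so sign-extended results are not exposed via 64-bit register interfaces. */`. Because `ret` is no longer sign-extended after this point, anything reading `regs->regs[0]` later on the exit path for a compat task presumably has to go through `syscall_get_error()`, which the `syscall.h` hunk adjusts. `invoke_syscall`'s signature and the start of its body are outside the hunk.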