From patchwork Mon Dec 5 20:03:41 2022
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 13065055
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: will@kernel.org, catalin.marinas@arm.com, mark.rutland@arm.com, Ard Biesheuvel, Sami Tolvanen, Kees Cook
Subject: [PATCH 2/2] arm64: Stash shadow stack pointer in the task struct on interrupt
Date: Mon, 5 Dec 2022 21:03:41 +0100
Message-Id: <20221205200341.463601-3-ardb@kernel.org>
In-Reply-To: <20221205200341.463601-1-ardb@kernel.org>
References: <20221205200341.463601-1-ardb@kernel.org>

Instead of reloading the shadow call stack pointer from the ordinary stack, which may be vulnerable to the kind of gadget
based attacks shadow call stacks were designed to prevent, let's store a task's shadow call stack pointer in the task struct when switching to the shadow IRQ stack.

Given that currently, the task_struct::scs_sp field is only used to preserve the shadow call stack pointer while a task is scheduled out or running in user space, reusing this field to preserve and restore it while running off the IRQ stack must be safe, as those occurrences are guaranteed to never overlap. (The stack switching logic only switches stacks when running from the task stack, and so the value being saved here always corresponds to the task mode shadow stack.)

While at it, fold a mov/add/mov sequence into a single add.

Signed-off-by: Ard Biesheuvel
---
 arch/arm64/kernel/entry.S | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 20e25083eced13f5..3671d9521d4f559e 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -873,19 +873,19 @@ NOKPROBE(ret_from_fork) */ SYM_FUNC_START(call_on_irq_stack) #ifdef CONFIG_SHADOW_CALL_STACK - stp scs_sp, xzr, [sp, #-16]! + get_current_task x16 + scs_save x16 ldr_this_cpu scs_sp, irq_shadow_call_stack_ptr, x17 #endif + /* Create a frame record to save our LR and SP (implicit in FP) */ stp x29, x30, [sp, #-16]! mov x29, sp ldr_this_cpu x16, irq_stack_ptr, x17 - mov x15, #IRQ_STACK_SIZE - add x16, x16, x15 /* Move to the new stack and call the function there */ - mov sp, x16 + add sp, x16, #IRQ_STACK_SIZE blr x1 /* @@ -894,9 +894,7 @@ SYM_FUNC_START(call_on_irq_stack) */ mov sp, x29 ldp x29, x30, [sp], #16 -#ifdef CONFIG_SHADOW_CALL_STACK - ldp scs_sp, xzr, [sp], #16 -#endif + scs_load_current ret SYM_FUNC_END(call_on_irq_stack) NOKPROBE(call_on_irq_stack)
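Review bot: in the first hunk (the `#ifdef CONFIG_SHADOW_CALL_STACK` block at the top of `call_on_irq_stack`), `scs_save x16` overwrites `task_struct::scs_sp` unconditionally, so the code is only correct under an invariant that nothing in the hunk states: this function must never be entered while the task is already off its own stack, otherwise the parked value is clobbered and `scs_load_current` later restores the IRQ shadow stack pointer into task context. The commit message argues this in its parenthetical, but a one-line comment next to `scs_save x16` (e.g. "only reached from the task stack, so scs_sp is free until scs_load_current") would keep the next reader from having to reconstruct the argument. A second, smaller point in the same hunk: `add sp, x16, #IRQ_STACK_SIZE` only assembles if the constant is encodable as an ADD immediate (12 bits, optionally shifted left by 12); the removed `mov x15, #IRQ_STACK_SIZE` / `add x16, x16, x15` pair accepted any value, so a future non-encodable stack size would now fail at build time rather than silently. Worth a sentence in the commit message.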
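Review bot: in the second hunk, dropping the `#ifdef CONFIG_SHADOW_CALL_STACK` guard around the restore assumes `scs_load_current` expands to nothing when the option is off; the diff does not show the macro, so please confirm the `!CONFIG_SHADOW_CALL_STACK` definition is empty, otherwise this turns a no-op into an unconditional load on every configuration. The save side in the first hunk keeps its guard, which it needs because the `ldr_this_cpu scs_sp, irq_shadow_call_stack_ptr, x17` next to it is SCS-only, so the asymmetry is deliberate; a short comment at the `scs_load_current` site saying it is a no-op without SCS would make that clear. Note also that after this hunk the restore no longer depends on anything popped from the ordinary stack (`ldp x29, x30, [sp], #16` only recovers the frame record), which is the property the commit message is after and would be worth stating explicitly next to `ret`.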
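To make the safety argument in the commit message concrete, the following is a small user-space C model added for this page; it is not kernel code and not the author's. `struct task`, `struct cpu`, the handler names, the `dispatch_irq_new` caller rule and every address are constructed for the model, and the "gadget" is reduced to a loop that overwrites the top of the ordinary task stack while an IRQ handler runs. It shows the old layout reading the attacker's value back into x18 on return, the new layout restoring the parked value from the task struct instead, and the commit's invariant (only switch stacks when running from the task stack) keeping a nested interrupt from clobbering the parked value.

```c
/*
 * User-space model of how call_on_irq_stack() parks the shadow call stack
 * pointer (x18) while the IRQ stack is in use. Added illustration, not kernel
 * code: stacks are arrays, x18 is a field, the "gadget" is a loop that
 * overwrites the top of the ordinary stack, and every address is made up.
 */
#include <stdint.h>
#include <stdio.h>
#define STACK_WORDS 64
static struct task {                 /* the task_struct fields the patch relies on */
    uint64_t scs_sp;                 /* TSK_TI_SCS_SP: parked shadow stack pointer */
    int on_irq_stack;                /* model of "not running on the task stack" */
} task;
static struct cpu {                  /* per-CPU state */
    uint64_t task_stack[STACK_WORDS];   /* ordinary task stack, grows down */
    size_t sp;                          /* current top of the ordinary stack */
    uint64_t scs_sp;                    /* x18 */
    uint64_t irq_scs_base;              /* irq_shadow_call_stack_ptr */
} cpu;
typedef void (*irq_handler_t)(void);

static const uint64_t TASK_SCS = 0xffff800008100000ULL;   /* constructed */
static const uint64_t IRQ_SCS  = 0xffff800008200000ULL;   /* constructed */
static const uint64_t EVIL     = 0x4141414141414141ULL;   /* attacker value */

/* Old layout: stp scs_sp, xzr, [sp, #-16]! ... ldp scs_sp, xzr, [sp], #16 */
static void call_on_irq_stack_old(irq_handler_t fn)
{
    cpu.task_stack[--cpu.sp] = cpu.scs_sp;   /* spill x18 onto the ordinary stack */
    cpu.scs_sp = cpu.irq_scs_base;
    task.on_irq_stack = 1;
    fn();
    task.on_irq_stack = 0;
    cpu.scs_sp = cpu.task_stack[cpu.sp++];   /* reload x18 from the ordinary stack */
}

/* New layout: scs_save <current> ... scs_load_current */
static void call_on_irq_stack_new(irq_handler_t fn)
{
    task.scs_sp = cpu.scs_sp;                /* scs_save: park x18 in the task struct */
    cpu.scs_sp = cpu.irq_scs_base;
    task.on_irq_stack = 1;
    fn();
    task.on_irq_stack = 0;
    cpu.scs_sp = task.scs_sp;                /* scs_load_current */
}

/* The commit's invariant: switch only when on the task stack, so a nested
 * interrupt runs in place and never overwrites task.scs_sp while it is live. */
static void dispatch_irq_new(irq_handler_t fn)
{
    if (task.on_irq_stack)
        fn();
    else
        call_on_irq_stack_new(fn);
}

/* Write primitive aimed at the top of the ordinary stack (the threat model). */
static void smashing_handler(void)
{
    for (size_t i = cpu.sp; i < cpu.sp + 4 && i < STACK_WORDS; i++)
        cpu.task_stack[i] = EVIL;
}

static uint64_t inner_seen;                  /* x18 as observed by a nested handler */
static void inner_handler(void) { inner_seen = cpu.scs_sp; }
static void nesting_handler(void)
{
    dispatch_irq_new(inner_handler);         /* interrupt arriving while on IRQ stack */
    smashing_handler();
}

static void reset(void)
{
    cpu = (struct cpu){ .sp = STACK_WORDS, .scs_sp = TASK_SCS, .irq_scs_base = IRQ_SCS };
    task = (struct task){ 0 };
}

/* x18 after fn returns, using the old (0) or the new (1) layout. */
uint64_t restored_scs_sp(int new_layout, irq_handler_t fn)
{
    reset();
    if (new_layout)
        dispatch_irq_new(fn);
    else
        call_on_irq_stack_old(fn);
    return cpu.scs_sp;
}

/* x18 the nested handler saw during the most recent restored_scs_sp() run. */
uint64_t scs_sp_seen_by_nested_handler(void) { return inner_seen; }

int main(void)
{
    printf("old layout:  x18 = 0x%llx\n", (unsigned long long)restored_scs_sp(0, smashing_handler));
    printf("new layout:  x18 = 0x%llx\n", (unsigned long long)restored_scs_sp(1, smashing_handler));
    printf("new, nested: x18 = 0x%llx\n", (unsigned long long)restored_scs_sp(1, nesting_handler));
    printf("             inner saw 0x%llx\n", (unsigned long long)scs_sp_seen_by_nested_handler());
    return 0;
}
```

With the old layout the spilled x18 sits in the word just below the frame record, exactly where a stack-directed write lands, so `restored_scs_sp(0, smashing_handler)` comes back as the attacker's `EVIL`; with the new layout the same write hits nothing that the restore path reads, and the nested run shows the inner handler running on `IRQ_SCS` while the outer task value survives, which is the non-overlap property the commit message relies on.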