From patchwork Tue May 9 17:08:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josh Poimboeuf X-Patchwork-Id: 9718733 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B097560237 for ; Tue, 9 May 2017 17:08:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0608283FD for ; Tue, 9 May 2017 17:08:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 94BD428421; Tue, 9 May 2017 17:08:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 67FCD283FD for ; Tue, 9 May 2017 17:08:30 +0000 (UTC) Received: (qmail 24056 invoked by uid 550); 9 May 2017 17:08:28 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 24032 invoked from network); 9 May 2017 17:08:27 -0000 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 43FCAEC2F7 Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=jpoimboe@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 43FCAEC2F7 Date: Tue, 9 May 2017 12:08:12 -0500 From: Josh Poimboeuf To: Kees Cook Cc: LKML , Peter Zijlstra , PaX Team , Jann Horn , Eric Biggers , Christoph Hellwig , "axboe@kernel.dk" , James Bottomley , Elena Reshetova , Hans Liljestrand , David Windsor , "x86@kernel.org" , Ingo Molnar , Arnd Bergmann , Greg Kroah-Hartman , "David S. Miller" , Rik van Riel , linux-arch , "kernel-hardening@lists.openwall.com" Message-ID: <20170509170812.uyfkvblwofhxpk4e@treble> References: <1494271972-140319-1-git-send-email-keescook@chromium.org> <1494271972-140319-3-git-send-email-keescook@chromium.org> <20170508225308.a6uznrhdm7pgyhcg@treble> <20170509015829.iycvxxbyblfgklsg@treble> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20170509015829.iycvxxbyblfgklsg@treble> User-Agent: Mutt/1.6.0.1 (2016-04-01) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 09 May 2017 17:08:15 +0000 (UTC) Subject: [kernel-hardening] Re: [PATCH v3 2/2] x86/refcount: Implement fast refcount overflow protection X-Virus-Scanned: ClamAV using ClamSMTP On Mon, May 08, 2017 at 08:58:29PM -0500, Josh Poimboeuf wrote: > On Mon, May 08, 2017 at 04:31:11PM -0700, Kees Cook wrote: > > On Mon, May 8, 2017 at 3:53 PM, Josh Poimboeuf wrote: > > > On Mon, May 08, 2017 at 12:32:52PM -0700, Kees Cook wrote: > > >> +#define REFCOUNT_EXCEPTION \ > > >> + "movl $0x7fffffff, %[counter]\n\t" \ > > >> + "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ > > >> + "0:\n\t" \ > > >> + _ASM_EXTABLE(0b, 0b) > > > > > > Despite the objtool warnings going away, this still uses the exception > > > table in a new way, which will confuse objtool. I need to do some more > > > thinking about the best way to fix it, either as a change to your patch > > > or a change to objtool. > > > > In that it's not a "true" exception? > > Right. And also that it doesn't need the "fixup" since it would return > to the same address anyway. How about the following on top of your patch? It uses #UD (invalid opcode). Notice it's mostly code deletions :-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index bba6976..50bc269 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -789,15 +789,6 @@ ENTRY(spurious_interrupt_bug) jmp common_exception END(spurious_interrupt_bug) -#ifdef CONFIG_FAST_REFCOUNT -ENTRY(refcount_error) - ASM_CLAC - pushl $0 - pushl $do_refcount_error - jmp common_exception -ENDPROC(refcount_error) -#endif - #ifdef CONFIG_XEN ENTRY(xen_hypervisor_callback) pushl $-1 /* orig_ax = -1 => not a system call */ diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 783045d..607d72c 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -855,9 +855,6 @@ idtentry coprocessor_error do_coprocessor_error has_error_code=0 idtentry alignment_check do_alignment_check has_error_code=1 idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0 -#ifdef CONFIG_FAST_REFCOUNT -idtentry refcount_error do_refcount_error has_error_code=0 -#endif /* * Reload gs selector with exception handling diff --git a/arch/x86/include/asm/irq_vectors.h b/arch/x86/include/asm/irq_vectors.h index d117776..6ca9fd6 100644 --- a/arch/x86/include/asm/irq_vectors.h +++ b/arch/x86/include/asm/irq_vectors.h @@ -48,9 +48,6 @@ #define IA32_SYSCALL_VECTOR 0x80 -/* Refcount overflow reporting exception. */ -#define X86_REFCOUNT_VECTOR 0x81 - /* * Vectors 0x30-0x3f are used for ISA interrupts. * round up to the next 16-vector boundary diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index 6e8bbd7..653a985 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -8,15 +8,16 @@ */ #include #include +#include #define REFCOUNT_EXCEPTION \ "movl $0x7fffffff, %[counter]\n\t" \ - "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ - "0:\n\t" \ - _ASM_EXTABLE(0b, 0b) + "1:\t" ASM_UD0 "\n" \ + "2:\n\t" \ + _ASM_EXTABLE(1b, 2b) #define REFCOUNT_CHECK \ - "jns 0f\n\t" \ + "jns 2f\n\t" \ REFCOUNT_EXCEPTION static __always_inline void refcount_add(unsigned int i, refcount_t *r) diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h index e4d8db7..01fd0a7 100644 --- a/arch/x86/include/asm/traps.h +++ b/arch/x86/include/asm/traps.h @@ -38,10 +38,6 @@ asmlinkage void machine_check(void); #endif /* CONFIG_X86_MCE */ asmlinkage void simd_coprocessor_error(void); -#ifdef CONFIG_FAST_REFCOUNT -asmlinkage void refcount_error(void); -#endif - #ifdef CONFIG_TRACING asmlinkage void trace_page_fault(void); #define trace_stack_segment stack_segment @@ -58,7 +54,6 @@ asmlinkage void trace_page_fault(void); #define trace_alignment_check alignment_check #define trace_simd_coprocessor_error simd_coprocessor_error #define trace_async_page_fault async_page_fault -#define trace_refcount_error refcount_error #endif dotraplinkage void do_divide_error(struct pt_regs *, long); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 0b2dbcc..7de95b7 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -220,8 +220,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, if (!user_mode(regs)) { if (fixup_exception(regs, trapnr)) { if (IS_ENABLED(CONFIG_FAST_REFCOUNT) && - trapnr == X86_REFCOUNT_VECTOR) - refcount_error_report(regs, str); + trapnr == X86_TRAP_UD) + refcount_error_report(regs); return 0; } @@ -332,10 +332,6 @@ DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) DO_ERROR(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check) -#ifdef CONFIG_FAST_REFCOUNT -DO_ERROR(X86_REFCOUNT_VECTOR, SIGILL, "refcount overflow", refcount_error) -#endif - #ifdef CONFIG_VMAP_STACK __visible void __noreturn handle_stack_overflow(const char *message, struct pt_regs *regs, @@ -1026,11 +1022,6 @@ void __init trap_init(void) set_bit(IA32_SYSCALL_VECTOR, used_vectors); #endif -#ifdef CONFIG_FAST_REFCOUNT - set_intr_gate(X86_REFCOUNT_VECTOR, refcount_error); - set_bit(X86_REFCOUNT_VECTOR, used_vectors); -#endif - /* * Set the IDT descriptor to a fixed read-only location, so that the * "sidt" instruction will not leak the location of the kernel, and diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 94f87d5..53c9326 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,7 +276,7 @@ extern int oops_may_print(void); void do_exit(long error_code) __noreturn; void complete_and_exit(struct completion *, long) __noreturn; -void refcount_error_report(struct pt_regs *regs, const char *kind); +void refcount_error_report(struct pt_regs *regs); /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); diff --git a/kernel/panic.c b/kernel/panic.c index c95b919..2c4ce79 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail); #ifdef CONFIG_FAST_REFCOUNT static DEFINE_RATELIMIT_STATE(refcount_ratelimit, 15 * HZ, 3); -void refcount_error_report(struct pt_regs *regs, const char *kind) +void refcount_error_report(struct pt_regs *regs) { /* Always make sure triggering process will be terminated. */ do_send_sig_info(SIGKILL, SEND_SIG_FORCED, current, true); @@ -613,8 +613,7 @@ void refcount_error_report(struct pt_regs *regs, const char *kind) if (!__ratelimit(&refcount_ratelimit)) return; - pr_emerg("%s detected in: %s:%d, uid/euid: %u/%u\n", - kind ? kind : "refcount error", + pr_emerg("refcount error detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));