| Message ID | 20190606200926.4029-13-yu-cheng.yu@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Control-flow Enforcement: Branch Tracking, PTRACE | expand |
On Thu, Jun 6, 2019 at 1:17 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote: > > When emulating a RET, also unwind the task's shadow stack and cancel > the current branch tracking status. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > --- > arch/x86/entry/vsyscall/vsyscall_64.c | 28 +++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > > diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c > index d9d81ad7a400..6869ef9d1e8b 100644 > --- a/arch/x86/entry/vsyscall/vsyscall_64.c > +++ b/arch/x86/entry/vsyscall/vsyscall_64.c > @@ -38,6 +38,8 @@ > #include <asm/fixmap.h> > #include <asm/traps.h> > #include <asm/paravirt.h> > +#include <asm/fpu/xstate.h> > +#include <asm/fpu/types.h> > > #define CREATE_TRACE_POINTS > #include "vsyscall_trace.h" > @@ -92,6 +94,30 @@ static int addr_to_vsyscall_nr(unsigned long addr) > return nr; > } > > +void fixup_shstk(void) > +{ > +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER > + u64 r; > + > + if (current->thread.cet.shstk_enabled) { > + rdmsrl(MSR_IA32_PL3_SSP, r); > + wrmsrl(MSR_IA32_PL3_SSP, r + 8); > + } > +#endif > +} > + > +void fixup_ibt(void) > +{ > +#ifdef CONFIG_X86_INTEL_BRANCH_TRACKING_USER > + u64 r; > + > + if (current->thread.cet.ibt_enabled) { > + rdmsrl(MSR_IA32_U_CET, r); > + wrmsrl(MSR_IA32_U_CET, r & ~MSR_IA32_CET_WAIT_ENDBR); > + } > +#endif > +} These should be static. But please just inline them directly in their one call site. The code will be a lot easier to understand. --Andy
diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index d9d81ad7a400..6869ef9d1e8b 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -38,6 +38,8 @@ #include <asm/fixmap.h> #include <asm/traps.h> #include <asm/paravirt.h> +#include <asm/fpu/xstate.h> +#include <asm/fpu/types.h> #define CREATE_TRACE_POINTS #include "vsyscall_trace.h" @@ -92,6 +94,30 @@ static int addr_to_vsyscall_nr(unsigned long addr) return nr; } +void fixup_shstk(void) +{ +#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER + u64 r; + + if (current->thread.cet.shstk_enabled) { + rdmsrl(MSR_IA32_PL3_SSP, r); + wrmsrl(MSR_IA32_PL3_SSP, r + 8); + } +#endif +} + +void fixup_ibt(void) +{ +#ifdef CONFIG_X86_INTEL_BRANCH_TRACKING_USER + u64 r; + + if (current->thread.cet.ibt_enabled) { + rdmsrl(MSR_IA32_U_CET, r); + wrmsrl(MSR_IA32_U_CET, r & ~MSR_IA32_CET_WAIT_ENDBR); + } +#endif +} + static bool write_ok_or_segv(unsigned long ptr, size_t size) { /* @@ -265,6 +291,8 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) /* Emulate a ret instruction. */ regs->ip = caller; regs->sp += 8; + fixup_shstk(); + fixup_ibt(); return true; sigsegv:
When emulating a RET, also unwind the task's shadow stack and cancel the current branch tracking status. Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> --- arch/x86/entry/vsyscall/vsyscall_64.c | 28 +++++++++++++++++++++++++++ 1 file changed, 28 insertions(+)