From patchwork Thu Jul 22 20:57:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu-cheng Yu X-Patchwork-Id: 12394765 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FE74C432BE for ; Thu, 22 Jul 2021 20:58:19 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id DFFA260EBE for ; Thu, 22 Jul 2021 20:58:18 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org DFFA260EBE Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id A1E8A8E0002; Thu, 22 Jul 2021 16:58:10 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 952C08E0005; Thu, 22 Jul 2021 16:58:10 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5126D8E0002; Thu, 22 Jul 2021 16:58:10 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0093.hostedemail.com [216.40.44.93]) by kanga.kvack.org (Postfix) with ESMTP id 266728E0003 for ; Thu, 22 Jul 2021 16:58:10 -0400 (EDT) Received: from smtpin13.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id C86AF82499B9 for ; Thu, 22 Jul 2021 20:58:09 +0000 (UTC) X-FDA: 78391436298.13.24D4575 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by imf12.hostedemail.com (Postfix) with ESMTP id A53761001534 for ; Thu, 22 Jul 2021 20:58:06 +0000 (UTC) X-IronPort-AV: E=McAfee;i="6200,9189,10053"; a="297309438" X-IronPort-AV: E=Sophos;i="5.84,262,1620716400"; d="scan'208";a="297309438" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Jul 2021 13:58:04 -0700 X-IronPort-AV: E=Sophos;i="5.84,262,1620716400"; d="scan'208";a="433273364" Received: from yyu32-desk.sc.intel.com ([143.183.136.146]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Jul 2021 13:58:03 -0700 From: Yu-cheng Yu To: x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Dave Martin , Weijiang Yang , Pengfei Xu , Haitao Huang , Rick P Edgecombe Cc: Yu-cheng Yu Subject: [PATCH v28 03/10] x86/cet/ibt: Handle signals for Indirect Branch Tracking Date: Thu, 22 Jul 2021 13:57:16 -0700 Message-Id: <20210722205723.9476-4-yu-cheng.yu@intel.com> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20210722205723.9476-1-yu-cheng.yu@intel.com> References: <20210722205723.9476-1-yu-cheng.yu@intel.com> MIME-Version: 1.0 Authentication-Results: imf12.hostedemail.com; dkim=none; spf=none (imf12.hostedemail.com: domain of yu-cheng.yu@intel.com has no SPF policy when checking 192.55.52.43) smtp.mailfrom=yu-cheng.yu@intel.com; dmarc=fail reason="No valid SPF, No valid DKIM" header.from=intel.com (policy=none) X-Stat-Signature: 86anjzdtzmibcqxkqy4tfsrn13y5bxgx X-Rspamd-Queue-Id: A53761001534 X-Rspamd-Server: rspam01 X-HE-Tag: 1626987486-43914 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: IBT state machine tracks CALL/JMP instructions. When a such instruction is executed and before arriving at an ENDBR, it is in WAIT_FOR_ENDBR state, which can be read from CET_WAIT_ENDBR bit of MSR_IA32_U_CET. Further details are described in Intel SDM Vol. 1, Sec. 18.3. In handling signals, WAIT_FOR_ENDBR state is saved/restored with a new UC_WAIT_ENDBR flag being introduced. A legacy IA32 signal frame does not have ucontext, and cannot be supported with a uc flag. Thus, IBT feature is not supported for ia32 app's, which is handled in a separate patch. Signed-off-by: Yu-cheng Yu Cc: Andy Lutomirski Cc: Cyrill Gorcunov Cc: Florian Weimer Cc: H. Peter Anvin Cc: Kees Cook Link: https://lore.kernel.org/linux-api/f6e61dae-9805-c855-8873-7481ceb7ea79@intel.com/ --- arch/x86/ia32/ia32_signal.c | 15 ++++++++-- arch/x86/include/asm/cet.h | 4 +++ arch/x86/include/uapi/asm/ucontext.h | 5 ++++ arch/x86/kernel/ibt.c | 41 ++++++++++++++++++++++++++++ arch/x86/kernel/signal.c | 6 ++++ 5 files changed, 68 insertions(+), 3 deletions(-) diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index d7a30bc98e66..77d0fa90cc19 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -129,6 +129,7 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; + unsigned int uc_flags; sigset_t set; frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); @@ -137,6 +138,11 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn) goto badframe; if (__get_user(set.sig[0], (__u64 __user *)&frame->uc.uc_sigmask)) goto badframe; + if (__get_user(uc_flags, &frame->uc.uc_flags)) + goto badframe; + + if (uc_flags & UC_WAIT_ENDBR) + ibt_set_wait_endbr(); set_current_blocked(&set); @@ -312,6 +318,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, compat_sigset_t *set, struct pt_regs *regs) { struct rt_sigframe_ia32 __user *frame; + unsigned int uc_flags = 0; void __user *restorer; void __user *fp = NULL; @@ -339,6 +346,9 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, if (setup_signal_shadow_stack(1, restorer)) return -EFAULT; + if (ibt_get_clear_wait_endbr()) + uc_flags |= UC_WAIT_ENDBR; + if (!user_access_begin(frame, sizeof(*frame))) return -EFAULT; @@ -348,9 +358,8 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, /* Create the ucontext. */ if (static_cpu_has(X86_FEATURE_XSAVE)) - unsafe_put_user(UC_FP_XSTATE, &frame->uc.uc_flags, Efault); - else - unsafe_put_user(0, &frame->uc.uc_flags, Efault); + uc_flags |= UC_FP_XSTATE; + unsafe_put_user(uc_flags, &frame->uc.uc_flags, Efault); unsafe_put_user(0, &frame->uc.uc_link, Efault); unsafe_compat_save_altstack(&frame->uc.uc_stack, regs->sp, Efault); diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h index 3dfca29a7c0b..2618faf3fda5 100644 --- a/arch/x86/include/asm/cet.h +++ b/arch/x86/include/asm/cet.h @@ -46,9 +46,13 @@ static inline int restore_signal_shadow_stack(void) { return 0; } #ifdef CONFIG_X86_IBT int ibt_setup(void); void ibt_disable(void); +int ibt_get_clear_wait_endbr(void); +int ibt_set_wait_endbr(void); #else static inline int ibt_setup(void) { return 0; } static inline void ibt_disable(void) {} +static inline int ibt_get_clear_wait_endbr(void) { return 0; } +static inline int ibt_set_wait_endbr(void) { return 0; } #endif #ifdef CONFIG_X86_SHADOW_STACK diff --git a/arch/x86/include/uapi/asm/ucontext.h b/arch/x86/include/uapi/asm/ucontext.h index 5657b7a49f03..905419de2cc7 100644 --- a/arch/x86/include/uapi/asm/ucontext.h +++ b/arch/x86/include/uapi/asm/ucontext.h @@ -51,6 +51,11 @@ #define UC_STRICT_RESTORE_SS 0x4 #endif +/* + * Indicates IBT WAIT-ENDBR status. + */ +#define UC_WAIT_ENDBR 0x08 + #include #endif /* _ASM_X86_UCONTEXT_H */ diff --git a/arch/x86/kernel/ibt.c b/arch/x86/kernel/ibt.c index 4ab7af33b274..5ab8632a1f7e 100644 --- a/arch/x86/kernel/ibt.c +++ b/arch/x86/kernel/ibt.c @@ -56,3 +56,44 @@ void ibt_disable(void) ibt_set_clear_msr_bits(0, CET_ENDBR_EN); current->thread.shstk.ibt = 0; } + +int ibt_get_clear_wait_endbr(void) +{ + u64 msr_val = 0; + + if (!current->thread.shstk.ibt) + return 0; + + fpregs_lock(); + + if (!test_thread_flag(TIF_NEED_FPU_LOAD)) { + if (!rdmsrl_safe(MSR_IA32_U_CET, &msr_val)) + wrmsrl(MSR_IA32_U_CET, msr_val & ~CET_WAIT_ENDBR); + } else { + struct cet_user_state *cet; + + /* + * If !TIF_NEED_FPU_LOAD and get_xsave_addr() returns zero, + * XFEATURE_CET_USER is in init state (cet is not active). + * Return zero status. + */ + cet = get_xsave_addr(¤t->thread.fpu.state.xsave, + XFEATURE_CET_USER); + if (cet) { + msr_val = cet->user_cet; + cet->user_cet = msr_val & ~CET_WAIT_ENDBR; + } + } + + fpregs_unlock(); + + return msr_val & CET_WAIT_ENDBR; +} + +int ibt_set_wait_endbr(void) +{ + if (!current->thread.shstk.ibt) + return 0; + + return ibt_set_clear_msr_bits(CET_WAIT_ENDBR, 0); +} diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 661e46803b84..a1285650852e 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -135,6 +135,9 @@ static int restore_sigcontext(struct pt_regs *regs, */ if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && user_64bit_mode(regs))) force_valid_ss(regs); + + if (uc_flags & UC_WAIT_ENDBR) + ibt_set_wait_endbr(); #endif return fpu__restore_sig((void __user *)sc.fpstate, @@ -455,6 +458,9 @@ static unsigned long frame_uc_flags(struct pt_regs *regs) if (likely(user_64bit_mode(regs))) flags |= UC_STRICT_RESTORE_SS; + if (ibt_get_clear_wait_endbr()) + flags |= UC_WAIT_ENDBR; + return flags; }