From patchwork Tue Oct 1 22:59:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Brown X-Patchwork-Id: 13818925 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DDDDCF318A for ; Tue, 1 Oct 2024 23:04:42 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C0A64680033; Tue, 1 Oct 2024 19:04:41 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B910868002B; Tue, 1 Oct 2024 19:04:41 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9BBBF680033; Tue, 1 Oct 2024 19:04:41 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 7962B68002B for ; Tue, 1 Oct 2024 19:04:41 -0400 (EDT) Received: from smtpin22.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 266F0C0AF9 for ; Tue, 1 Oct 2024 23:04:41 +0000 (UTC) X-FDA: 82626564762.22.CBE4313 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf27.hostedemail.com (Postfix) with ESMTP id 50D2D40010 for ; Tue, 1 Oct 2024 23:04:39 +0000 (UTC) Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=TB0n3CPd; dmarc=pass (policy=quarantine) header.from=kernel.org; spf=pass (imf27.hostedemail.com: domain of broonie@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=broonie@kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1727823738; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=yJtqeUkAWWAacG+qFJSzrl+bCDrrPsx2/xUTEvzw2Nk=; b=KwkOif8IelF3zog3Hxl/FCVR+Wp1D+qN4b4rS7Yzko54UTGGbmvV5q7jlp1tRWvvU5rIhQ eR7Dfgr1PB4FaBW/uYGWtLSJYBhXZs1vVlOyi6MsKaDtLJIj96EGshRT3MjEeAJbKYsVWH 7FewAcADRU+jpzr45aRjnprCdFRVwrI= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1727823738; a=rsa-sha256; cv=none; b=he94iQN5Jf9PS8SzqYFNBwaYe0tWuDL0pPsbuYbv4GUjMVieRHtjrFhHfaAzoytZ2xtaJo Qw01lEdufyN8iHdKVkGJATtk39WDdnqek5Q3snOps4pupY3+m1oVIUkY8sZ1Mb2Z1rHZ0j Bf+Ca1u2GAbAPKflXCf9dH81l3LDtpM= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=TB0n3CPd; dmarc=pass (policy=quarantine) header.from=kernel.org; spf=pass (imf27.hostedemail.com: domain of broonie@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=broonie@kernel.org Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 596335C53D4; Tue, 1 Oct 2024 23:04:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 67207C4CEC6; Tue, 1 Oct 2024 23:04:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1727823878; bh=M/Cko4L7ycF7EfuRgE9nFrYd9p9UbU51oKSukOYF/3Y=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=TB0n3CPdNHxlLWrrtuwMlV8tMuyagUCpSWBaTpoZK3gtGJcqFir6KLD+BmHv+cAUd qM/4Gy+3Y18n74iUaE3rzufN3Rl/YESZyphxeSuMvNMijO55mx0tYJmieb9IHxvIqG lKLPaKvylTHaCFcD3d2EQpZOZ+TUNT51nHrDD5Q/xrHnMKDfBv/rh5RPQozl9dCruQ 0REOF1upnxBvakxy2PWw5L7FCxb1vRcxVUKN6luHbJiTMdFqw5QxkIyTUrxpDEImd+ xjFKxq+oZ20wZuFdNCPOnXd9v4i+GcTRI+IXsg9I4FVuQivvGUdj6CHwInwp+0eTc9 t51dk4u8fx/Cg== From: Mark Brown Date: Tue, 01 Oct 2024 23:59:04 +0100 Subject: [PATCH v13 25/40] arm64/signal: Set up and restore the GCS context for signal handlers MIME-Version: 1.0 Message-Id: <20241001-arm64-gcs-v13-25-222b78d87eee@kernel.org> References: <20241001-arm64-gcs-v13-0-222b78d87eee@kernel.org> In-Reply-To: <20241001-arm64-gcs-v13-0-222b78d87eee@kernel.org> To: Catalin Marinas , Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Shuah Khan , "Rick P. Edgecombe" , Deepak Gupta , Ard Biesheuvel , Szabolcs Nagy , Kees Cook Cc: "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , Florian Weimer , Christian Brauner , Thiago Jung Bauermann , Ross Burton , David Spickett , Yury Khrustalev , Wilco Dijkstra , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Mark Brown X-Mailer: b4 0.15-dev-99b12 X-Developer-Signature: v=1; a=openpgp-sha256; l=6765; i=broonie@kernel.org; h=from:subject:message-id; bh=M/Cko4L7ycF7EfuRgE9nFrYd9p9UbU51oKSukOYF/3Y=; b=owEBbQGS/pANAwAKASTWi3JdVIfQAcsmYgBm/H7XYlmqI4AVMLQuVzPpNgT/SyMCRjCiznsJGwH4 G2vcFFCJATMEAAEKAB0WIQSt5miqZ1cYtZ/in+ok1otyXVSH0AUCZvx+1wAKCRAk1otyXVSH0KouB/ 9Jw3HWKPOwR2aVOZ6u7wPXJwj9zBiar/DXFEbthlVQ/Dr8xLxWr9UILF4cDa6yLfc+rJkYXNX+5RK9 BkjxhujnTpn05vvFfUCInty8LTLbn0sywBiP8f8X0Dn2rcVCUbs5Smk8agHmrxbSo76R4SwsFy498d AyoptghwLoECA+CFGXG7VMkZ9S7i+FfAd1v2VUB63hLD5sxJkIEubTmneUSSxYvFVT5b/J37eGA6+z 13qjEBBQxnOjZ9MlEZ5LB/ybEnIQLz1wN87hLvtd7aIz5ZIpPZ8Azclkb+uVeaAc0nEsRgnOd/5R7F 2+kSiCmA0iuGU82ZzrQ9jZqMMl63ti X-Developer-Key: i=broonie@kernel.org; a=openpgp; fpr=3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 50D2D40010 X-Stat-Signature: 3ymahzodc8ksp1u1ifmpjxx1q38afgkw X-Rspam-User: X-HE-Tag: 1727823879-242030 X-HE-Meta: U2FsdGVkX1+frirhPdHPnt0F87Gmb6U2dyv2hB1zdrZcKiBWlVbKr1YBk255LvNhWnx7UPlwSubtoPVyelA7+bM41HZuCmEwBBCDDfTg/QKpUUlDxopUr05Z9lq3bZbakKCxZMhEem7AsZ0bfUA0wMuJI8pFZFRBpyifRcEjxspZfg6dqxk8FqaeVwvV6eYap+EExopwMYzTCiIw2c+NfoUgpLU+0dCyRf3vgufiyeZ3klU/XyzRqLsXh9RJAZwe10hWrjUewCldR0ZHaNKbtoUbAC6ntUrmivbpfSXcjD2KYmh0yXSx1xCqEdbrErOwOvHf4pbl8KZkD7ya8wyeiQeQiSZg+9PEVxadODv2VrwMiURpzQGV8L/fu3g6NrwBV6QPK8FMGXpiiSCktxJo7cLsqd7FEG9q/uLeFpFJP0DA1is9U4ayU+I64CAefYZ8L7D0UF1a/VYs1CInDD6yYhrs4/PYEps25zQmn0MOqvSVpSdyQs2fgN4Y/rRLNY5FYaCzLndT1BmLbg9PA/v6FqzwQ/Rwlz4VyH3mO8fx8BE5U7HRHrrqWd13FAJFazaFjDVRDM6XudVJtHefpwug+E2M003vRBrRO2NcLksXhCm7w7MIv2BHbgZZm+nDe1GRUD1Ac2gRZAzF+kuhwBzL9Q+Ji4+6IQUM5FvzcuRJSPv/dhy5xgKkeECGemeIHEYXZseZIySes7etZ5Y2VHrEdz1GzUEn9yi6cAc4jV+uG5HOSHQBxy4/YG28gxV9vVuUiSNUFbituZ015lGaYRaZyxBE2xPCICMaCuRdzRxFgiJ0hCC+uEm5CIzZSI7NehjmzS9r//2Kxb6Zfeishe00F1hYVEEvN4tq+UYiRDxV25Udk0Kts7UwupdcTICRKWSF8RH4PVmHGA3hC+PvMeoX8ZGPzKHbCp21zSMDzpVo51MxIfIIeMzyNsbBsFpOpP2iNgCytVGlUFpZcTn6pIK dn+6mz5+ WDRWwLMUIpzRzB2EnZ82RVezTnGZLt6k+micftKOylyzOs/aLOiE5DxFPeVq4Cw5h58hwSAerUF6D1I3kY63o1saNTulSTZ0yeRvweepGZPHu2oid0lLqNJhlHVJ9LNyi3CWWgXuiF3JnQ5lNJMgIQ9h6nOPAag8RegtnJqCJszcaEUmu63ziyDLVQ0Q3BqfakOuDybee626a+8gxlBipmmqikmmsfzb9jgBsR+uzTOefYByBNrXY0g208MvIctYbcLUKi8qaQE3PRp+HxGhq2mRrUCV9fD2Y2Xw8qDq5p1EC797VnuOcDGOKrDzOP9Qdil5uXAeuJpPF4zBfqcGddJl3VCuWT64XwUD80HRvrYcf/FIu114PM+oDWefPULtmlH18Jc033Moph/T2DEEdvrvWRcBTe6pQe8Pw7g4QBqOI/7rAe8LsyjtDbA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: When invoking a signal handler we use the GCS configuration and stack for the current thread. Since we implement signal return by calling the signal handler with a return address set up pointing to a trampoline in the vDSO we need to also configure any active GCS for this by pushing a frame for the trampoline onto the GCS. If we do not do this then signal return will generate a GCS protection fault. In order to guard against attempts to bypass GCS protections via signal return we only allow returning with GCSPR_EL0 pointing to an address where it was previously preempted by a signal. We do this by pushing a cap onto the GCS, this takes the form of an architectural GCS cap token with the top bit set and token type of 0 which we add on signal entry and validate and pop off on signal return. The combination of the top bit being set and the token type mean that this can't be interpreted as a valid token or address. Reviewed-by: Thiago Jung Bauermann Reviewed-by: Catalin Marinas Signed-off-by: Mark Brown --- arch/arm64/include/asm/gcs.h | 1 + arch/arm64/kernel/signal.c | 118 +++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 114 insertions(+), 5 deletions(-) diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h index 48c97e63e56a..f50660603ecf 100644 --- a/arch/arm64/include/asm/gcs.h +++ b/arch/arm64/include/asm/gcs.h @@ -9,6 +9,7 @@ #include struct kernel_clone_args; +struct ksignal; static inline void gcsb_dsync(void) { diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 561986947530..b5ab0e229a78 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -34,6 +35,15 @@ #include #include +#ifdef CONFIG_ARM64_GCS +#define GCS_SIGNAL_CAP(addr) (((unsigned long)addr) & GCS_CAP_ADDR_MASK) + +static bool gcs_signal_cap_valid(u64 addr, u64 val) +{ + return val == GCS_SIGNAL_CAP(addr); +} +#endif + /* * Do a signal return; undo the signal stack. These are aligned to 128-bit. */ @@ -904,6 +914,58 @@ static int restore_sigframe(struct pt_regs *regs, return err; } +#ifdef CONFIG_ARM64_GCS +static int gcs_restore_signal(void) +{ + unsigned long __user *gcspr_el0; + u64 cap; + int ret; + + if (!system_supports_gcs()) + return 0; + + if (!(current->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE)) + return 0; + + gcspr_el0 = (unsigned long __user *)read_sysreg_s(SYS_GCSPR_EL0); + + /* + * Ensure that any changes to the GCS done via GCS operations + * are visible to the normal reads we do to validate the + * token. + */ + gcsb_dsync(); + + /* + * GCSPR_EL0 should be pointing at a capped GCS, read the cap. + * We don't enforce that this is in a GCS page, if it is not + * then faults will be generated on GCS operations - the main + * concern is to protect GCS pages. + */ + ret = copy_from_user(&cap, gcspr_el0, sizeof(cap)); + if (ret) + return -EFAULT; + + /* + * Check that the cap is the actual GCS before replacing it. + */ + if (!gcs_signal_cap_valid((u64)gcspr_el0, cap)) + return -EINVAL; + + /* Invalidate the token to prevent reuse */ + put_user_gcs(0, (__user void*)gcspr_el0, &ret); + if (ret != 0) + return -EFAULT; + + write_sysreg_s(gcspr_el0 + 1, SYS_GCSPR_EL0); + + return 0; +} + +#else +static int gcs_restore_signal(void) { return 0; } +#endif + SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); @@ -927,6 +989,9 @@ SYSCALL_DEFINE0(rt_sigreturn) if (restore_sigframe(regs, frame)) goto badframe; + if (gcs_restore_signal()) + goto badframe; + if (restore_altstack(&frame->uc.uc_stack)) goto badframe; @@ -1189,7 +1254,48 @@ static int get_sigframe(struct rt_sigframe_user_layout *user, return 0; } -static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, +#ifdef CONFIG_ARM64_GCS + +static int gcs_signal_entry(__sigrestore_t sigtramp, struct ksignal *ksig) +{ + unsigned long __user *gcspr_el0; + int ret = 0; + + if (!system_supports_gcs()) + return 0; + + if (!task_gcs_el0_enabled(current)) + return 0; + + /* + * We are entering a signal handler, current register state is + * active. + */ + gcspr_el0 = (unsigned long __user *)read_sysreg_s(SYS_GCSPR_EL0); + + /* + * Push a cap and the GCS entry for the trampoline onto the GCS. + */ + put_user_gcs((unsigned long)sigtramp, gcspr_el0 - 2, &ret); + put_user_gcs(GCS_SIGNAL_CAP(gcspr_el0 - 1), gcspr_el0 - 1, &ret); + if (ret != 0) + return ret; + + gcspr_el0 -= 2; + write_sysreg_s((unsigned long)gcspr_el0, SYS_GCSPR_EL0); + + return 0; +} +#else + +static int gcs_signal_entry(__sigrestore_t sigtramp, struct ksignal *ksig) +{ + return 0; +} + +#endif + +static int setup_return(struct pt_regs *regs, struct ksignal *ksig, struct rt_sigframe_user_layout *user, int usig) { __sigrestore_t sigtramp; @@ -1197,7 +1303,7 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, regs->regs[0] = usig; regs->sp = (unsigned long)user->sigframe; regs->regs[29] = (unsigned long)&user->next_frame->fp; - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler; /* * Signal delivery is a (wacky) indirect function call in @@ -1240,12 +1346,14 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, if (system_supports_poe()) write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0); - if (ka->sa.sa_flags & SA_RESTORER) - sigtramp = ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) + sigtramp = ksig->ka.sa.sa_restorer; else sigtramp = VDSO_SYMBOL(current->mm->context.vdso, sigtramp); regs->regs[30] = (unsigned long)sigtramp; + + return gcs_signal_entry(sigtramp, ksig); } static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, @@ -1268,7 +1376,7 @@ static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, err |= __save_altstack(&frame->uc.uc_stack, regs->sp); err |= setup_sigframe(&user, regs, set); if (err == 0) { - setup_return(regs, &ksig->ka, &user, usig); + err = setup_return(regs, ksig, &user, usig); if (ksig->ka.sa.sa_flags & SA_SIGINFO) { err |= copy_siginfo_to_user(&frame->info, &ksig->info); regs->regs[1] = (unsigned long)&frame->info;