From patchwork Thu Aug 8 00:12:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 11083009 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4DB0313B1 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3FA2428AD6 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 343FB28AD7; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C6DA028AD3 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389044AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400 Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730459AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519345" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700 
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 01/11] x86/sgx: Fix an SECS collision with enclave page at VA=0
Date: Wed, 7 Aug 2019 17:12:44 -0700
Message-Id: <20190808001254.11926-2-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Detect the SECS in paging related flows by explicitly checking the page against the enclave's SECS page. Assuming a page with VA=0 is the SECS will break enclaves that actually use VA=0, which is extremely unlikely but theoretically possible.
Signed-off-by: Sean Christopherson
---
arch/x86/kernel/cpu/sgx/encl.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index 909af9a664f0..6da1c36a01e6 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -12,10 +12,14 @@
#include "encls.h"
#include "sgx.h"
+static bool sgx_encl_is_secs(struct sgx_encl *encl, struct sgx_encl_page *page)
+{
+ return page == &encl->secs;
+}
+
static int __sgx_encl_eldu(struct sgx_encl_page *encl_page,
struct sgx_epc_page *epc_page)
{
- unsigned long addr = SGX_ENCL_PAGE_ADDR(encl_page);
unsigned long va_offset = SGX_ENCL_PAGE_VA_OFFSET(encl_page);
struct sgx_encl *encl = encl_page->encl;
pgoff_t page_index = sgx_encl_get_index(encl, encl_page);
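Review bot: sgx_encl_is_secs() has no comment explaining why pointer identity with &encl->secs is the right test, and neither parameter is written through, so both can be const-qualified: `static bool sgx_encl_is_secs(const struct sgx_encl *encl, const struct sgx_encl_page *page)`. A one-line comment above it, e.g. `/* The SECS is the embedded encl->secs page; do not infer it from VA==0, which a real enclave page may use. */`, would keep the rationale that currently lives only in the commit message next to the code. __sgx_encl_eldu() continues past the end of the hunk.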
@@ -38,11 +42,11 @@ static int __sgx_encl_eldu(struct sgx_encl_page *encl_page,
goto err_pcmd;
}
- pginfo.addr = addr;
+ pginfo.addr = SGX_ENCL_PAGE_ADDR(encl_page);
pginfo.contents = (unsigned long)kmap_atomic(backing);
pginfo.metadata = (unsigned long)kmap_atomic(pcmd) + pcmd_offset;
- pginfo.secs = addr ? (unsigned long)sgx_epc_addr(encl->secs.epc_page) :
- 0;
+ pginfo.secs = sgx_encl_is_secs(encl, encl_page) ? 0 :
+ (unsigned long)sgx_epc_addr(encl->secs.epc_page);
ret = __eldu(&pginfo, sgx_epc_addr(epc_page),
sgx_epc_addr(encl_page->va_page->epc_page) + va_offset);
@@ -546,7 +550,7 @@ void sgx_encl_release(struct kref *ref)
*/
pgoff_t sgx_encl_get_index(struct sgx_encl *encl, struct sgx_encl_page *page)
{
- if (!PFN_DOWN(page->desc))
+ if (sgx_encl_is_secs(encl, page))
return PFN_DOWN(encl->size);
return PFN_DOWN(page->desc - encl->base);
From patchwork Thu Aug 8 00:12:45 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11083007
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 21C97912 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 114D028AD6 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 05FD028AD7; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A52F728AD2 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389026AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
Received: from mga09.intel.com ([134.134.136.24]:51242 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729960AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
X-IronPort-AV:
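Review bot: the removed `!PFN_DOWN(page->desc)` test also caught any page whose desc had never been set; with the identity check, a non-SECS page whose desc is zero or otherwise below encl->base now falls through to `PFN_DOWN(page->desc - encl->base)`, which wraps if desc is unsigned and yields a huge index. If every non-SECS page is guaranteed a desc inside [encl->base, encl->base + encl->size) by the time it reaches here, a one-line comment stating that invariant would help; otherwise `WARN_ON_ONCE(page->desc < encl->base);` before the return pins it cheaply. The kerneldoc that precedes this hunk is worth re-reading for a leftover reference to the VA=0 convention.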
E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519348"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 02/11] x86/sgx: Fix incorrect NULL pointer check
Date: Wed, 7 Aug 2019 17:12:45 -0700
Message-Id: <20190808001254.11926-3-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
The file pointer returned from fget() can be NULL, whereas a file's ops are guaranteed to be non-NULL.
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index f4a80585a519..89b3fb81c15b 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -801,7 +801,7 @@ static long sgx_ioc_enclave_set_attribute(struct file *filep, void __user *arg)
return -EFAULT;
attribute_file = fget(params.attribute_fd);
- if (!attribute_file->f_op)
+ if (!attribute_file)
return -EINVAL;
if (attribute_file->f_op != &sgx_provision_fops) {
From patchwork Thu Aug 8 00:12:46 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11083013
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A55F41709 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 951DA28AD2 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 89A0028ADA; Thu, 8 Aug 2019 00:13:01 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 85F9F28AD4 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387536AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730382AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
X-IronPort-AV:
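Review bot: a NULL return from fget() means params.attribute_fd is not an open descriptor, for which the conventional errno is -EBADF rather than -EINVAL: `if (!attribute_file) return -EBADF;`. Keeping -EINVAL makes a bad fd indistinguishable from the f_op mismatch rejected on the following line, which is the case -EINVAL is meant to describe. sgx_ioc_enclave_set_attribute() extends beyond the hunk on both sides.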
E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519350"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 03/11] x86/sgx: Return '0' when sgx_ioc_enclave_set_attribute() succeeds
Date: Wed, 7 Aug 2019 17:12:46 -0700
Message-Id: <20190808001254.11926-4-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Ensure the local ret variable is set to zero when being returned via the success path.
Reported-by: Shay Katz-zamir
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index 89b3fb81c15b..ebb71eb3323a 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -810,6 +810,7 @@ static long sgx_ioc_enclave_set_attribute(struct file *filep, void __user *arg)
}
encl->allowed_attributes |= SGX_ATTR_PROVISIONKEY;
+ ret = 0;
out:
fput(attribute_file);
From patchwork Thu Aug 8 00:12:47 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11083001
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6AE8613B1 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5A8AE28AD2 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4EC8C28AD5; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 019AA28AD2 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730337AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730038AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519353"
Received: from sjchrist-coffee.jf.intel.com
([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 04/11] x86/sgx: x86/sgx: Require EADD destination to be page aligned
Date: Wed, 7 Aug 2019 17:12:47 -0700
Message-Id: <20190808001254.11926-5-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Check that the destination enclave address is page aligned, i.e. bits 11:0 are zero. The userspace controlled address is used to initialize page->desc, e.g. userspace can set kernel-internal flags by passing in an unaligned address.
Reported-by: Shay Katz-zamir
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index ebb71eb3323a..ae381bf4cfd7 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -600,6 +600,9 @@ static long sgx_ioc_enclave_add_page(struct file *filep, void __user *arg)
if (copy_from_user(&addp, arg, sizeof(addp)))
return -EFAULT;
+ if (!IS_ALIGNED(addp.addr, PAGE_SIZE))
+ return -EINVAL;
+
if (copy_from_user(&secinfo, (void __user *)addp.secinfo,
sizeof(secinfo)))
return -EFAULT;
From patchwork Thu Aug 8 00:12:48 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11082999
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 319851850 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 22EC728AD3 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1734C28AD5; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BDCAA28AD4 for ; Thu, 8 Aug 2019 00:12:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730328AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729960AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
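Review bot: the alignment check is the only thing keeping bits 11:0 of a user-supplied address out of page->desc, where (per the commit message) they double as kernel-internal flags, but the code itself does not say so and a later reader could relax it as a mere hardware-alignment nicety. A comment above the check, `/* The low bits of addr land in page->desc as flag bits; never let userspace supply them. */`, would preserve that reasoning. -EINVAL is the right errno here. sgx_ioc_enclave_add_page() continues beyond the hunk.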
X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519357"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 05/11] x86/sgx: Require EADD source to be page aligned
Date: Wed, 7 Aug 2019 17:12:48 -0700
Message-Id: <20190808001254.11926-6-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Reject the EADD ioctl() if the source address provided by userspace is not page aligned. Page alignment is required by hardware, but this is not enforced on userspace as the kernel first copies the source page to an internal (page aligned) buffer. Require the userspace address to be page aligned so that the driver can, in the future, directly consume the userspace address via EADD without breaking backwards compatibility, e.g. to avoid the overhead of alloc+memcpy.
Signed-off-by: Sean Christopherson
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index ae381bf4cfd7..11d90a31e7c2 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -600,7 +600,8 @@ static long sgx_ioc_enclave_add_page(struct file *filep, void __user *arg)
if (copy_from_user(&addp, arg, sizeof(addp)))
return -EFAULT;
- if (!IS_ALIGNED(addp.addr, PAGE_SIZE))
+ if (!IS_ALIGNED(addp.addr, PAGE_SIZE) ||
+ !IS_ALIGNED(addp.src, PAGE_SIZE))
return -EINVAL;
if (copy_from_user(&secinfo, (void __user *)addp.secinfo,
From patchwork Thu Aug 8 00:12:49 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11083003
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A1F7B18A6 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9166828AD2 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8643428AD5; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3D3EB28AD3 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730433AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729960AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
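Review bot: the new alignment requirement on addp.src is a UAPI contract change that the hunk enforces but nothing documents; by the commit message it exists only so a future direct-EADD path can stay backwards compatible, which is exactly the kind of rationale that vanishes once the code is merged. The kerneldoc of the ioctl argument struct userspace fills (not part of this diff) should state that both addr and src must be PAGE_SIZE aligned and that the ioctl otherwise fails with -EINVAL. A short comment above the check would also help, e.g. `/* src is copied through a page-aligned kernel buffer today, but require alignment now so a future direct-EADD path stays compatible. */`. sgx_ioc_enclave_add_page() continues beyond the hunk.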
07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519359"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 06/11] x86/sgx: Check the bounds of the enclave address against ELRANGE
Date: Wed, 7 Aug 2019 17:12:49 -0700
Message-Id: <20190808001254.11926-7-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Reject EADD if the destination address lies outside the bounds of the enclave's ELRANGE as tracked by encl->base and encl->size. Lack of a check allows userspace to induce a #GP on EADD.
Reported-by: Shay Katz-zamir
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index 11d90a31e7c2..6a580361e20e 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -604,6 +604,9 @@ static long sgx_ioc_enclave_add_page(struct file *filep, void __user *arg)
!IS_ALIGNED(addp.src, PAGE_SIZE))
return -EINVAL;
+ if (addp.addr < encl->base || addp.addr - encl->base >= encl->size)
+ return -EINVAL;
+
if (copy_from_user(&secinfo, (void __user *)addp.secinfo,
sizeof(secinfo)))
return -EFAULT;
From patchwork Thu Aug 8 00:12:50 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11083005
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DE82C1709 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CFEFC28AD6 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C447228AD7; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 64DB728AD6 for ; Thu, 8 Aug 2019 00:13:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730462AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
Received: from mga09.intel.com ([134.134.136.24]:51242 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730038AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58
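Review bot: the range check reads encl->base and encl->size without encl->lock and before anything has verified SGX_ENCL_CREATED; in this commit's ordering the CREATED test still sits inside sgx_encl_add_page() under the lock, later in the flow, so on an enclave that has not been ECREATEd both fields hold whatever allocation left there (presumably zero) and the comparison is meaningless rather than protective. Patch 07/11 of this series moves the CREATED check to the top of the ioctl, which closes that window, but a comment here would make the ordering dependency explicit: `/* base/size are stable once SGX_ENCL_CREATED is set, which the caller has already verified. */`. Note also that a page-aligned addr with `addr - base < size` only guarantees the whole page is inside ELRANGE if encl->size is a PAGE_SIZE multiple; if ECREATE does not already enforce that, the check should compare `addr - base + PAGE_SIZE` against size. sgx_ioc_enclave_add_page() continues beyond the hunk.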
-0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519362"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 07/11] x86/sgx: Check that enclave is created at beginning of EADD/EINIT ioctl
Date: Wed, 7 Aug 2019 17:12:50 -0700
Message-Id: <20190808001254.11926-8-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Move the EADD/EINIT checks on SGX_ENCL_CREATED to the very beginning of the ioctl() flows. Deferring the check until the core code is fragile as all code leading up to that point must be careful that it only uses members of @encl that are initialized at allocation time. For example, the flush_work() call in sgx_encl_init() will crash if the enclave has not been created. Note, there is no need to take encl->lock to check SGX_ENCL_CREATED so long as SGX_ENCL_CREATED is set only after the enclave is fully initialized, it's not the kernel's responsibility to guard against sgx_encl_create() racing with EADD/EINIT. Add a comment to highlight the dependency.
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index 6a580361e20e..700d65c96b9a 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -326,6 +326,12 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
encl->base = secs->base;
encl->size = secs->size;
encl->ssaframesize = secs->ssa_frame_size;
+
+ /*
+ * Set SGX_ENCL_CREATED only after the enclave is fully prepped. This
+ * allows other flows to check if the enclave has been created without
+ * taking encl->lock.
+ */
encl->flags |= SGX_ENCL_CREATED;
mutex_unlock(&encl->lock);
@@ -516,8 +522,7 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
mutex_lock(&encl->lock);
- if (!(encl->flags & SGX_ENCL_CREATED) ||
- (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD))) {
+ if (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD)) {
ret = -EFAULT;
goto out;
}
@@ -597,6 +602,9 @@ static long sgx_ioc_enclave_add_page(struct file *filep, void __user *arg)
void *data;
int ret;
+ if (!(encl->flags & SGX_ENCL_CREATED))
+ return -EINVAL;
+
if (copy_from_user(&addp, arg, sizeof(addp)))
return -EFAULT;
@@ -685,8 +693,7 @@ static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
mutex_lock(&encl->lock);
- if (!(encl->flags & SGX_ENCL_CREATED) ||
- (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD))) {
+ if (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD)) {
ret = -EFAULT;
goto err_out;
}
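Review bot: after this change sgx_encl_add_page() and sgx_encl_init() (the @@ -516 and @@ -685 hunks) silently depend on their callers having checked SGX_ENCL_CREATED, yet nothing at either function records the precondition; a one-line comment above each locked check, e.g. `/* Caller has already verified SGX_ENCL_CREATED; see sgx_ioc_enclave_add_page(). */`, would stop a future caller from reintroducing the crash the commit message describes. The early returns in the @@ -597 hunk and in the sgx_ioc_enclave_init() hunk on the following line also change the errno userspace sees for an uncreated enclave from -EFAULT to -EINVAL, which deserves a sentence in the commit message if it is intended. Since the new reads of encl->flags are deliberately lockless, `if (!(READ_ONCE(encl->flags) & SGX_ENCL_CREATED))` would document that intent at the read site and pair naturally with the comment added in the @@ -326 hunk. All four enclosing functions extend beyond their hunks.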
@@ -753,6 +760,9 @@ static long sgx_ioc_enclave_init(struct file *filep, void __user *arg)
struct page *initp_page;
int ret;
+ if (!(encl->flags & SGX_ENCL_CREATED))
+ return -EINVAL;
+
if (copy_from_user(&einit, arg, sizeof(einit)))
return -EFAULT;
From patchwork Thu Aug 8 00:12:51 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 11082997
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E83BF1709 for ; Thu, 8 Aug 2019 00:12:59 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D9F7B28AD2 for ; Thu, 8 Aug 2019 00:12:59 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CE3E728AD5; Thu, 8 Aug 2019 00:12:59 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F48728AD3 for ; Thu, 8 Aug 2019 00:12:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730302AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730038AbfHHAM7 (ORCPT ); Wed, 7 Aug 2019 20:12:59 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,358,1559545200";
d="scan'208";a="165519366"
Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700
From: Sean Christopherson
To: Jarkko Sakkinen
Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun
Subject: [PATCH for_v22 08/11] x86/sgx: Do not free enclave resources on redundant ECREATE
Date: Wed, 7 Aug 2019 17:12:51 -0700
Message-Id: <20190808001254.11926-9-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com>
References: <20190808001254.11926-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-sgx@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Fix a bug where sgx_encl_create() incorrectly frees the enclave's SECS and backing storage when the enclave has already been created. Freeing the structures leads to various forms of faults due to dereferencing null pointers.
Signed-off-by: Sean Christopherson
Acked-by: Jarkko Sakkinen
---
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
index 700d65c96b9a..18f6925ab2ed 100644
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -277,7 +277,7 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
if (encl->flags & SGX_ENCL_CREATED) {
ret = -EFAULT;
- goto err_out;
+ goto err_out_unlock;
}
ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm);
@@ -348,6 +348,7 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs) encl->backing = NULL; } +err_out_unlock: mutex_unlock(&encl->lock); return ret; } From patchwork Thu Aug 8 00:12:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 11083015 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B487318A6 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A49A528AD4 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9901928AD5; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 374BB28AD3 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388919AbfHHANB (ORCPT ); Wed, 7 Aug 2019 20:13:01 -0400 Received: from mga09.intel.com ([134.134.136.24]:51242 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388917AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519368" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) 
by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700 From: Sean Christopherson To: Jarkko Sakkinen Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun Subject: [PATCH for_v22 09/11] x86/sgx: Refactor error handling for user of sgx_encl_grow() Date: Wed, 7 Aug 2019 17:12:52 -0700 Message-Id: <20190808001254.11926-10-sean.j.christopherson@intel.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com> References: <20190808001254.11926-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sgx@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Refactor sgx_encl_add_page() and sgx_encl_create() to prepare for changes to sgx_encl_grow() that will introduce additional error paths. Neither approach scales well as is, and it'll help readability for both flows to use similar style error handling. No functional change intended. Signed-off-by: Sean Christopherson Acked-by: Jarkko Sakkinen --- arch/x86/kernel/cpu/sgx/driver/ioctl.c | 40 ++++++++++++++------------ 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c index 18f6925ab2ed..fec5e0a346f5 100644 --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c @@ -283,14 +283,14 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs) ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm); if (sgx_validate_secs(secs, ssaframesize)) { ret = -EINVAL; - goto err_out; + goto err_out_unlock; } backing = shmem_file_setup("SGX backing", encl_size + (encl_size >> 5), VM_NORESERVE); if (IS_ERR(backing)) { ret = PTR_ERR(backing); - goto err_out; + goto err_out_unlock; } encl->backing = backing; 
@@ -300,7 +300,7 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 secs_epc = sgx_alloc_page(&encl->secs, true);
 if (IS_ERR(secs_epc)) {
 ret = PTR_ERR(secs_epc);
- goto err_out;
+ goto err_out_backing;
 }
 encl->secs.epc_page = secs_epc;
@@ -338,15 +338,12 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 return 0;
 err_out:
- if (encl->secs.epc_page) {
- sgx_free_page(encl->secs.epc_page);
- encl->secs.epc_page = NULL;
- }
+ sgx_free_page(encl->secs.epc_page);
+ encl->secs.epc_page = NULL;
- if (encl->backing) {
- fput(encl->backing);
- encl->backing = NULL;
- }
+err_out_backing:
+ fput(encl->backing);
+ encl->backing = NULL;
 err_out_unlock:
 mutex_unlock(&encl->lock);
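Review bot: With the `if (encl->secs.epc_page)` / `if (encl->backing)` guards removed, `err_out` now frees the SECS page unconditionally and falls through into `err_out_backing`, so every remaining `goto err_out` in sgx_encl_create() (the ECREATE part of the function is outside this hunk) is only correct if it is reached after `sgx_alloc_page(&encl->secs, true)` succeeded; that holds for the paths shown here, but the ordering dependency is now implicit. A short comment above the label ladder would keep the next change from adding an early `goto err_out`: `/* Labels undo resources in reverse acquisition order and fall through; jump to the first label whose resource is actually held. */`.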
@@ -525,23 +522,28 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr, if (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD)) { ret = -EFAULT; - goto out; + goto err_out_unlock; } encl_page = sgx_encl_page_alloc(encl, addr, prot); if (IS_ERR(encl_page)) { ret = PTR_ERR(encl_page); - goto out; + goto err_out_unlock; } ret = __sgx_encl_add_page(encl, encl_page, data, secinfo, mrmask); - if (ret) { - radix_tree_delete(&encl_page->encl->page_tree, - PFN_DOWN(encl_page->desc)); - kfree(encl_page); - } + if (ret) + goto err_out; -out: + mutex_unlock(&encl->lock); + return 0; + +err_out: + radix_tree_delete(&encl_page->encl->page_tree, + PFN_DOWN(encl_page->desc)); + kfree(encl_page); + +err_out_unlock: mutex_unlock(&encl->lock); return ret; } From patchwork Thu Aug 8 00:12:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 11083011 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 91E881850 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 806F028AD2 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7537928AD7; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F2E528AD2 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389185AbfHHANA (ORCPT ); 
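Review bot: In the new `err_out:` block, `radix_tree_delete(&encl_page->encl->page_tree, PFN_DOWN(encl_page->desc))` reaches the tree through `encl_page->encl` even though `encl` is this function's own parameter and is what `sgx_encl_page_alloc(encl, addr, prot)` was handed; `radix_tree_delete(&encl->page_tree, PFN_DOWN(encl_page->desc));` is shorter and drops the extra dereference (assuming sgx_encl_page_alloc() records that same encl, which this hunk does not show). The start of sgx_encl_add_page() lies outside the hunk.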
Wed, 7 Aug 2019 20:13:00 -0400 Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388919AbfHHANA (ORCPT ); Wed, 7 Aug 2019 20:13:00 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519372" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700 
From: Sean Christopherson To: Jarkko Sakkinen Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun Subject: [PATCH for_v22 10/11] x86/sgx: Call sgx_encl_grow() with the enclave's lock held Date: Wed, 7 Aug 2019 17:12:53 -0700 Message-Id: <20190808001254.11926-11-sean.j.christopherson@intel.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com> References: <20190808001254.11926-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sgx@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Move the taking of the enclave's lock outside of sgx_encl_grow() in preparation for adding sgx_encl_shrink(), which will decrement the number of enclave pages and free any allocated VA page. When freeing a VA page, the enclave's lock needs to be held for the entire time between adding the VA page to the enclave's list and freeing the VA page so as to prevent it from being used by reclaim, e.g. to avoid a use-after-free scenario. Because sgx_encl_grow() can temporarily drop encl->lock, calling it with encl->lock held adds a subtle dependency on the ordering of checks against encl->flags, e.g. checking for SGX_ENCL_CREATED prior to calling sgx_encl_grow() could lead to a TOCTOU on ECREATE. Avoid this by passing in the disallowed flags to sgx_encl_grow() so that the the dependency is clear. Retaking encl->lock in the failure paths is a bit ugly, but the alternative is to have sgx_encl_grow() drop encl->lock in all failure paths, which is arguably worse since the caller has to know which paths do/don't drop the lock. Signed-off-by: Sean Christopherson --- arch/x86/kernel/cpu/sgx/driver/ioctl.c | 39 +++++++++----------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c index fec5e0a346f5..a531cf615f3c 100644 
--- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
@@ -22,7 +22,7 @@ struct sgx_add_page_req {
 struct list_head list;
 };
-static int sgx_encl_grow(struct sgx_encl *encl)
+static int sgx_encl_grow(struct sgx_encl *encl, unsigned int disallowed_flags)
 {
 struct sgx_va_page *va_page;
 int ret;
@@ -30,30 +30,28 @@ static int sgx_encl_grow(struct sgx_encl *encl)
 BUILD_BUG_ON(SGX_VA_SLOT_COUNT != (SGX_ENCL_PAGE_VA_OFFSET_MASK >> 3) + 1);
- mutex_lock(&encl->lock);
- if (encl->flags & SGX_ENCL_DEAD) {
- mutex_unlock(&encl->lock);
+ if (encl->flags & disallowed_flags)
 return -EFAULT;
- }
 if (!(encl->page_cnt % SGX_VA_SLOT_COUNT)) {
 mutex_unlock(&encl->lock);
 va_page = kzalloc(sizeof(*va_page), GFP_KERNEL);
- if (!va_page)
+ if (!va_page) {
+ mutex_lock(&encl->lock);
 return -ENOMEM;
+ }
+
 va_page->epc_page = sgx_alloc_va_page();
+ mutex_lock(&encl->lock);
+
 if (IS_ERR(va_page->epc_page)) {
 ret = PTR_ERR(va_page->epc_page);
 kfree(va_page);
 return ret;
- }
-
- mutex_lock(&encl->lock);
- if (encl->flags & SGX_ENCL_DEAD) {
+ } else if (encl->flags & disallowed_flags) {
 sgx_free_page(va_page->epc_page);
 kfree(va_page);
- mutex_unlock(&encl->lock);
 return -EFAULT;
 } else if (encl->page_cnt % SGX_VA_SLOT_COUNT) {
 sgx_free_page(va_page->epc_page);
@@ -63,7 +61,6 @@ static int sgx_encl_grow(struct sgx_encl *encl)
 }
 }
 encl->page_cnt++;
- mutex_unlock(&encl->lock);
 return 0;
 }
@@ -269,16 +266,11 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 struct file *backing;
 long ret;
- ret = sgx_encl_grow(encl);
- if (ret)
- return ret;
-
 mutex_lock(&encl->lock);
- if (encl->flags & SGX_ENCL_CREATED) {
- ret = -EFAULT;
+ ret = sgx_encl_grow(encl, SGX_ENCL_CREATED | SGX_ENCL_DEAD);
+ if (ret)
 goto err_out_unlock;
- }
 ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm);
 if (sgx_validate_secs(secs, ssaframesize)) {
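Review bot: sgx_encl_grow() now depends on the caller holding encl->lock and drops and re-takes it around `kzalloc()` and `sgx_alloc_va_page()`, but nothing in the function states or enforces that contract; a `lockdep_assert_held(&encl->lock);` right after the BUILD_BUG_ON would catch a caller that forgets the lock, and a header comment should spell it out, e.g. `/* Must be called with encl->lock held. Temporarily drops the lock to allocate, so callers must not cache enclave state across the call; encl->flags is re-checked against @disallowed_flags after re-locking. */`. The second `} else if (encl->flags & disallowed_flags)` branch is the post-unlock re-check the commit message describes, and a one-liner there (`/* Lock was dropped: the enclave may have changed state meanwhile. */`) would make it read as deliberate rather than as a duplicate of the first check. The `-ENOMEM` exit correctly re-takes the lock before returning, matching the other exits.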
@@ -514,16 +506,11 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr, return ret; } - ret = sgx_encl_grow(encl); - if (ret) - return ret; - mutex_lock(&encl->lock); - if (encl->flags & (SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD)) { - ret = -EFAULT; + ret = sgx_encl_grow(encl, SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD); + if (ret) goto err_out_unlock; - } encl_page = sgx_encl_page_alloc(encl, addr, prot); if (IS_ERR(encl_page)) { From patchwork Thu Aug 8 00:12:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 11083017 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3944213B1 for ; Thu, 8 Aug 2019 00:13:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 24E4B28AD2 for ; Thu, 8 Aug 2019 00:13:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 197C428AD4; Thu, 8 Aug 2019 00:13:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9CEEF28AD3 for ; Thu, 8 Aug 2019 00:13:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388917AbfHHANB (ORCPT ); Wed, 7 Aug 2019 20:13:01 -0400 Received: from mga09.intel.com ([134.134.136.24]:51237 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389045AbfHHANB (ORCPT ); Wed, 7 Aug 2019 20:13:01 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from 
orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2019 17:12:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,358,1559545200"; d="scan'208";a="165519376" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.41]) by orsmga007.jf.intel.com with ESMTP; 07 Aug 2019 17:12:58 -0700 From: Sean Christopherson To: Jarkko Sakkinen Cc: linux-sgx@vger.kernel.org, Shay Katz-zamir , Serge Ayoun Subject: [PATCH for_v22 11/11] x86/sgx: Shrink the enclave if ECREATE/EADD fails Date: Wed, 7 Aug 2019 17:12:54 -0700 Message-Id: <20190808001254.11926-12-sean.j.christopherson@intel.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190808001254.11926-1-sean.j.christopherson@intel.com> References: <20190808001254.11926-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sgx@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Add sgx_encl_shrink() to pair with sgx_encl_grow() and use it to adjust the VA page count when ECREATE or EADD fails. Return the allocated VA page from sgx_encl_grow() so that it can be freed during shrink. Signed-off-by: Sean Christopherson Acked-by: Jarkko Sakkinen --- arch/x86/kernel/cpu/sgx/driver/ioctl.c | 55 +++++++++++++++++++------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c index a531cf615f3c..173a405d59a5 100644 --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c 
@@ -22,16 +22,17 @@ struct sgx_add_page_req {
 struct list_head list;
 };
-static int sgx_encl_grow(struct sgx_encl *encl, unsigned int disallowed_flags)
+static struct sgx_va_page *sgx_encl_grow(struct sgx_encl *encl,
+ unsigned int disallowed_flags)
 {
- struct sgx_va_page *va_page;
- int ret;
+ struct sgx_va_page *va_page = NULL;
+ void *err;
 BUILD_BUG_ON(SGX_VA_SLOT_COUNT != (SGX_ENCL_PAGE_VA_OFFSET_MASK >> 3) + 1);
 if (encl->flags & disallowed_flags)
- return -EFAULT;
+ return ERR_PTR(-EFAULT);
 if (!(encl->page_cnt % SGX_VA_SLOT_COUNT)) {
 mutex_unlock(&encl->lock);
@@ -46,22 +47,34 @@ static int sgx_encl_grow(struct sgx_encl *encl, unsigned int disallowed_flags)
 mutex_lock(&encl->lock);
 if (IS_ERR(va_page->epc_page)) {
- ret = PTR_ERR(va_page->epc_page);
+ err = ERR_CAST(va_page->epc_page);
 kfree(va_page);
- return ret;
+ return err;
 } else if (encl->flags & disallowed_flags) {
 sgx_free_page(va_page->epc_page);
 kfree(va_page);
- return -EFAULT;
+ return ERR_PTR(-EFAULT);
 } else if (encl->page_cnt % SGX_VA_SLOT_COUNT) {
 sgx_free_page(va_page->epc_page);
 kfree(va_page);
+ va_page = NULL;
 } else {
 list_add(&va_page->list, &encl->va_pages);
 }
 }
 encl->page_cnt++;
- return 0;
+ return va_page;
+}
+
+static void sgx_encl_shrink(struct sgx_encl *encl, struct sgx_va_page *va_page)
+{
+ encl->page_cnt--;
+
+ if (va_page) {
+ sgx_free_page(va_page->epc_page);
+ list_del(&va_page->list);
+ kfree(va_page);
+ }
 }
 static bool sgx_process_add_page_req(struct sgx_add_page_req *req,
@@ -260,6 +273,7 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 {
 unsigned long encl_size = secs->size + PAGE_SIZE;
 struct sgx_epc_page *secs_epc;
+ struct sgx_va_page *va_page;
 unsigned long ssaframesize;
 struct sgx_pageinfo pginfo;
 struct sgx_secinfo secinfo;
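Review bot: The `return -ENOMEM;` in sgx_encl_grow()'s `if (!va_page)` branch is left returning a plain int from a function this hunk changes to return `struct sgx_va_page *`: the hunk stops at `mutex_unlock(&encl->lock);` (old line 37), the next one resumes at old line 46, and that return sits in between (it is visible as context in patch 10's hunk, untouched here). That is an int-to-pointer conversion the compiler will warn about, and it only appears to work because the negative int sign-extends to a value `IS_ERR()` happens to recognise; it should read `return ERR_PTR(-ENOMEM);`. A quick grep for any other `return -E` in the function before merging would be worthwhile.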
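Review bot: sgx_encl_shrink() frees `va_page->epc_page` while the VA page is still linked on `encl->va_pages` and only then calls `list_del()`; that is only safe because encl->lock is held for the whole sequence, as the commit message says, yet the function neither documents nor checks it. Add `lockdep_assert_held(&encl->lock);` at its top and unlink before freeing, i.e. `list_del(&va_page->list);` ahead of `sgx_free_page(va_page->epc_page);`, so that even a reader walking va_pages without the lock could never observe a freed page through the list. A comment should also pin the pairing contract with grow: `/* Undo one sgx_encl_grow(): @va_page must be exactly what that call returned (NULL when it did not allocate a VA page). */`.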
@@ -268,21 +282,23 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 mutex_lock(&encl->lock);
- ret = sgx_encl_grow(encl, SGX_ENCL_CREATED | SGX_ENCL_DEAD);
- if (ret)
+ va_page = sgx_encl_grow(encl, SGX_ENCL_CREATED | SGX_ENCL_DEAD);
+ if (IS_ERR(va_page)) {
+ ret = PTR_ERR(va_page);
 goto err_out_unlock;
+ }
 ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm);
 if (sgx_validate_secs(secs, ssaframesize)) {
 ret = -EINVAL;
- goto err_out_unlock;
+ goto err_out_shrink;
 }
 backing = shmem_file_setup("SGX backing", encl_size + (encl_size >> 5), VM_NORESERVE);
 if (IS_ERR(backing)) {
 ret = PTR_ERR(backing);
- goto err_out_unlock;
+ goto err_out_shrink;
 }
 encl->backing = backing;
@@ -337,6 +353,9 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 fput(encl->backing);
 encl->backing = NULL;
+err_out_shrink:
+ sgx_encl_shrink(encl, va_page);
+
 err_out_unlock:
 mutex_unlock(&encl->lock);
 return ret;
@@ -496,6 +515,7 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
 {
 u64 page_type = secinfo->flags & SGX_SECINFO_PAGE_TYPE_MASK;
 struct sgx_encl_page *encl_page;
+ struct sgx_va_page *va_page;
 int ret;
 if (sgx_validate_secinfo(secinfo))
@@ -508,14 +528,16 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
 mutex_lock(&encl->lock);
- ret = sgx_encl_grow(encl, SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD);
- if (ret)
+ va_page = sgx_encl_grow(encl, SGX_ENCL_INITIALIZED | SGX_ENCL_DEAD);
+ if (IS_ERR(va_page)) {
+ ret = PTR_ERR(va_page);
 goto err_out_unlock;
+ }
 encl_page = sgx_encl_page_alloc(encl, addr, prot);
 if (IS_ERR(encl_page)) {
 ret = PTR_ERR(encl_page);
- goto err_out_unlock;
+ goto err_out_shrink;
 }
 ret = __sgx_encl_add_page(encl, encl_page, data, secinfo, mrmask);
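Review bot: In sgx_encl_create() the user-supplied SECS is still validated by `sgx_validate_secs()` only after `sgx_encl_grow()` has possibly dropped encl->lock, allocated an EPC VA page and linked it onto the enclave, so a malformed ECREATE from userspace now costs a VA-page allocate/free round trip (via the new `err_out_shrink`) before it is rejected. `sgx_calc_ssaframesize()` and `sgx_validate_secs()` take only `secs` fields, not enclave state, so they could run before the `mutex_lock(&encl->lock)`/grow pair with a plain `return -EINVAL;`, leaving that check without an `err_out_shrink` target; the flags check must stay inside grow for the TOCTOU reason patch 10 gives, but pure input validation need not. If the ordering is deliberate for a reason not visible here, a comment saying so would help the next reader. The function begins before the hunk.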
@@ -530,6 +552,9 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
 PFN_DOWN(encl_page->desc));
 kfree(encl_page);
+err_out_shrink:
+ sgx_encl_shrink(encl, va_page);
+
 err_out_unlock:
 mutex_unlock(&encl->lock);
 return ret;