[PATCH v5 02/17] x86/entry/64/compat: Fix bad fast syscall arg failure path

From: Andy Lutomirski
Date: Fri Jul 03 2015 - 15:45:11 EST

Next message: Andy Lutomirski: "[PATCH v5 01/17] selftests/x86: Add a test for 32-bit fast syscall arg faults"
Previous message: Andy Lutomirski: "[PATCH v5 03/17] uml: Fix do_signal() prototype"
In reply to: tip-bot for Ingo Molnar: "[tip:x86/asm] um: Fix do_signal() prototype"
Next in thread: tip-bot for Andy Lutomirski: "[tip:x86/asm] x86/entry/64/compat: Fix bad fast syscall arg failure path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If user code does SYSCALL32 or SYSENTER without a valid stack, then
our attempt to determine the syscall args will result in a failed
uaccess fault. Previously, we would try to recover by jumping to
the syscall exit code, but we'd run the syscall exit work even
though we never made it to the syscall entry work.

Clean it up by treating the failure path as a non-syscall entry and
exit pair.

This fixes strace's output when running the syscall_arg_fault test.
Without this fix, strace would get out of sync and would fail to
associate syscall entries with syscall exits.

Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
---
arch/x86/entry/entry_64.S | 2 +-
arch/x86/entry/entry_64_compat.S | 35 +++++++++++++++++++++++++++++++++--
2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 3bb2c4302df1..141a5d49dddc 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -613,7 +613,7 @@ ret_from_intr:
testb $3, CS(%rsp)
jz retint_kernel
/* Interrupt came from user space */
-retint_user:
+GLOBAL(retint_user)
GET_THREAD_INFO(%rcx)

/* %rcx: thread info. Interrupts are off. */
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index bb187a6a877c..efe0b1e499fa 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -425,8 +425,39 @@ cstar_tracesys:
END(entry_SYSCALL_compat)

ia32_badarg:
- ASM_CLAC
- movq $-EFAULT, RAX(%rsp)
+ /*
+ * So far, we've entered kernel mode, set AC, turned on IRQs, and
+ * saved C regs except r8-r11. We haven't done any of the other
+ * standard entry work, though. We want to bail, but we shouldn't
+ * treat this as a syscall entry since we don't even know what the
+ * args are. Instead, treat this as a non-syscall entry, finish
+ * the entry work, and immediately exit after setting AX = -EFAULT.
+ *
+ * We're really just being polite here. Killing the task outright
+ * would be a reasonable action, too. Given that the only valid
+ * way to have gotten here is through the vDSO, and we already know
+ * that the stack pointer is bad, the task isn't going to survive
+ * for long no matter what we do.
+ */
+
+ ASM_CLAC /* undo STAC */
+ movq $-EFAULT, RAX(%rsp) /* return -EFAULT if possible */
+
+ /* Fill in the rest of pt_regs */
+ xorl %eax, %eax
+ movq %rax, R11(%rsp)
+ movq %rax, R10(%rsp)
+ movq %rax, R9(%rsp)
+ movq %rax, R8(%rsp)
+ SAVE_EXTRA_REGS
+
+ /* Turn IRQs back off. */
+ DISABLE_INTERRUPTS(CLBR_NONE)
+ TRACE_IRQS_OFF
+
+ /* And exit again. */
+ jmp retint_user
+
ia32_ret_from_sys_call:
xorl %eax, %eax /* Do not leak kernel information */
movq %rax, R11(%rsp)
--
2.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Lutomirski: "[PATCH v5 01/17] selftests/x86: Add a test for 32-bit fast syscall arg faults"
Previous message: Andy Lutomirski: "[PATCH v5 03/17] uml: Fix do_signal() prototype"
In reply to: tip-bot for Ingo Molnar: "[tip:x86/asm] um: Fix do_signal() prototype"
Next in thread: tip-bot for Andy Lutomirski: "[tip:x86/asm] x86/entry/64/compat: Fix bad fast syscall arg failure path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]