Re: [PATCH V5 08/11] riscv: Support HAVE_IRQ_EXIT_ON_IRQ_STACK
From: Peter Zijlstra
Date: Tue Sep 20 2022 - 03:28:23 EST
On Tue, Sep 20, 2022 at 02:08:55PM +0800, Guo Ren wrote:
> On Mon, Sep 19, 2022 at 9:45 PM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> >
> > On Sun, Sep 18, 2022 at 11:52:43AM -0400, guoren@xxxxxxxxxx wrote:
> >
> > > +ENTRY(call_on_stack)
> > > + /* Create a frame record to save our ra and fp */
> > > + addi sp, sp, -RISCV_SZPTR
> > > + REG_S ra, (sp)
> > > + addi sp, sp, -RISCV_SZPTR
> > > + REG_S fp, (sp)
> > > +
> > > + /* Save sp in fp */
> > > + move fp, sp
> > > +
> > > + /* Move to the new stack and call the function there */
> > > + li a3, IRQ_STACK_SIZE
> > > + add sp, a1, a3
> > > + jalr a2
> > > +
> > > + /*
> > > + * Restore sp from prev fp, and fp, ra from the frame
> > > + */
> > > + move sp, fp
> > > + REG_L fp, (sp)
> > > + addi sp, sp, RISCV_SZPTR
> > > + REG_L ra, (sp)
> > > + addi sp, sp, RISCV_SZPTR
> > > + ret
> > > +ENDPROC(call_on_stack)
> >
> > IIRC x86_64 moved away from a stack-switch function like this because it
> > presents a convenient exploit gadget.
> I found:
> https://lore.kernel.org/all/20210204204903.350275743@xxxxxxxxxxxxx/
>
> - The fact that the stack switching code ended up being an easy to find
> exploit gadget.
>
> What's the exploit gadget? Do you have a ref link? Thx.
Sadly no, I do not. Kees might. But basically it boils down to this
function taking both a stack pointer and a function pointer as
arguments (@a1 and @a2 resp. if I'm not reading this wrong).
If an attacker can call this with arguments of its choice then it gains
full control of subsequent execution.