Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler

From: Andy Lutomirski
Date: Mon Oct 03 2022 - 18:52:22 EST

Next message: Stephen Rothwell: "linux-next: manual merge of the vfs tree with the ext3 tree"
Previous message: Stephen Rothwell: "linux-next: manual merge of the statx-dioalign tree with the f2fs tree"
In reply to: Edgecombe, Rick P: "Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler"
Next in thread: H. Peter Anvin: "Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/29/22 15:29, Rick Edgecombe wrote:

From: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>

+static void do_user_control_protection_fault(struct pt_regs *regs,
+ unsigned long error_code)
{
- if (!cpu_feature_enabled(X86_FEATURE_IBT)) {
- pr_err("Unexpected #CP\n");
- BUG();
+ struct task_struct *tsk;
+ unsigned long ssp;
+
+ /* Read SSP before enabling interrupts. */
+ rdmsrl(MSR_IA32_PL3_SSP, ssp); > +
+ cond_local_irq_enable(regs);

I feel like I'm missing something. Either PL3_SSL is context switched correctly and reading it with IRQs off is useless, or it's not context switched, and I'm very confused.

Please either improve the comment or move it after the cond_local_irq_enable().

--Andy

+
+ if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
+ WARN_ONCE(1, "User-mode control protection fault with shadow support disabled\n");
+
+ tsk = current;
+ tsk->thread.error_code = error_code;
+ tsk->thread.trap_nr = X86_TRAP_CP;
+
+ /* Ratelimit to prevent log spamming. */
+ if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
+ __ratelimit(&cpf_rate)) {
+ unsigned int cpec;
+
+ cpec = error_code & CP_EC;
+ if (cpec >= ARRAY_SIZE(control_protection_err))
+ cpec = 0;
+
+ pr_emerg("%s[%d] control protection ip:%lx sp:%lx ssp:%lx error:%lx(%s)%s",
+ tsk->comm, task_pid_nr(tsk),
+ regs->ip, regs->sp, ssp, error_code,
+ control_protection_err[cpec],
+ error_code & CP_ENCL ? " in enclave" : "");
+ print_vma_addr(KERN_CONT " in ", regs->ip);
+ pr_cont("\n");
}
- if (WARN_ON_ONCE(user_mode(regs) || (error_code & CP_EC) != CP_ENDBR))
- return;
+ force_sig_fault(SIGSEGV, SEGV_CPERR, (void __user *)0);
+ cond_local_irq_disable(regs);
+}
+#else
+static void do_user_control_protection_fault(struct pt_regs *regs,
+ unsigned long error_code)
+{
+ WARN_ONCE(1, "User-mode control protection fault with shadow support disabled\n");
+}
+#endif
+
+#ifdef CONFIG_X86_KERNEL_IBT
+
+static __ro_after_init bool ibt_fatal = true;
+
+extern void ibt_selftest_ip(void); /* code label defined in asm below */
+static void do_kernel_control_protection_fault(struct pt_regs *regs)
+{
if (unlikely(regs->ip == (unsigned long)&ibt_selftest_ip)) {
regs->ax = 0;
return;
@@ -283,9 +335,29 @@ static int __init ibt_setup(char *str)
}
__setup("ibt=", ibt_setup);
-
+#else
+static void do_kernel_control_protection_fault(struct pt_regs *regs)
+{
+ WARN_ONCE(1, "Kernel-mode control protection fault with IBT disabled\n");
+}
#endif /* CONFIG_X86_KERNEL_IBT */
+#if defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK)
+DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
+{
+ if (!cpu_feature_enabled(X86_FEATURE_IBT) &&
+ !cpu_feature_enabled(X86_FEATURE_SHSTK)) {
+ pr_err("Unexpected #CP\n");
+ BUG();
+ }
+
+ if (user_mode(regs))
+ do_user_control_protection_fault(regs, error_code);
+ else
+ do_kernel_control_protection_fault(regs);
+}
+#endif /* defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK) */
+
#ifdef CONFIG_X86_F00F_BUG
void handle_invalid_op(struct pt_regs *regs)
#else
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 0ed2e487a693..57faa287163f 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -628,7 +628,7 @@ static struct trap_array_entry trap_array[] = {
TRAP_ENTRY(exc_coprocessor_error, false ),
TRAP_ENTRY(exc_alignment_check, false ),
TRAP_ENTRY(exc_simd_coprocessor_error, false ),
-#ifdef CONFIG_X86_KERNEL_IBT
+#if defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK)
TRAP_ENTRY(exc_control_protection, false ),
#endif
};
diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
index 6b4fdf6b9542..e45ff6300c7d 100644
--- a/arch/x86/xen/xen-asm.S
+++ b/arch/x86/xen/xen-asm.S
@@ -148,7 +148,7 @@ xen_pv_trap asm_exc_page_fault
xen_pv_trap asm_exc_spurious_interrupt_bug
xen_pv_trap asm_exc_coprocessor_error
xen_pv_trap asm_exc_alignment_check
-#ifdef CONFIG_X86_KERNEL_IBT
+#if defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK)
xen_pv_trap asm_exc_control_protection
#endif
#ifdef CONFIG_X86_MCE
diff --git a/include/uapi/asm-generic/siginfo.h b/include/uapi/asm-generic/siginfo.h
index ffbe4cec9f32..0f52d0ac47c5 100644
--- a/include/uapi/asm-generic/siginfo.h
+++ b/include/uapi/asm-generic/siginfo.h
@@ -242,7 +242,8 @@ typedef struct siginfo {
#define SEGV_ADIPERR 7 /* Precise MCD exception */
#define SEGV_MTEAERR 8 /* Asynchronous ARM MTE error */
#define SEGV_MTESERR 9 /* Synchronous ARM MTE exception */
-#define NSIGSEGV 9
+#define SEGV_CPERR 10 /* Control protection fault */
+#define NSIGSEGV 10
/*
* SIGBUS si_codes

Next message: Stephen Rothwell: "linux-next: manual merge of the vfs tree with the ext3 tree"
Previous message: Stephen Rothwell: "linux-next: manual merge of the statx-dioalign tree with the f2fs tree"
In reply to: Edgecombe, Rick P: "Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler"
Next in thread: H. Peter Anvin: "Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]