Re: [PATCH v2 07/39] x86/cet: Add user control-protection fault handler
From: Peter Zijlstra
Date: Wed Oct 05 2022 - 05:40:46 EST
On Thu, Sep 29, 2022 at 03:29:04PM -0700, Rick Edgecombe wrote:
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index d62b2cb85cea..b7dde8730236 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -229,16 +223,74 @@ enum cp_error_code {
> CP_ENCL = 1 << 15,
> };
>
> -DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
> +#ifdef CONFIG_X86_SHADOW_STACK
> +static const char * const control_protection_err[] = {
> + "unknown",
> + "near-ret",
> + "far-ret/iret",
> + "endbranch",
> + "rstorssp",
> + "setssbsy",
> +};
> +
> +static DEFINE_RATELIMIT_STATE(cpf_rate, DEFAULT_RATELIMIT_INTERVAL,
> + DEFAULT_RATELIMIT_BURST);
> +
> +static void do_user_control_protection_fault(struct pt_regs *regs,
> + unsigned long error_code)
> {
> - if (!cpu_feature_enabled(X86_FEATURE_IBT)) {
> - pr_err("Unexpected #CP\n");
> - BUG();
> + struct task_struct *tsk;
> + unsigned long ssp;
> +
> + /* Read SSP before enabling interrupts. */
> + rdmsrl(MSR_IA32_PL3_SSP, ssp);
> +
> + cond_local_irq_enable(regs);
> +
> + if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
> + WARN_ONCE(1, "User-mode control protection fault with shadow support disabled\n");
> +
> + tsk = current;
> + tsk->thread.error_code = error_code;
> + tsk->thread.trap_nr = X86_TRAP_CP;
> +
> + /* Ratelimit to prevent log spamming. */
> + if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
> + __ratelimit(&cpf_rate)) {
> + unsigned int cpec;
> +
> + cpec = error_code & CP_EC;
> + if (cpec >= ARRAY_SIZE(control_protection_err))
> + cpec = 0;
> +
> + pr_emerg("%s[%d] control protection ip:%lx sp:%lx ssp:%lx error:%lx(%s)%s",
> + tsk->comm, task_pid_nr(tsk),
> + regs->ip, regs->sp, ssp, error_code,
> + control_protection_err[cpec],
> + error_code & CP_ENCL ? " in enclave" : "");
> + print_vma_addr(KERN_CONT " in ", regs->ip);
> + pr_cont("\n");
> }
>
> - if (WARN_ON_ONCE(user_mode(regs) || (error_code & CP_EC) != CP_ENDBR))
> - return;
Why are you removing the (error_code & CP_EC) != CP_ENDBR check from the
kernel handler?
> + force_sig_fault(SIGSEGV, SEGV_CPERR, (void __user *)0);
> + cond_local_irq_disable(regs);
> +}
> +#else
> +static void do_user_control_protection_fault(struct pt_regs *regs,
> + unsigned long error_code)
> +{
> + WARN_ONCE(1, "User-mode control protection fault with shadow support disabled\n");
> +}
> +#endif
> +
> +#ifdef CONFIG_X86_KERNEL_IBT
> +
> +static __ro_after_init bool ibt_fatal = true;
> +
> +extern void ibt_selftest_ip(void); /* code label defined in asm below */
>
> +static void do_kernel_control_protection_fault(struct pt_regs *regs)
> +{
> if (unlikely(regs->ip == (unsigned long)&ibt_selftest_ip)) {
> regs->ax = 0;
> return;
> @@ -283,9 +335,29 @@ static int __init ibt_setup(char *str)
> }
>
> __setup("ibt=", ibt_setup);
> -
> +#else
> +static void do_kernel_control_protection_fault(struct pt_regs *regs)
> +{
> + WARN_ONCE(1, "Kernel-mode control protection fault with IBT disabled\n");
> +}
> #endif /* CONFIG_X86_KERNEL_IBT */
>
> +#if defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK)
> +DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
> +{
> + if (!cpu_feature_enabled(X86_FEATURE_IBT) &&
> + !cpu_feature_enabled(X86_FEATURE_SHSTK)) {
> + pr_err("Unexpected #CP\n");
> + BUG();
> + }
> +
> + if (user_mode(regs))
> + do_user_control_protection_fault(regs, error_code);
> + else
> + do_kernel_control_protection_fault(regs);
These function names are weirdly long, surely they can do without the
_fault part at the very least. And as stated above, I would really like
the kernel thing to retain the error_code argument.
> +}
> +#endif /* defined(CONFIG_X86_KERNEL_IBT) || defined(CONFIG_X86_SHADOW_STACK) */