From patchwork Tue Jun 13 00:10:58 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 13277747
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com, torvalds@linux-foundation.org, broonie@kernel.org
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v9 32/42] x86/shstk: Check that SSP is aligned on sigreturn
Date: Mon, 12 Jun 2023 17:10:58 -0700
Message-Id: <20230613001108.3040476-33-rick.p.edgecombe@intel.com>
In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>
References: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>

The shadow stack signal frame is read by the kernel on sigreturn.
It relies on shadow stack memory protections to prevent forgeries of this signal frame (which included the pre-signal SSP). It also relies on the shadow stack signal frame to have bit 63 set. Since this bit would not be set via typical shadow stack operations, the kernel can assume it was a value it placed there.

However, in order to support 32 bit shadow stack, the INCSSPD instruction can increment the shadow stack by 4 bytes. In this case SSP might be pointing to a region spanning two 8 byte shadow stack frames. It could confuse the checks described above.

Since the kernel only supports shadow stack in 64 bit, just check that the SSP is 8 byte aligned in the sigreturn path.

Signed-off-by: Rick Edgecombe
---
v9:
 - New patch
---
 arch/x86/kernel/shstk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index f02e8ea4f1b5..a8705f7d966c 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -252,6 +252,9 @@ static int shstk_pop_sigframe(unsigned long *ssp) unsigned long token_addr; int err; + if (!IS_ALIGNED(*ssp, 8)) + return -EINVAL; + err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp); if (unlikely(err)) return err;
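
Review bot: the alignment check added at the top of shstk_pop_sigframe() has no comment, so the reason for !IS_ALIGNED(*ssp, 8) can only be recovered from the commit message. A short comment above it, saying that INCSSPD can advance SSP by 4 bytes so that it straddles two 8 byte frames and that only 64 bit shadow stacks are supported, would keep the check from looking redundant next to the get_shstk_data() error path that follows it. The placement before the first read through *ssp is right, since nothing at a misaligned SSP should be interpreted at all.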
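
The straddling case from the commit message, worked through as an added example that is not part of the original patch or of the kernel source. It is a userspace model of only the bit 63 test the message describes; the two return addresses and all function names are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_BIT63 (1ULL << 63)

/* Constructed sample: two ordinary 64-bit return addresses as CALL would
 * push them onto the shadow stack. Neither has bit 63 set. */
static const uint64_t sample_frames[2] = {
    0x00007ffff7a12345ULL,
    0x00007ffff7b6789aULL,
};

/* Model of an 8-byte little-endian read at byte offset ssp. */
static int read_shstk(uint64_t ssp, uint64_t *out)
{
    uint64_t v = 0;

    if (ssp + 8 > sizeof(sample_frames))
        return -EFAULT;
    for (int i = 0; i < 8; i++) {
        uint64_t off = ssp + i;
        uint64_t byte = (sample_frames[off / 8] >> (8 * (off % 8))) & 0xff;
        v |= byte << (8 * i);
    }
    *out = v;
    return 0;
}

/* Without the alignment check: any value with bit 63 set is trusted. */
static int pop_sigframe_unchecked(uint64_t ssp, uint64_t *val)
{
    int err = read_shstk(ssp, val);

    if (err)
        return err;
    return (*val & FRAME_BIT63) ? 0 : -EINVAL;
}

/* With the check from the patch: a misaligned SSP is rejected first. */
static int pop_sigframe_checked(uint64_t ssp, uint64_t *val)
{
    if (ssp % 8)
        return -EINVAL;
    return pop_sigframe_unchecked(ssp, val);
}

int main(void)
{
    uint64_t v = 0;
    int r = pop_sigframe_unchecked(4, &v);
    printf("ssp=4 unchecked: %d (0x%llx)\n", r, (unsigned long long)v);
    printf("ssp=4 checked:   %d\n", pop_sigframe_checked(4, &v));
    return 0;
}
```

At offset 4 the read combines the high half of the first frame with the low half of the second, so bit 31 of an ordinary return address lands in bit 63 of the value being tested.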