From patchwork Sun Mar 6 06:44:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Max Filippov X-Patchwork-Id: 12770577 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80FACC433FE for ; Sun, 6 Mar 2022 06:45:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232985AbiCFGqQ (ORCPT ); Sun, 6 Mar 2022 01:46:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232667AbiCFGqP (ORCPT ); Sun, 6 Mar 2022 01:46:15 -0500 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10F1C55756; Sat, 5 Mar 2022 22:45:24 -0800 (PST) Received: by mail-pg1-x531.google.com with SMTP id 6so6437416pgg.0; Sat, 05 Mar 2022 22:45:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Vn86MqaNE+8bzgojaUINglDz6clTYZ9LAosUzacL80A=; b=YwBiiZ7I+E85ORti/PYYYhjPsIDGufl9k/7Wz8fEqsppI+xugtWhet1WCcRLgV4ZSJ xwhiCzkwiEAQKalDcMsnBA6zZAzNaMImMCitjlGxZvgqsqIMYLL/Inu7gOyOrYvqjdgy zfv59kp8Ysk4c1G21uF7aPfPKTT7FNPPmBNS2kh5GP03vlcw81StSSzoAiJWl4YCUZcZ 08XNivWE4/f2GDSiOiPtkITviGISlKed+KQMfO4CeFdiRv+sPHxqEQoFpK1oC9YlkHKe lvzoJTM8EtKYM7BsXKMGR6wKeIZsPhAfPpm6f4KNxsiXONss8iXJjbrB0CpyNffp0fvk xVYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Vn86MqaNE+8bzgojaUINglDz6clTYZ9LAosUzacL80A=; b=PWNk3p7EvXrWGCsDdj3bhASrNLZxNKpaHSIVHCzuNDQ7DJ2tNiw6NJjU3yRVUWtDA1 OEHOhrAaMNhqceSkKVPLyAX5hVtkPkwIlKSvU2dX0UXbqycIzpLBaAldFrPiMwFjCODF nJTu1JtjZAtcVmIYnRb512B/8BhGt1HMDPKR16mFxuiKWX/vtNqb+jjZT5PS+eAPDLcR 9ladK2O6UXcMQEKpANN9svZcumex1Yotaz7+Chfs9oJXoQ7n8lY3tXlEiJdshyFV4kTu i08sxkyXrGgH2m3cJH15W8B8t7Do0O7vIMnZ6qhIrA8qg5aDRxffaASq5tLh0ylu1Q8l pvoQ== X-Gm-Message-State: AOAM532nM04wM5lG19mqfkLrnu9iYHT+Xx21p+ye11LF1yag8Te5XROj IyrkXSgnsZ95o3uIOvqFxKc= X-Google-Smtp-Source: ABdhPJwlrD1njWvf7o8plAZAQF8uzPMwTsHIgRlSwPp5PehtjyHLkrtmSX+lz0vbr2eZxEKo9Lh2jQ== X-Received: by 2002:a63:5756:0:b0:36c:67bc:7f3f with SMTP id h22-20020a635756000000b0036c67bc7f3fmr5190429pgm.389.1646549123605; Sat, 05 Mar 2022 22:45:23 -0800 (PST) Received: from octofox.hsd1.ca.comcast.net ([2601:641:401:1d20:dcdb:d868:b18f:a9a8]) by smtp.gmail.com with ESMTPSA id 132-20020a62168a000000b004f40e8b3133sm12229047pfw.188.2022.03.05.22.45.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 05 Mar 2022 22:45:23 -0800 (PST) From: Max Filippov To: linux-xtensa@linux-xtensa.org Cc: Chris Zankel , linux-kernel@vger.kernel.org, Kees Cook , linux-hardening@vger.kernel.org, Max Filippov Subject: [PATCH 1/2] xtensa: rename PT_SIZE to PT_KERNEL_SIZE Date: Sat, 5 Mar 2022 22:44:34 -0800 Message-Id: <20220306064435.256328-2-jcmvbkbc@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220306064435.256328-1-jcmvbkbc@gmail.com> References: <20220306064435.256328-1-jcmvbkbc@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org PT_SIZE is used by the xtensa port to designate kernel exception frame size. In preparation for struct pt_regs size change rename PT_SIZE to PT_KERNEL_SIZE for clarity and change its definition to always cover only the kernel exception frame. Signed-off-by: Max Filippov Reviewed-by: Kees Cook --- arch/xtensa/kernel/asm-offsets.c | 2 +- arch/xtensa/kernel/entry.S | 14 +++++++------- arch/xtensa/kernel/vectors.S | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/arch/xtensa/kernel/asm-offsets.c b/arch/xtensa/kernel/asm-offsets.c index f1fd1390d069..37278e2785fb 100644 --- a/arch/xtensa/kernel/asm-offsets.c +++ b/arch/xtensa/kernel/asm-offsets.c @@ -63,7 +63,7 @@ int main(void) DEFINE(PT_AREG15, offsetof (struct pt_regs, areg[15])); DEFINE(PT_WINDOWBASE, offsetof (struct pt_regs, windowbase)); DEFINE(PT_WINDOWSTART, offsetof(struct pt_regs, windowstart)); - DEFINE(PT_SIZE, sizeof(struct pt_regs)); + DEFINE(PT_KERNEL_SIZE, offsetof(struct pt_regs, areg[16])); DEFINE(PT_AREG_END, offsetof (struct pt_regs, areg[XCHAL_NUM_AREGS])); DEFINE(PT_USER_SIZE, offsetof(struct pt_regs, areg[XCHAL_NUM_AREGS])); DEFINE(PT_XTREGS_OPT, offsetof(struct pt_regs, xtregs_opt)); diff --git a/arch/xtensa/kernel/entry.S b/arch/xtensa/kernel/entry.S index a1029a5b6a1d..77a7c8da3ff5 100644 --- a/arch/xtensa/kernel/entry.S +++ b/arch/xtensa/kernel/entry.S @@ -341,8 +341,8 @@ KABI_W _bbsi.l a2, 3, 1f /* Copy spill slots of a0 and a1 to imitate movsp * in order to keep exception stack continuous */ - l32i a3, a1, PT_SIZE - l32i a0, a1, PT_SIZE + 4 + l32i a3, a1, PT_KERNEL_SIZE + l32i a0, a1, PT_KERNEL_SIZE + 4 s32e a3, a1, -16 s32e a0, a1, -12 #endif @@ -706,12 +706,12 @@ kernel_exception_exit: addi a0, a1, -16 l32i a3, a0, 0 l32i a4, a0, 4 - s32i a3, a1, PT_SIZE+0 - s32i a4, a1, PT_SIZE+4 + s32i a3, a1, PT_KERNEL_SIZE + 0 + s32i a4, a1, PT_KERNEL_SIZE + 4 l32i a3, a0, 8 l32i a4, a0, 12 - s32i a3, a1, PT_SIZE+8 - s32i a4, a1, PT_SIZE+12 + s32i a3, a1, PT_KERNEL_SIZE + 8 + s32i a4, a1, PT_KERNEL_SIZE + 12 /* Common exception exit. * We restore the special register and the current window frame, and @@ -821,7 +821,7 @@ ENTRY(debug_exception) bbsi.l a2, PS_UM_BIT, 2f # jump if user mode - addi a2, a1, -16-PT_SIZE # assume kernel stack + addi a2, a1, -16 - PT_KERNEL_SIZE # assume kernel stack 3: l32i a0, a3, DT_DEBUG_SAVE s32i a1, a2, PT_AREG1 diff --git a/arch/xtensa/kernel/vectors.S b/arch/xtensa/kernel/vectors.S index 407ece204e7c..1073fe4a584d 100644 --- a/arch/xtensa/kernel/vectors.S +++ b/arch/xtensa/kernel/vectors.S @@ -88,7 +88,7 @@ ENDPROC(_UserExceptionVector) * Kernel exception vector. (Exceptions with PS.UM == 0, PS.EXCM == 0) * * We get this exception when we were already in kernel space. - * We decrement the current stack pointer (kernel) by PT_SIZE and + * We decrement the current stack pointer (kernel) by PT_KERNEL_SIZE and * jump to the first-level handler associated with the exception cause. * * Note: we need to preserve space for the spill region. @@ -100,7 +100,7 @@ ENTRY(_KernelExceptionVector) xsr a3, excsave1 # save a3, and get dispatch table wsr a2, depc # save a2 - addi a2, a1, -16-PT_SIZE # adjust stack pointer + addi a2, a1, -16 - PT_KERNEL_SIZE # adjust stack pointer s32i a0, a2, PT_AREG0 # save a0 to ESF rsr a0, exccause # retrieve exception cause s32i a0, a2, PT_DEPC # mark it as a regular exception From patchwork Sun Mar 6 06:44:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Max Filippov X-Patchwork-Id: 12770578 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E4CFC433F5 for ; Sun, 6 Mar 2022 06:45:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233001AbiCFGqS (ORCPT ); Sun, 6 Mar 2022 01:46:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50370 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232994AbiCFGqR (ORCPT ); Sun, 6 Mar 2022 01:46:17 -0500 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 639ED5520E; Sat, 5 Mar 2022 22:45:25 -0800 (PST) Received: by mail-pg1-x52c.google.com with SMTP id o23so10954082pgk.13; Sat, 05 Mar 2022 22:45:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Zp9QIUhBG8OJ8x8CE4qO1HhBpaKE+3Che/Qmp0Ai6ko=; b=REQkqHxdITNVnOCWzGsTiQNSXvvXNkJTV+EUOygAERP4xNm1Ql4y05mDbvLKWL4f/U 2SpXin/D0WaC2/ICGpZ9OWkBlKetshYPUVLqif0LpxfFlTBtk/49ad9oLsP28wnVSWQO /wPQP2yCgL7Y/ieNuD9ElbG6cPlglxiHFVj+3pGP1Lq41e0P3rqZ9qHspxLY0TcMYnQC R1Wyd4pks3og8iFbkPXlVkZcGd72wkHRmcS6CfnBnJuMguag6Amvl9S8HqLqHLPVeQdV U0ZyU8NESW5uq9Ly+kICiIqnDyqxAEShjaI1h8sKl7U3NEpS6s6idP90AHG7wli3I3St e5fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Zp9QIUhBG8OJ8x8CE4qO1HhBpaKE+3Che/Qmp0Ai6ko=; b=5hzI9xqbVp7CHytFajA7L58YIYdKfRF6qoeweYWVbP/YK44UII6gyYdLPKAHIaBM7w RYWZwwIxAvCu+zh3SPbqWI2x3fXRTmlK7CbmISqDZePlu0Nk2J1XymAVDN5jcoOxVmEu cbilmdZzu1l7/BlwIB+bDD2pCWMQoZKjBhKnYoGLYAZ/t1sCe9zayZpzFOKkXyp3wQpq 9LM8C53uHzZbb98rquAk42QtUng0GrHSz5Ga5VFobwZcqEqPc+tuD75SqHeBemtQtLBU 99MqJBlHApPQ8nAH8ZNcdZSIXN7nGj7n9ZWQMLGFmAXxc0TPlzN/hlOkQHElrxqkaOJV agJQ== X-Gm-Message-State: AOAM531RU6TxmKaicyKPAjVgF4bOlqLecf0EipkjlgEa0qjjZUs3E3WT IO4x3L32/JtZSlHPiL2vBSc= X-Google-Smtp-Source: ABdhPJzoLTMh64KfZAjnVf2ShWlrVil6iQL0UvGQlmJEk2oq/DSbszs2UzjmQkZzm/tRE4Hi8M1iJQ== X-Received: by 2002:a05:6a00:1687:b0:4e1:45d:3ded with SMTP id k7-20020a056a00168700b004e1045d3dedmr7211330pfc.0.1646549124892; Sat, 05 Mar 2022 22:45:24 -0800 (PST) Received: from octofox.hsd1.ca.comcast.net ([2601:641:401:1d20:dcdb:d868:b18f:a9a8]) by smtp.gmail.com with ESMTPSA id 132-20020a62168a000000b004f40e8b3133sm12229047pfw.188.2022.03.05.22.45.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 05 Mar 2022 22:45:24 -0800 (PST) From: Max Filippov To: linux-xtensa@linux-xtensa.org Cc: Chris Zankel , linux-kernel@vger.kernel.org, Kees Cook , linux-hardening@vger.kernel.org, Max Filippov Subject: [PATCH 2/2] xtensa: use XCHAL_NUM_AREGS as pt_regs::areg size Date: Sat, 5 Mar 2022 22:44:35 -0800 Message-Id: <20220306064435.256328-3-jcmvbkbc@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220306064435.256328-1-jcmvbkbc@gmail.com> References: <20220306064435.256328-1-jcmvbkbc@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org struct pt_regs is used to access both kernel and user exception frames. User exception frames may contain up to XCHAL_NUM_AREG registers that task creation and signal delivery code may access, but pt_regs::areg array has only 16 entries that cover only the kernel exception frame. This results in the following build error: arch/xtensa/kernel/process.c: In function 'copy_thread': arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above array bounds of 'long unsigned int[16]' [-Werror=array-bounds] 262 | put_user(regs->areg[caller_ars+1], Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers the whole user exception frame. Adjust task_pt_regs and drop additional register copying code from copy_thread now that the whole user exception stack frame is copied. Reported-by: Kees Cook Signed-off-by: Max Filippov Reviewed-by: Kees Cook --- arch/xtensa/include/asm/ptrace.h | 7 +++---- arch/xtensa/kernel/process.c | 10 ---------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/arch/xtensa/include/asm/ptrace.h b/arch/xtensa/include/asm/ptrace.h index b109416dc07e..308f209a4740 100644 --- a/arch/xtensa/include/asm/ptrace.h +++ b/arch/xtensa/include/asm/ptrace.h @@ -44,6 +44,7 @@ #ifndef __ASSEMBLY__ #include +#include /* * This struct defines the way the registers are stored on the @@ -77,14 +78,12 @@ struct pt_regs { /* current register frame. * Note: The ESF for kernel exceptions ends after 16 registers! */ - unsigned long areg[16]; + unsigned long areg[XCHAL_NUM_AREGS]; }; -#include - # define arch_has_single_step() (1) # define task_pt_regs(tsk) ((struct pt_regs*) \ - (task_stack_page(tsk) + KERNEL_STACK_SIZE - (XCHAL_NUM_AREGS-16)*4) - 1) + (task_stack_page(tsk) + KERNEL_STACK_SIZE) - 1) # define user_mode(regs) (((regs)->ps & 0x00000020)!=0) # define instruction_pointer(regs) ((regs)->pc) # define return_pointer(regs) (MAKE_PC_FROM_RA((regs)->areg[0], \ diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index bd80df890b1e..e8bfbca5f001 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -232,10 +232,6 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, p->thread.ra = MAKE_RA_FOR_CALL( (unsigned long)ret_from_fork, 0x1); - /* This does not copy all the regs. - * In a bout of brilliance or madness, - * ARs beyond a0-a15 exist past the end of the struct. - */ *childregs = *regs; childregs->areg[1] = usp; childregs->areg[2] = 0; @@ -265,14 +261,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, childregs->wmask = 1; childregs->windowstart = 1; childregs->windowbase = 0; - } else { - int len = childregs->wmask & ~0xf; - memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], - ®s->areg[XCHAL_NUM_AREGS - len/4], len); } - childregs->syscall = regs->syscall; - if (clone_flags & CLONE_SETTLS) childregs->threadptr = tls; } else {