I broke this recently when I changed pt_regs->r8..r11 clearing logic
in INT 80 code path.
There is a branch from SYSENTER/SYSCALL code to INT 80 code:
if we fail to retrieve arg6, we return EFAULT. Before this patch,
in this case we don't clear pt_regs->r8..r11.
This patch fixes this. The resulting code is smaller and simpler.
While at it, remove incorrect comment about syscall dispatching CALL insn:
it does not use RIP-relative addressing form (the comment was meant to be
"TODO: make this rip-relative", and morphed since then, dropping "TODO").
Signed-off-by: Denys Vlasenko <[email protected]>
CC: Linus Torvalds <[email protected]>
CC: Steven Rostedt <[email protected]>
CC: Ingo Molnar <[email protected]>
CC: Borislav Petkov <[email protected]>
CC: "H. Peter Anvin" <[email protected]>
CC: Andy Lutomirski <[email protected]>
CC: Oleg Nesterov <[email protected]>
CC: Frederic Weisbecker <[email protected]>
CC: Alexei Starovoitov <[email protected]>
CC: Will Drewry <[email protected]>
CC: Kees Cook <[email protected]>
CC: [email protected]
CC: [email protected]
---
arch/x86/entry/entry_64_compat.S | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 9558dac..b80f8d4 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -413,9 +413,7 @@ END(ia32_cstar_target)
ia32_badarg:
ASM_CLAC
- movq $-EFAULT, %rax
- jmp ia32_sysret
-
+ movq $-EFAULT, RAX(%rsp)
ia32_ret_from_sys_call:
xorl %eax, %eax /* Do not leak kernel information */
movq %rax, R11(%rsp)
@@ -486,9 +484,7 @@ ia32_do_call:
cmpq $(IA32_NR_syscalls-1), %rax
ja 1f
- call *ia32_sys_call_table(, %rax, 8) /* RIP relative */
-
-ia32_sysret:
+ call *ia32_sys_call_table(, %rax, 8)
movq %rax, RAX(%rsp)
1:
jmp int_ret_from_sys_call
--
1.8.1.4
* Denys Vlasenko <[email protected]> wrote:
> I broke this recently when I changed pt_regs->r8..r11 clearing logic
> in INT 80 code path.
>
> There is a branch from SYSENTER/SYSCALL code to INT 80 code:
> if we fail to retrieve arg6, we return EFAULT. Before this patch,
> in this case we don't clear pt_regs->r8..r11.
>
> This patch fixes this. The resulting code is smaller and simpler.
So how did you notice this bug - through actual info leak testing, or review?
Thanks,
Ingo
On 06/08/2015 08:50 AM, Ingo Molnar wrote:
> * Denys Vlasenko <[email protected]> wrote:
>
>> I broke this recently when I changed pt_regs->r8..r11 clearing logic
>> in INT 80 code path.
>>
>> There is a branch from SYSENTER/SYSCALL code to INT 80 code:
>> if we fail to retrieve arg6, we return EFAULT. Before this patch,
>> in this case we don't clear pt_regs->r8..r11.
>>
>> This patch fixes this. The resulting code is smaller and simpler.
>
> So how did you notice this bug - through actual info leak testing, or review?
By reviewing my own patch.
Commit-ID: eb47854415825a69b1c578e7487da571227ba25a
Gitweb: http://git.kernel.org/tip/eb47854415825a69b1c578e7487da571227ba25a
Author: Denys Vlasenko <[email protected]>
AuthorDate: Sun, 7 Jun 2015 20:24:30 +0200
Committer: Ingo Molnar <[email protected]>
CommitDate: Mon, 8 Jun 2015 23:43:37 +0200
x86/asm/entry/32: Reinstate clearing of pt_regs->r8..r11 on EFAULT path
I broke this recently when I changed pt_regs->r8..r11 clearing
logic in INT 80 code path.
There is a branch from SYSENTER/SYSCALL code to INT 80 code:
if we fail to retrieve arg6, we return EFAULT. Before this
patch, in this case we don't clear pt_regs->r8..r11.
This patch fixes this. The resulting code is smaller and
simpler.
While at it, remove incorrect comment about syscall dispatching
CALL insn: it does not use RIP-relative addressing form (the
comment was meant to be "TODO: make this rip-relative", and
morphed since then, dropping "TODO").
Signed-off-by: Denys Vlasenko <[email protected]>
Cc: Alexei Starovoitov <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Will Drewry <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
---
arch/x86/entry/entry_64_compat.S | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 59840e3..5757dde 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -413,9 +413,7 @@ END(entry_SYSCALL_compat)
ia32_badarg:
ASM_CLAC
- movq $-EFAULT, %rax
- jmp ia32_sysret
-
+ movq $-EFAULT, RAX(%rsp)
ia32_ret_from_sys_call:
xorl %eax, %eax /* Do not leak kernel information */
movq %rax, R11(%rsp)
@@ -486,9 +484,7 @@ ia32_do_call:
cmpq $(IA32_NR_syscalls-1), %rax
ja 1f
- call *ia32_sys_call_table(, %rax, 8) /* RIP relative */
-
-ia32_sysret:
+ call *ia32_sys_call_table(, %rax, 8)
movq %rax, RAX(%rsp)
1:
jmp int_ret_from_sys_call