From: Linus Torvalds
Date: Mon, 2 Jul 2018 13:22:49 -0700
Subject: Re: [RFC PATCH for 4.18 1/2] rseq: validate rseq_cs fields are < TASK_SIZE
To: Andrew Lutomirski
Cc: Mathieu Desnoyers, Thomas Gleixner, Linux Kernel Mailing List, Linux API, Peter Zijlstra, Paul McKenney, Boqun Feng, Dave Watson, Paul Turner, Andrew Morton, Russell King - ARM Linux, Ingo Molnar, Peter Anvin, Andi Kleen, Christoph Lameter, Ben Maurer, Steven Rostedt, Josh Triplett, Catalin Marinas, Will Deacon, Michael Kerrisk, Joel Fernandes
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 2, 2018 at 1:13 PM Andy Lutomirski wrote:
>
> Like this:
>
> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
> index 3b2490b81918..ec40223c8856 100644
> --- a/arch/x86/entry/common.c
> +++ b/arch/x86/entry/common.c
> @@ -170,6 +170,26 @@ static void exit_to_usermode_loop(struct pt_regs
> *regs, u32 cached_flags)
>         if (cached_flags & _TIF_USER_RETURN_NOTIFY)
>                 fire_user_return_notifiers();
>
> +       if (unlikely(!user_64bit_mode(regs) &&
> +                    (regs->ip & 0xffffffff00000000ull))) {

I'd be afraid that code generation is atrocious. So more something like
this:

    static noinline void send_sigsegv(..)
    {
    }

    ...

    if (unlikely(!user_64bit_mode(regs))) {
            if (unlikely(*(1 + (u32 *)&regs->ip)))
                    send_sigsegv(tsk);

to make sure it doesn't do crazy big constants in the normal path, and
doesn't allocate silly stack frames.

But as mentioned, I'm not entirely convinced this is worth it. But I
wasn't sure it's worth it for rseq.

So basically, *if* we do these kinds of checks, I'd personally rather do
a *generic* "we don't return to garbage 64-bit values in compat mode"
than have special case code that is only for rseq and is truly irrelevant
to all normal cases.

The generic case might even be worth a test-case. And if we do that, we
should probably check that we don't do something odd like sign-extending
the %rip value we load from stack for signal return etc, that just
happens to work because nobody cared about the upper bits.

So there's a lot of these kinds of small details that are of questionable
importance, but might in theory be worth it.

               Linus
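Review bot: the quoted hunk stops at the opening brace of the new `if`, so the action taken when a compat task's `regs->ip` has its upper 32 bits set (forcing SIGSEGV, going by the reply) is not visible, and the `+170,26` count in the `@@ -170,6 +170,26 @@` header cannot be reconciled with the five lines shown; the complete hunk should be posted. On the condition itself, `!user_64bit_mode(regs) && (regs->ip & 0xffffffff00000000ull)` places a 64-bit immediate on every pass through exit_to_usermode_loop(); nesting the ip test under a separate `if (unlikely(!user_64bit_mode(regs)))` and reading only the high 32-bit half of ip keeps the common 64-bit path to one predicted branch and no wide constant.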
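As an added illustration, not code from this thread or from the kernel, the two forms of the compat-mode RIP check discussed above side by side, followed by the sign-extension pitfall Linus mentions for a 32-bit %eip restored from a signal frame. The pt_regs fields are reduced to plain ip and cs values, user_64bit_mode() is a stand-in for the kernel helper, and the selector constants are assumptions following x86-64 Linux.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed selector values following x86-64 Linux: __USER_CS is 0x33,
 * __USER32_CS is 0x23; user_64bit_mode() is a stand-in for the kernel helper. */
#define FAKE_USER_CS   0x33u
#define FAKE_USER32_CS 0x23u
static bool user_64bit_mode(uint64_t cs) { return cs == FAKE_USER_CS; }

/* Andy's form: AND with a 64-bit immediate on every compat return. */
static bool ip_high_bits_by_mask(uint64_t ip)
{
    return (ip & 0xffffffff00000000ull) != 0;
}

/* Linus's form: test the high 32-bit half directly (second u32 of the field on
 * little-endian x86). memcpy replaces the pointer cast from the mail so the
 * code is alias-clean; it is the same 32-bit load with no 64-bit constant. */
static bool ip_high_bits_by_half(uint64_t ip)
{
    uint32_t hi;
    memcpy(&hi, (const unsigned char *)&ip + 4, sizeof(hi));
    return hi != 0;
}

/* The generic check Linus argues for: refuse (SIGSEGV) a return to a compat
 * task whose RIP has garbage in the upper 32 bits; 64-bit tasks are untouched. */
static bool compat_return_needs_sigsegv(uint64_t ip, uint64_t cs)
{
    if (user_64bit_mode(cs))
        return false;
    return ip_high_bits_by_half(ip);
}

/* The sign-extension pitfall from the mail: a 32-bit signal frame stores eip
 * as 32 bits, and widening it through a signed type sets the upper bits for
 * any eip >= 0x80000000, so the generic check would fire on a valid address. */
static uint64_t widen_eip_signed(uint32_t frame_eip)   /* the pitfall */
{
    return (uint64_t)(int64_t)(int32_t)frame_eip;
}
static uint64_t widen_eip_unsigned(uint32_t frame_eip) /* correct widening */
{
    return (uint64_t)frame_eip;
}
```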