From: Mathieu Desnoyers
To: Peter Zijlstra, "Paul E. McKenney", Boqun Feng
Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Thomas Gleixner, Andy Lutomirski, Dave Watson, Paul Turner, Andrew Morton, Russell King, Ingo Molnar, "H. Peter Anvin", Andi Kleen, Chris Lameter, Ben Maurer, Steven Rostedt, Josh Triplett, Linus Torvalds, Catalin Marinas, Will Deacon, Michael Kerrisk, Joel Fernandes, Shuah Khan, Mathieu Desnoyers, linux-kselftest@vger.kernel.org
Subject: [RFC PATCH for 5.2 07/10] rseq/selftests: arm: use udf instruction for RSEQ_SIG
Date: Wed, 24 Apr 2019 11:24:59 -0400
Message-Id: <20190424152502.14246-8-mathieu.desnoyers@efficios.com>
In-Reply-To: <20190424152502.14246-1-mathieu.desnoyers@efficios.com>
References: <20190424152502.14246-1-mathieu.desnoyers@efficios.com>

Use udf as the guard instruction for the restartable sequence abort handler.

Previously, the chosen signature was not a valid instruction, based on the assumption that it could always sit in a literal pool. However, there are compilation environments in which literal pools are not available, for instance execute-only code. Therefore, we need to choose a signature value that is also a valid instruction.

Handle compiling with -mbig-endian on ARMv6+, which generates binaries with mixed code vs data endianness (little endian code, big endian data).

Else mismatch between code endianness for the generated signatures and data endianness for the RSEQ_SIG parameter passed to the rseq registration will trigger application segmentation faults when the kernel tries to abort rseq critical sections.

Prior to ARMv6, -mbig-endian generates big-endian code and data, so endianness should not be reversed in that case.

Signed-off-by: Mathieu Desnoyers
CC: Peter Zijlstra
CC: Thomas Gleixner
CC: Joel Fernandes
CC: Catalin Marinas
CC: Dave Watson
CC: Will Deacon
CC: Shuah Khan
CC: Andi Kleen
CC: linux-kselftest@vger.kernel.org
CC: "H. Peter Anvin"
CC: Chris Lameter
CC: Russell King
CC: Michael Kerrisk
CC: "Paul E. McKenney"
CC: Paul Turner
CC: Boqun Feng
CC: Josh Triplett
CC: Steven Rostedt
CC: Ben Maurer
CC: linux-api@vger.kernel.org
CC: Andy Lutomirski
CC: Andrew Morton
CC: Linus Torvalds
--- tools/testing/selftests/rseq/rseq-arm.h | 52 +++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/rseq/rseq-arm.h b/tools/testing/selftests/rseq/rseq-arm.h index 5f262c54364f..e8ccfc37d685 100644 --- a/tools/testing/selftests/rseq/rseq-arm.h +++ b/tools/testing/selftests/rseq/rseq-arm.h
@@ -5,7 +5,54 @@ * (C) Copyright 2016-2018 - Mathieu Desnoyers */ -#define RSEQ_SIG 0x53053053 +/* + * RSEQ_SIG uses the udf A32 instruction with an uncommon immediate operand + * value 0x5de3. This traps if user-space reaches this instruction by mistake, + * and the uncommon operand ensures the kernel does not move the instruction + * pointer to attacker-controlled code on rseq abort. + * + * The instruction pattern in the A32 instruction set is: + * + * e7f5def3 udf #24035 ; 0x5de3 + * + * This translates to the following instruction pattern in the T16 instruction + * set: + * + * little endian: + * def3 udf #243 ; 0xf3 + * e7f5 b.n <7f5> + * + * pre-ARMv6 big endian code: + * e7f5 b.n <7f5> + * def3 udf #243 ; 0xf3 + * + * ARMv6+ -mbig-endian generates mixed endianness code vs data: little-endian + * code and big-endian data. Ensure the RSEQ_SIG data signature matches code + * endianness. Prior to ARMv6, -mbig-endian generates big-endian code and data + * (which match), so there is no need to reverse the endianness of the data + * representation of the signature. However, the choice between BE32 and BE8 + * is done by the linker, so we cannot know whether code and data endianness + * will be mixed before the linker is invoked. + */ + +#define RSEQ_SIG_CODE 0xe7f5def3 + +#ifndef __ASSEMBLER__ + +#define RSEQ_SIG_DATA \ + ({ \ + int sig; \ + asm volatile ( "b 2f\n\t" \ + "1: .inst " __rseq_str(RSEQ_SIG_CODE) "\n\t" \ + "2:\n\t" \ + "ldr %[sig], 1b\n\t" \ + : [sig] "=r" (sig)); \ + sig; \ + }) + +#define RSEQ_SIG RSEQ_SIG_DATA + +#endif #define rseq_smp_mb() __asm__ __volatile__ ("dmb" ::: "memory", "cc") #define rseq_smp_rmb() __asm__ __volatile__ ("dmb" ::: "memory", "cc") 
@@ -78,7 +125,8 @@ do { \ __rseq_str(table_label) ":\n\t" \ ".word " __rseq_str(version) ", " __rseq_str(flags) "\n\t" \ ".word " __rseq_str(start_ip) ", 0x0, " __rseq_str(post_commit_offset) ", 0x0, " __rseq_str(abort_ip) ", 0x0\n\t" \ - ".word " __rseq_str(RSEQ_SIG) "\n\t" \ + ".arm\n\t" \ + ".inst " __rseq_str(RSEQ_SIG_CODE) "\n\t" \ __rseq_str(label) ":\n\t" \ teardown \ "b %l[" __rseq_str(abort_label) "]\n\t" -- 2.11.0
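
Review bot: In the first hunk, RSEQ_SIG_DATA obtains the signature with `ldr %[sig], 1b`, which is a data load from the instruction stream, while the commit message motivates the change with execute-only code, where text cannot be read as data. If the selftests are only expected to run with readable text, the comment above RSEQ_SIG_CODE should say so; otherwise the data-endian value has to come from something other than a load of the text. In the same macro, `int sig;` holds 0xe7f5def3, which is negative as a signed int, so an unsigned 32-bit type would be the better fit for a raw signature word. RSEQ_SIG also stops being a constant expression and is only defined under `#ifndef __ASSEMBLER__`, which deserves a line in the comment for anyone using it in an initializer or from assembly.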
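
Review bot: In the second hunk, `.arm` is emitted before `.inst` and nothing in the lines shown restores the previous instruction set, so `label:`, `teardown` and the `b` to the abort label that follow are assembled as A32 however the file is compiled. The comment added in the first hunk spells out how the word decodes in T16, which suggests Thumb builds are a concern; if they are meant to work, restore the mode after the `.inst`, and if they are not, a build-time check or a comment stating that this header is A32-only would make that explicit.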
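
The endianness reasoning in the commit message and in the patch comment can be checked with a small host-side model. This is an added example, not code from the patch or the kernel tree: it models the signature word as a 4-byte array, and the helper names (`store32`, `load32`, `udf_a32_imm16`, `sig_seen_as_data`, `thumb_halfword`) are hypothetical; only `RSEQ_SIG_CODE` and the old value 0x53053053 come from the patch.

```c
#include <stdint.h>
#include <stdio.h>

#define RSEQ_SIG_CODE 0xe7f5def3u	/* value from the patch */

/* Store/load a 32-bit word in a chosen byte order (be != 0: big endian). */
static void store32(uint8_t m[4], uint32_t v, int be)
{
	for (int i = 0; i < 4; i++)
		m[i] = (uint8_t)(v >> (be ? 24 - 8 * i : 8 * i));
}

static uint32_t load32(const uint8_t m[4], int be)
{
	uint32_t v = 0;
	for (int i = 0; i < 4; i++)
		v |= (uint32_t)m[i] << (be ? 24 - 8 * i : 8 * i);
	return v;
}

/* A32 udf: cond=1110, bits[27:20]=0x7f, imm12 in [19:8], bits[7:4]=0xf,
 * imm4 in [3:0]. Returns the 16-bit immediate, or -1 if not a udf. */
static int udf_a32_imm16(uint32_t insn)
{
	if ((insn & 0xfff000f0u) != 0xe7f000f0u)
		return -1;
	return (int)(((insn >> 4) & 0xfff0u) | (insn & 0xfu));
}

/* Word obtained when the emitted signature is read back as data. */
static uint32_t sig_seen_as_data(int code_be, int data_be)
{
	uint8_t text[4];
	store32(text, RSEQ_SIG_CODE, code_be);
	return load32(text, data_be);
}

/* T16 halfword number idx (0 or 1) fetched from the same four bytes. */
static uint16_t thumb_halfword(int code_be, int idx)
{
	uint8_t t[4];
	store32(t, RSEQ_SIG_CODE, code_be);
	return code_be ? (uint16_t)(t[2 * idx] << 8 | t[2 * idx + 1])
		       : (uint16_t)(t[2 * idx] | t[2 * idx + 1] << 8);
}

int main(void)
{
	printf("udf imm16:            0x%x\n", udf_a32_imm16(RSEQ_SIG_CODE));
	printf("LE code, LE data:     0x%08x\n", sig_seen_as_data(0, 0));
	printf("LE code, BE data:     0x%08x\n", sig_seen_as_data(0, 1));
	printf("BE code, BE data:     0x%08x\n", sig_seen_as_data(1, 1));
	return 0;
}
```

With little-endian code and big-endian data the word read back is byte-swapped relative to the constant, which is why the patch loads RSEQ_SIG from the emitted instruction instead of passing the constant directly.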