Date: Sat, 20 Jul 2019 10:56:41 +0200 (CEST)
From: Thomas Gleixner
To: Sean Christopherson
Cc: Steven Rostedt, Peter Zijlstra, Eiichi Tsukata, edwintorok@gmail.com, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, LKML, Josh Poimboeuf, Joel Fernandes, Andy Lutomirski, Dave Hansen
Subject: [PATCH] x86/entry/64: Prevent clobbering of saved CR2 value
References: <20190702053151.26922-1-devel@etsukata.com> <20190702072821.GX3419@hirez.programming.kicks-ass.net> <20190702113355.5be9ebfe@gandalf.local.home> <20190702133905.1482b87e@gandalf.local.home> <20190719202836.GB13680@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The recent fix for CR2 corruption introduced a new way to reliably corrupt
the saved CR2 value. CR2 is saved early in the entry code in RDX, which is
the third argument to the fault handling functions. But it missed that
between saving and invoking the fault handler enter_from_user_mode() can be
called. RDX is a caller-saved register so the invoked function can freely
clobber it with the obvious consequences.

The TRACE_IRQS_OFF call is safe as it calls through the thunk which
preserves RDX.

Store CR2 in R12 instead, which is a callee-saved register, and move R12 to
RDX just before calling the fault handler.

Fixes: a0d14b8909de ("x86/mm, tracing: Fix CR2 corruption")
Reported-by: Sean Christopherson
Signed-off-by: Thomas Gleixner
---
 arch/x86/entry/entry_64.S | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -875,7 +875,12 @@ apicinterrupt IRQ_WORK_VECTOR irq_work UNWIND_HINT_REGS .if \read_cr2 - GET_CR2_INTO(%rdx); /* can clobber %rax */ + /* + * Store CR2 early so subsequent faults cannot clobber it. Use R12 as + * intermediate storage as RDX can be clobbered in enter_from_user_mode(). + * GET_CR2_INTO can clobber RAX. + */ + GET_CR2_INTO(%r12); .endif .if \shift_ist != -1 @@ -904,6 +909,10 @@ apicinterrupt IRQ_WORK_VECTOR irq_work subq $\ist_offset, CPU_TSS_IST(\shift_ist) .endif + .if \read_cr2 + movq %r12, %rdx /* Move CR2 into 3rd argument */ + .endif + call \do_sym .if \shift_ist != -1
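Review bot: the new comment in the first hunk (the GET_CR2_INTO(%r12) change) says why RDX is unsafe but not why R12 is safe, and it leaves unstated the precondition the whole scheme depends on: the interrupted context's R12 must already be saved in pt_regs when CR2 is loaded into it. The UNWIND_HINT_REGS directly above shows the full register frame is in place at this point, so the precondition holds here, but it should be written down so nobody later hoists the GET_CR2_INTO above the register save. Suggest extending the comment along the lines of "R12 is callee saved, so every C call made between here and do_sym must preserve it; the original R12 is already in pt_regs (see UNWIND_HINT_REGS above)". It would also be worth stating that this only protects against calls made through the C ABI: any inline asm added between here and the call site must leave R12 alone, since nothing else guards it.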
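Review bot: in the second hunk the `movq %r12, %rdx` sits directly before `call \do_sym` with nothing in between, which is the correct placement, since no further call can clobber RDX after the copy; the `.if \read_cr2` block should be kept adjacent to the call if the shift_ist handling above it is ever rearranged. The comment "Move CR2 into 3rd argument" could name the contract it relies on: for read_cr2 entries \do_sym takes the fault address as its third argument, which is RDX under the x86-64 calling convention, and that is why the value has to be copied out of R12 rather than passed in R12 directly. A one-line comment to that effect would make the pairing of the two hunks obvious to the next reader.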
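To make the register-clobbering argument in the commit message concrete, here is an added user-space model of the bug and of the fix; it is not code from the patch or from the kernel. It assumes the x86-64 System V calling convention and GCC or Clang with AT&T syntax, and the names buggy_path, fixed_path, intervening_call and fault_handler are stand-ins for the entry macro, enter_from_user_mode() and the do_sym fault handler respectively. The "fault address" fed in is a constructed value.

```c
/*
 * Added example (not part of the patch or the kernel): a user-space model of
 * the CR2 clobbering bug. A value parked in RDX (caller-saved) across a call
 * to an ordinary C function is lost; the same value parked in R12
 * (callee-saved) survives the call and is copied into RDX immediately before
 * the final call so it arrives intact as the third argument.
 *
 * Assumes x86-64 System V ABI, GCC or Clang, AT&T syntax. The names
 * buggy_path, fixed_path, intervening_call and fault_handler are stand-ins
 * for the entry code, enter_from_user_mode() and do_sym; they are not kernel
 * symbols.
 */
#include <stdint.h>
#include <stdio.h>

#define CR2_SAMPLE 0x00007f00deadf000ULL /* constructed "faulting address" */
#define POISON     0xdeadULL            /* value intervening_call leaves in RDX */

/* Stand-in for enter_from_user_mode(): a C function that uses RDX freely and
 * also uses R12. Because "r12" is in the clobber list, the compiler must emit
 * the push/pop that the ABI requires for a callee-saved register. */
__attribute__((noinline)) void intervening_call(void)
{
    __asm__ __volatile__("movl $0xdead, %%edx\n\t"
                         "movl $0xdead, %%r12d"
                         : : : "rdx", "r12");
}

/* Stand-in for do_page_fault(regs, error_code, address): returns the value it
 * received as third argument, i.e. whatever RDX held at the call. */
__attribute__((noinline)) uint64_t fault_handler(uint64_t regs,
                                                 uint64_t error_code,
                                                 uint64_t address)
{
    (void)regs;
    (void)error_code;
    return address;
}

uint64_t buggy_path(uint64_t cr2, void (*intervening)(void),
                    uint64_t (*handler)(uint64_t, uint64_t, uint64_t));
uint64_t fixed_path(uint64_t cr2, void (*intervening)(void),
                    uint64_t (*handler)(uint64_t, uint64_t, uint64_t));

__asm__(".text\n"
    /* buggy_path: CR2 parked in RDX across the intervening call */
    ".globl buggy_path\n"
    "buggy_path:\n"
    "\tpushq %r13\n"        /* keep handler pointer in a callee-saved reg; also aligns RSP */
    "\tmovq %rdx, %r13\n"
    "\tmovq %rdi, %rdx\n"   /* like GET_CR2_INTO(%rdx): CR2 straight into the 3rd-arg register */
    "\tcall *%rsi\n"        /* enter_from_user_mode() stand-in: free to clobber RDX */
    "\txorl %edi, %edi\n"   /* regs = 0, error_code = 0 (dummies) */
    "\txorl %esi, %esi\n"
    "\tcall *%r13\n"        /* do_sym(regs, error_code, <whatever RDX now holds>) */
    "\tpopq %r13\n"
    "\tret\n"
    /* fixed_path: CR2 parked in R12, copied to RDX right before do_sym */
    ".globl fixed_path\n"
    "fixed_path:\n"
    "\tpushq %r12\n"        /* preserve our own caller's R12 */
    "\tpushq %r13\n"
    "\tsubq $8, %rsp\n"     /* 16-byte stack alignment for the calls below */
    "\tmovq %rdx, %r13\n"
    "\tmovq %rdi, %r12\n"   /* like GET_CR2_INTO(%r12) */
    "\tcall *%rsi\n"        /* may use R12, but the ABI obliges it to restore it */
    "\txorl %edi, %edi\n"
    "\txorl %esi, %esi\n"
    "\tmovq %r12, %rdx\n"   /* like the patch: CR2 into the 3rd argument right before the call */
    "\tcall *%r13\n"
    "\taddq $8, %rsp\n"
    "\tpopq %r13\n"
    "\tpopq %r12\n"
    "\tret\n");

int main(void)
{
    uint64_t got_bug = buggy_path(CR2_SAMPLE, intervening_call, fault_handler);
    uint64_t got_fix = fixed_path(CR2_SAMPLE, intervening_call, fault_handler);

    printf("buggy path: handler saw 0x%llx, wanted 0x%llx\n",
           (unsigned long long)got_bug, (unsigned long long)CR2_SAMPLE);
    printf("fixed path: handler saw 0x%llx\n", (unsigned long long)got_fix);
    return (got_fix == CR2_SAMPLE && got_bug != CR2_SAMPLE) ? 0 : 1;
}
```

The buggy path reaches the handler with the poison that intervening_call left in RDX, while the fixed path delivers the original value: the intervening C function is allowed to overwrite R12 but has to restore it before returning, which is exactly the property the patch relies on. Note that this protection holds only for calls that honour the C ABI; inline assembly between the two points would have to leave R12 alone by hand.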