Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp6003893ybc; Wed, 27 Nov 2019 13:14:07 -0800 (PST) X-Google-Smtp-Source: APXvYqyt2Wa5Q0qADX7eoRZ9X20Tp5LZH3fdowajLR1jWsqe5vLEnQ1EtWVGnhTna/188YJ36Q2y X-Received: by 2002:a17:906:2e41:: with SMTP id r1mr27870034eji.127.1574889247766; Wed, 27 Nov 2019 13:14:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574889247; cv=none; d=google.com; s=arc-20160816; b=Q2Vd0wKENb7nq0bbfeeIEZzDD1w9FcOTOJ/baLFWpsJpGyYfImahMFEZsBIJNtSouj A8wgcxI2WZQygI8lQK/x9Cdn9mds2u+EJ/kUUPP6aQnKHBDn/VcmDSyDy/DU/CUzIe90 WK61Yl7vxtf4VTDzfaorNLNuHGA+za1ZXx0UB5dyxkNEYPEvPGfXp2ynEH28NSWHuy8i GIWMJKotyGg/hIXNjjmfFzJYsoA9ETSP8G3pzXwrfFKetyLqWtxRmU+y1+Yxl5rBKNaH XkD6I/QIftiCFJmCvCiN7M2AV4dyyGdfp4BAh437Yre9EQDQNOo4CTyeya8PXnjBvJ1K 6A2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=81cIJK1IcVQTGC144t1+Hfk6qk0MCsDZyYoCbgx8Hlo=; b=CSCQzXrxZn9bf4MAjnebKqR0HddJOuz76iDAjujWdZGsJbUhONKuq88ERYW+iD2P2n m3xu4KUzW7huMiKmZDSWkUIgUdtlRvpoChAAqvQKhEyCULXU6uLxCMvkKKVZ4SWr85TC B3Hi+bgTguRzACsTx4e9lZgV0TlP7oMYu0c7N670fxvWgvGWu9RtJOkkRRgMpYQkR1tH BBOJLPV0h4iPnb3RBxAKoXt3sPp6JBJzII4bq57KjQ2rmq2mXG9ORxdxjjvg5B35EAM+ GNcra0jqlhlj7APmth/OtiZ66qrSRustUS9GxgibZ3jFio0Vi0K2gcHb7rEjdm3TzXBZ g2Bw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EvkzFqje; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cb26si12658476edb.106.2019.11.27.13.13.44; Wed, 27 Nov 2019 13:14:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EvkzFqje; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733072AbfK0VKl (ORCPT + 99 others); Wed, 27 Nov 2019 16:10:41 -0500 Received: from mail.kernel.org ([198.145.29.99]:37996 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733064AbfK0VKj (ORCPT ); Wed, 27 Nov 2019 16:10:39 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 444CF2176D; Wed, 27 Nov 2019 21:10:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1574889037; bh=JdTkV7/44ucTxykzjuJkfEkDyJYwgFjz7gDeCoZMK9Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EvkzFqjexPN92jZ7MngfKEblvs/1PBEjzwlPzIquk+kqae1YlN3PstZSuHXBdwkXa Ic806my3gdIor/HXZMHK+nKMgTi7X26Ervz47JlSEGluZUZ+h9Kv/VBqwrU1btsb4J xZYsLWeXMjr5Y7c5EUqRDYs+utSxYoUhelZ+q1QU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andy Lutomirski , "Peter Zijlstra (Intel)" , stable@kernel.org Subject: [PATCH 5.3 60/95] x86/entry/32: Unwind the ESPFIX stack earlier on exception entry Date: Wed, 27 Nov 2019 21:32:17 +0100 Message-Id: <20191127202927.235334004@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191127202845.651587549@linuxfoundation.org> References: <20191127202845.651587549@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andy Lutomirski commit a1a338e5b6fe9e0a39c57c232dc96c198bb53e47 upstream. Right now, we do some fancy parts of the exception entry path while SS might have a nonzero base: we fill in regs->ss and regs->sp, and we consider switching to the kernel stack. This results in regs->ss and regs->sp referring to a non-flat stack and it may result in overflowing the entry stack. The former issue means that we can try to call iret_exc on a non-flat stack, which doesn't work. Tested with selftests/x86/sigreturn_32. Fixes: 45d7b255747c ("x86/entry/32: Enter the kernel via trampoline stack") Signed-off-by: Andy Lutomirski Signed-off-by: Peter Zijlstra (Intel) Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman --- arch/x86/entry/entry_32.S | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -210,8 +210,6 @@ /* * The high bits of the CS dword (__csh) are used for CS_FROM_*. * Clear them in case hardware didn't do this for us. - * - * Be careful: we may have nonzero SS base due to ESPFIX. */ andl $0x0000ffff, 4*4(%esp) @@ -307,12 +305,21 @@ .Lfinished_frame_\@: .endm -.macro SAVE_ALL pt_regs_ax=%eax switch_stacks=0 skip_gs=0 +.macro SAVE_ALL pt_regs_ax=%eax switch_stacks=0 skip_gs=0 unwind_espfix=0 cld .if \skip_gs == 0 PUSH_GS .endif pushl %fs + + pushl %eax + movl $(__KERNEL_PERCPU), %eax + movl %eax, %fs +.if \unwind_espfix > 0 + UNWIND_ESPFIX_STACK +.endif + popl %eax + FIXUP_FRAME pushl %es pushl %ds @@ -326,8 +333,6 @@ movl $(__USER_DS), %edx movl %edx, %ds movl %edx, %es - movl $(__KERNEL_PERCPU), %edx - movl %edx, %fs .if \skip_gs == 0 SET_KERNEL_GS %edx .endif @@ -1153,18 +1158,17 @@ ENDPROC(entry_INT80_32) lss (%esp), %esp /* switch to the normal stack segment */ #endif .endm + .macro UNWIND_ESPFIX_STACK + /* It's safe to clobber %eax, all other regs need to be preserved */ #ifdef CONFIG_X86_ESPFIX32 movl %ss, %eax /* see if on espfix stack */ cmpw $__ESPFIX_SS, %ax - jne 27f - movl $__KERNEL_DS, %eax - movl %eax, %ds - movl %eax, %es + jne .Lno_fixup_\@ /* switch to normal stack */ FIXUP_ESPFIX_STACK -27: +.Lno_fixup_\@: #endif .endm @@ -1458,10 +1462,9 @@ END(page_fault) common_exception_read_cr2: /* the function address is in %gs's slot on the stack */ - SAVE_ALL switch_stacks=1 skip_gs=1 + SAVE_ALL switch_stacks=1 skip_gs=1 unwind_espfix=1 ENCODE_FRAME_POINTER - UNWIND_ESPFIX_STACK /* fixup %gs */ GS_TO_REG %ecx @@ -1483,9 +1486,8 @@ END(common_exception_read_cr2) common_exception: /* the function address is in %gs's slot on the stack */ - SAVE_ALL switch_stacks=1 skip_gs=1 + SAVE_ALL switch_stacks=1 skip_gs=1 unwind_espfix=1 ENCODE_FRAME_POINTER - UNWIND_ESPFIX_STACK /* fixup %gs */ GS_TO_REG %ecx