Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3194982pxk;
        Mon, 28 Sep 2020 10:39:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxCMcr2Or/VRBfpxNEx+bPg66TXC3LQcCVG6fEifHU4lssZMAncXr14cKGokMA/IxKmyZ/a
X-Received: by 2002:a05:6402:17da:: with SMTP id s26mr3025276edy.221.1601314760106;
        Mon, 28 Sep 2020 10:39:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1601314760; cv=none;
        d=google.com; s=arc-20160816;
        b=w1+uep2ozTu4wlYNuqv4D19QONGrUe4Ni96C9khB+yRkekCy/5J1EXc6UnsHMs6GAS
         hBXnN/Fon+wRsKD8nJk2KORRiUUAymkBCYiLCBG67DxLVNLFB+AMVbJIOnkAg92VOIUg
         PL+/vFJNgiDEMXkg3t3FMbnsgs67fnZJB/vBE/UJpncNAwJlOWmXoJEHDh8Vvzc39UoM
         OaGZ+Ncoz/+lqCuMQIS46hZFZDVl+pmdBewUCYBhylvofIJCAgWDt1rUybVjzjVtgGVx
         uA2w1kZPmJBqeVy9cAsTIVp7r6HiVx7YLf014UTUjYVhDOnlxl+mp+rQDa9f/8EjQ0Jx
         nQdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=u2qn9fTFdTDRMSPbuM2DmhEkFJvA3dVJqW7pdOh87fc=;
        b=vkur377JzQqg+6s99R11Ky7kR8f1X7obfm1jD5MK33gT3jdexQhZ/SKyrZ21qjss8e
         MZfgzhydBC0viYkS2Stg3By+tKHG4X+2GTPXVd1XVwomtsbLMvVntHE/wN/BHG+7NQO9
         pe5fT6MN7LJpHiRlZWbRzsXmjbxs8KacOJX/JfSXaG6aPp1/onj312Ga2VEmzb0r3+3w
         bDT/H/wIOXNALZo3n/HAXuaUgpVO4trnGjn225EzH9IS8gh5yMKw2gwS0r87pg+RYSse
         fkZFbopc3aIza8nDZ0NfQDzcVQFxtSv7eCZnY92xZapDxs6wMwvpQvSb1PhyDYkBBbzq
         /wfw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="BWf0gF/1";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u20si1044556edy.509.2020.09.28.10.38.56;
        Mon, 28 Sep 2020 10:39:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="BWf0gF/1";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726589AbgI1Rh5 (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Mon, 28 Sep 2020 13:37:57 -0400
Received: from mail.kernel.org ([198.145.29.99]:47580 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726552AbgI1Rh5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Sep 2020 13:37:57 -0400
Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D67D923899
        for <linux-kernel@vger.kernel.org>; Mon, 28 Sep 2020 17:37:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1601314677;
        bh=NigSMLyumIm9ggwTyG5LDnbruxmBhHyjdEZJ9Az6pxk=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=BWf0gF/1Q2N2DRi0WitlGM15dK3OoCFj7ovB6s6ZXn5zi2NKs3faVDgZTWbQcnGc0
         cGifc3fJghySiXTrJ7GmiKOHhCYNGczgcFgzS1ey7Yzx4wfjeZSNbAhghZBhCql8PV
         XM6gRGQYTk2QBxa7BidHfDlS6u3mAqGTqwZNQJ1I=
Received: by mail-wm1-f51.google.com with SMTP id q9so1976498wmj.2
        for <linux-kernel@vger.kernel.org>; Mon, 28 Sep 2020 10:37:56 -0700 (PDT)
X-Gm-Message-State: AOAM530CMkXv4d2e4ji62hiUQ6WpGbNlgotDFrJOVeHhZ0Q6CjXwnckv
        ptegQO2tWJnqhmpFFWcRlQOWLd0yKQxhi3m2pgCHcg==
X-Received: by 2002:a1c:740c:: with SMTP id p12mr291853wmc.176.1601314675297;
 Mon, 28 Sep 2020 10:37:55 -0700 (PDT)
MIME-Version: 1.0
References: <d0e4077e-129f-6823-dcea-a101ef626e8c@intel.com>
 <99B32E59-CFF2-4756-89BD-AEA0021F355F@amacapital.net> <d9099183dadde8fe675e1b10e589d13b0d46831f.camel@intel.com>
In-Reply-To: <d9099183dadde8fe675e1b10e589d13b0d46831f.camel@intel.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Mon, 28 Sep 2020 10:37:42 -0700
X-Gmail-Original-Message-ID: <CALCETrWuhPE3A7eWC=ERJa7i7jLtsXnfu04PKUFJ-Gybro+p=Q@mail.gmail.com>
Message-ID: <CALCETrWuhPE3A7eWC=ERJa7i7jLtsXnfu04PKUFJ-Gybro+p=Q@mail.gmail.com>
Subject: Re: [PATCH v13 8/8] x86/vsyscall/64: Fixup Shadow Stack and Indirect
 Branch Tracking for vsyscall emulation
To:     Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc:     Andy Lutomirski <luto@kernel.org>, X86 ML <x86@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Balbir Singh <bsingharora@gmail.com>,
        Borislav Petkov <bp@alien8.de>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Eugene Syromiatnikov <esyr@redhat.com>,
        Florian Weimer <fweimer@redhat.com>,
        "H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Mike Kravetz <mike.kravetz@oracle.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
        Peter Zijlstra <peterz@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "Ravi V. Shankar" <ravi.v.shankar@intel.com>,
        Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
        Dave Martin <Dave.Martin@arm.com>,
        Weijiang Yang <weijiang.yang@intel.com>,
        Pengfei Xu <pengfei.xu@intel.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 28, 2020 at 9:59 AM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>
> On Fri, 2020-09-25 at 09:51 -0700, Andy Lutomirski wrote:
> > > On Sep 25, 2020, at 9:48 AM, Yu, Yu-cheng <yu-cheng.yu@intel.com> wrote:
> +
> +               cet = get_xsave_addr(&fpu->state.xsave, XFEATURE_CET_USER);
> +               if (!cet) {
> +                       /*
> +                        * This is an unlikely case where the task is
> +                        * CET-enabled, but CET xstate is in INIT.
> +                        */
> +                       WARN_ONCE(1, "CET is enabled, but no xstates");

"unlikely" doesn't really cover this.

> +                       fpregs_unlock();
> +                       goto sigsegv;
> +               }
> +
> +               if (cet->user_ssp && ((cet->user_ssp + 8) < TASK_SIZE_MAX))
> +                       cet->user_ssp += 8;

This looks buggy.  The condition should be "if SHSTK is on, then add 8
to user_ssp".  If the result is noncanonical, then some appropriate
exception should be generated, probably by the FPU restore code -- see
below.  You should be checking the SHSTK_EN bit, not SSP.

Also, can you point me to where any of these canonicality rules are
documented in the SDM?  I looked and I can't find them.


This reminds me: this code in extable.c needs to change.

__visible bool ex_handler_fprestore(const struct exception_table_entry *fixup,
                                    struct pt_regs *regs, int trapnr,
                                    unsigned long error_code,
                                    unsigned long fault_addr)
{
        regs->ip = ex_fixup_addr(fixup);

        WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing
FPU registers.",
                  (void *)instruction_pointer(regs));

        __copy_kernel_to_fpregs(&init_fpstate, -1);

Now that we have supervisor states like CET, this is buggy.  This
should do something intelligent like initializing all the *user* state
and trying again.  If that succeeds, a signal should be sent rather
than just corrupting the task.  And if it fails, then perhaps some
actual intelligence is needed.  We certainly should not just disable
CET because something is wrong with the CET MSRs.