Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp46627pxf; Wed, 24 Mar 2021 20:31:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzlC5HKVFVeB6jDiVSN/jQg35HU09EWXVBXR/XbzWNCYiq2yQ9p6JpNIJ/racteF+mEiTbP X-Received: by 2002:a17:906:5646:: with SMTP id v6mr7319280ejr.126.1616643085544; Wed, 24 Mar 2021 20:31:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616643085; cv=none; d=google.com; s=arc-20160816; b=w048BGrCQlV6uDhDoHcW1Zh0WfKb5vsIQcP6k95YOmwcLrCzB6BhVO6AqBPjPhMXk9 1o4Ifv4L2TY1I7d+ZIWlUDzh1AjTdBo3U/BSbM1BhN1nvsV7hd+X0DHLngsET20So04F EPoM5zzyzKlj57W9G5G7w+4QuE+f0ovVaJfr24sGacjMwBl5cfuKRZZYOpNpXq85STSI J9o76aK/MduBLSFG0LCGJZI+69m8f5XubpKGXzsvy2/2EZtcV9T+OLV4wNumd89XGIHK fDrtPVEYMMKjNLHOnTwLolyNTA19fqNl1kef90MqDaJmyvHu2GUU2pcD4F0z2dzJE8gZ 2NSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:in-reply-to:cc:references:message-id:date :subject:mime-version:from:content-transfer-encoding:dkim-signature; bh=flIXUMrWcifVgFzaSDEmMehB8YW+PGNP6tRqoJaEbVE=; b=XfgfRs53NAywnJfkfohhg8KqFdO5NmCyiNk5nNcXSYMjq/5MTncShEAlEmutBRgNjs CfiIB+/TTAX8S/6S3AGF9njDE21SCivt9SnSbH+2c/pqZrVjKvessQVPU3n5jOz0btuE 0iyLSBc7NDwwYCZUG3PakUCWPNrNbi7Tt0aaW2Kgk6uDX3w140PgakPCscBTKKtvJPUW PriIZ9WGglMieVh4feJmMTKw7PugFFt9vaslKaBRtEpfvFjPt8Z7uCcEcIHJqcEBGFPJ gFJc1dFe0vEigyRKKSgHEkR5B6x1qNGtVpt2Q6LheWow0WZ+327jozX+T69EHVXJNxNx zjrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=w1YG5n57; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o13si3122077eje.367.2021.03.24.20.31.02; Wed, 24 Mar 2021 20:31:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=w1YG5n57; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232437AbhCXWM4 (ORCPT + 99 others); Wed, 24 Mar 2021 18:12:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232434AbhCXWMq (ORCPT ); Wed, 24 Mar 2021 18:12:46 -0400 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DB3DC06174A for ; Wed, 24 Mar 2021 15:12:46 -0700 (PDT) Received: by mail-pj1-x1032.google.com with SMTP id j6-20020a17090adc86b02900cbfe6f2c96so85997pjv.1 for ; Wed, 24 Mar 2021 15:12:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=flIXUMrWcifVgFzaSDEmMehB8YW+PGNP6tRqoJaEbVE=; b=w1YG5n57tU6V5WoPNofwTr8BVbm83cBU1pNJsbV0uPfNGfTqmjdyIMRvsABmu1cBOt z+4C4NbpkchDdr1RhFqHT0pyd9oJKf72oqDMaTJ8MVjWNkv82LxnyJdNONSTqodgP0/q t4kQ+hyH6dVcXAROJOeCMh5+qIhNwVADPOk63E9RZek5Spj7NHZAiFiCAkgzdzG8xGAv vamlBIHv+WOL+6v4+kPtRIHIuyCn2y/LCkHxlqqrLarBJq9xKdX18Am6rRJjuJaLKpVo iaEIxC/A6HD2WVbLs3shL0VE3qcq9DZrZduSa5huUefuGiTA9aFhME1IlJ3ld6af7DH2 Ggpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=flIXUMrWcifVgFzaSDEmMehB8YW+PGNP6tRqoJaEbVE=; b=tnRI1bw2lP60efTjE1aFTO3J39hYtfU20XR4QnAX4hSackY7B3DrpxsThU2RduKwya lh+EyO4t/lJayaP341WuauKBfHlYlhSqzgdBUi5i+3OADhW/+IFICljAsXQaA9rGdCQd kdbtJNrT6Qul0DqHOqd/hBKMSQ1klINMU2PzQdeBuR3v3As43Mmk/IGk74WvJAfFsVx7 m8QDFM+vGqXMBKSVupDmpdh6/MNwjnTa+p1JmrVJUZyw/DI3GfRY1Yxom0gFpOZj6rhB 68ov0lEOYhIHKIGASmApDlgIWISsSjNwjZjBUo9M83HL8maYnIkBLshAEwBMUgsDV4XG LxHw== X-Gm-Message-State: AOAM533IhlblNkeeL6P9dcFZDKv4QrheL0tlSxJ/c3d0BKzXQHQJppUC YNoX6ZxeDQljnnF0LhljvK1VBw== X-Received: by 2002:a17:90a:d801:: with SMTP id a1mr5638553pjv.84.1616623965676; Wed, 24 Mar 2021 15:12:45 -0700 (PDT) Received: from ?IPv6:2601:646:c200:1ef2:b9f9:ef01:c08a:fb13? ([2601:646:c200:1ef2:b9f9:ef01:c08a:fb13]) by smtp.gmail.com with ESMTPSA id o13sm3671100pgv.40.2021.03.24.15.12.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Mar 2021 15:12:45 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Andy Lutomirski Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v4 14/22] x86/fpu/xstate: Expand the xstate buffer on the first use of dynamic user state Date: Wed, 24 Mar 2021 15:12:43 -0700 Message-Id: <95242657-E9AC-470C-9834-40BDA2E852B9@amacapital.net> References: <90ea8d01-7fa5-100e-8590-d1ed80eb0d6a@intel.com> Cc: Len Brown , "Liu, Jing2" , Andy Lutomirski , Thomas Gleixner , Borislav Petkov , Ingo Molnar , X86 ML , Len Brown , "Liu, Jing2" , "Ravi V. Shankar" , LKML , "Bae, Chang Seok" In-Reply-To: <90ea8d01-7fa5-100e-8590-d1ed80eb0d6a@intel.com> To: Dave Hansen X-Mailer: iPhone Mail (18D61) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Mar 24, 2021, at 2:58 PM, Dave Hansen wrote: >=20 > =EF=BB=BFOn 3/24/21 2:42 PM, Andy Lutomirski wrote: >>>>> 3. user space always uses fully uncompacted XSAVE buffers. >>>>>=20 >>>> There is no reason we have to do this for new states. Arguably we >>>> shouldn=E2=80=99t for AMX to avoid yet another altstack explosion. >>> The thing that's worried me is that the list of OS-enabled states is >>> visible to apps via XGETBV. It doesn't seem too much of a stretch to >>> think that apps will see AMX enabled with XGETBV and them assume that >>> it's on the signal stack. >>>=20 >>> Please tell me I'm being too paranoid. If we can break this >>> assumption, it would get rid of a lot of future pain. >> There are no AMX apps. I sure hope that there are no apps that >> enumerate xfeatures with CPUID and try to decode the mess in the >> signal stack. >=20 > I don't think they quite need to decode it in order to be screwed over a > bit. For instance, I don't think it's too crazy if someone did: >=20 > xcr0 =3D xgetbv(0); > xrstor(xcr0, &sig_stack[something]); > // change some registers > xsave(xcr0, &sig_stack[something]); >=20 > The XRSTOR would work fine, but the XSAVE would overflow the stack > because it would save the AMX state. It also *looks* awfully benign. > This is true even if the silly signal handler didn't know about AMX at > *ALL*. >=20 > A good app would have checked that the xfeatures field in the header > matched xcr0. Ugh. On the other hand, if we require a syscall to flip the AMX bit in XCR0, we c= ould maybe get away with saying that programs that flip the bit and don=E2=80= =99t understand the new ABI get to keep both pieces. I don=E2=80=99t live futzing with the ABI like this, but AMX is really only b= arely compatible with everything before it.=