Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD2A7C433EF for ; Fri, 19 Nov 2021 17:38:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C39D061A89 for ; Fri, 19 Nov 2021 17:38:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236799AbhKSRlU (ORCPT ); Fri, 19 Nov 2021 12:41:20 -0500 Received: from mail.kernel.org ([198.145.29.99]:42240 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236575AbhKSRlO (ORCPT ); Fri, 19 Nov 2021 12:41:14 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 915F261A62; Fri, 19 Nov 2021 17:38:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1637343492; bh=ztAVo747u6WfirGIBdmQahZKOolmM5TvS/+XfIaW8Bo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qaDUkMuPUmyA+Zxv7XwePdzoB6aHfYH9D/RnpWHUr3vD8fS1Pn2hjGHKPWp0vi0kk vNQ2Z/wQvAy0VbVyG3KL7lKK8doJ6DLmBhWLulO7k0LzwnIbdx/Ma3pl1HVEzm/wmx wd1q0EuKtKqHMn8XikzR8ReEyAT/70FQ8C8S84I8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ondrej Zary , "Peter Zijlstra (Intel)" , Thomas Gleixner , stable@kernel.org Subject: [PATCH 5.10 12/21] x86/iopl: Fake iopl(3) CLI/STI usage Date: Fri, 19 Nov 2021 18:37:47 +0100 Message-Id: <20211119171444.279834831@linuxfoundation.org> X-Mailer: git-send-email 2.34.0 In-Reply-To: <20211119171443.892729043@linuxfoundation.org> References: <20211119171443.892729043@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Peter Zijlstra commit b968e84b509da593c50dc3db679e1d33de701f78 upstream. Since commit c8137ace5638 ("x86/iopl: Restrict iopl() permission scope") it's possible to emulate iopl(3) using ioperm(), except for the CLI/STI usage. Userspace CLI/STI usage is very dubious (read broken), since any exception taken during that window can lead to rescheduling anyway (or worse). The IOPL(2) manpage even states that usage of CLI/STI is highly discouraged and might even crash the system. Of course, that won't stop people and HP has the dubious honour of being the first vendor to be found using this in their hp-health package. In order to enable this 'software' to still 'work', have the #GP treat the CLI/STI instructions as NOPs when iopl(3). Warn the user that their program is doing dubious things. Fixes: a24ca9976843 ("x86/iopl: Remove legacy IOPL option") Reported-by: Ondrej Zary Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Thomas Gleixner Cc: stable@kernel.org # v5.5+ Link: https://lkml.kernel.org/r/20210918090641.GD5106@worktop.programming.kicks-ass.net Signed-off-by: Ondrej Zary Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/insn-eval.h | 1 + arch/x86/include/asm/processor.h | 1 + arch/x86/kernel/process.c | 1 + arch/x86/kernel/traps.c | 34 ++++++++++++++++++++++++++++++++++ arch/x86/lib/insn-eval.c | 2 +- 5 files changed, 38 insertions(+), 1 deletion(-) --- a/arch/x86/include/asm/insn-eval.h +++ b/arch/x86/include/asm/insn-eval.h @@ -21,6 +21,7 @@ int insn_get_modrm_rm_off(struct insn *i int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs); unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx); int insn_get_code_seg_params(struct pt_regs *regs); +unsigned long insn_get_effective_ip(struct pt_regs *regs); int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]); int insn_fetch_from_user_inatomic(struct pt_regs *regs, --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -534,6 +534,7 @@ struct thread_struct { */ unsigned long iopl_emul; + unsigned int iopl_warn:1; unsigned int sig_on_uaccess_err:1; /* Floating point and extended processor state */ --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -138,6 +138,7 @@ int copy_thread(unsigned long clone_flag frame->ret_addr = (unsigned long) ret_from_fork; p->thread.sp = (unsigned long) fork_frame; p->thread.io_bitmap = NULL; + p->thread.iopl_warn = 0; memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); #ifdef CONFIG_X86_64 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -523,6 +523,37 @@ static enum kernel_gp_hint get_kernel_gp #define GPFSTR "general protection fault" +static bool fixup_iopl_exception(struct pt_regs *regs) +{ + struct thread_struct *t = ¤t->thread; + unsigned char byte; + unsigned long ip; + + if (!IS_ENABLED(CONFIG_X86_IOPL_IOPERM) || t->iopl_emul != 3) + return false; + + ip = insn_get_effective_ip(regs); + if (!ip) + return false; + + if (get_user(byte, (const char __user *)ip)) + return false; + + if (byte != 0xfa && byte != 0xfb) + return false; + + if (!t->iopl_warn && printk_ratelimit()) { + pr_err("%s[%d] attempts to use CLI/STI, pretending it's a NOP, ip:%lx", + current->comm, task_pid_nr(current), ip); + print_vma_addr(KERN_CONT " in ", ip); + pr_cont("\n"); + t->iopl_warn = 1; + } + + regs->ip += 1; + return true; +} + DEFINE_IDTENTRY_ERRORCODE(exc_general_protection) { char desc[sizeof(GPFSTR) + 50 + 2*sizeof(unsigned long) + 1] = GPFSTR; @@ -548,6 +579,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_pr tsk = current; if (user_mode(regs)) { + if (fixup_iopl_exception(regs)) + goto exit; + tsk->thread.error_code = error_code; tsk->thread.trap_nr = X86_TRAP_GP; --- a/arch/x86/lib/insn-eval.c +++ b/arch/x86/lib/insn-eval.c @@ -1415,7 +1415,7 @@ void __user *insn_get_addr_ref(struct in } } -static unsigned long insn_get_effective_ip(struct pt_regs *regs) +unsigned long insn_get_effective_ip(struct pt_regs *regs) { unsigned long seg_base = 0;