From: Lai Jiangshan
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Lai Jiangshan, Joerg Roedel, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Oleg Nesterov, "Chang S. Bae", Kees Cook
Subject: [PATCH V2] x86/sev: Mark the code returning to user space as syscall gap
Date: Tue, 12 Apr 2022 20:49:08 +0800
Message-Id: <20220412124909.10467-1-jiangshanlai@gmail.com>
X-Mailer: git-send-email 2.19.1.6.gb485710b
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lai Jiangshan

When returning to user space, the %rsp is a user-controlled value. If it is an SNP guest and the hypervisor decides to mess with the code page for this path while a CPU is executing it, this will cause a #VC on that CPU, and that could hit in the syscall return path and mislead the #VC handler.

So make ip_within_syscall_gap() return true in this case.

Cc: Joerg Roedel
Signed-off-by: Lai Jiangshan
---
[V1]: https://lore.kernel.org/lkml/20211213042215.3096-4-jiangshanlai@gmail.com/

Changed from V1:
	Update changelog.

 arch/x86/entry/entry_64.S        | 2 ++
 arch/x86/entry/entry_64_compat.S | 2 ++
 arch/x86/include/asm/proto.h     | 4 ++++
 arch/x86/include/asm/ptrace.h    | 4 ++++
 4 files changed, 12 insertions(+)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 4faac48ebec5..4f678b6045cd 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -215,8 +215,10 @@ syscall_return_via_sysret: popq %rdi popq %rsp +SYM_INNER_LABEL(entry_SYSRETQ_unsafe_stack, SYM_L_GLOBAL) swapgs sysretq +SYM_INNER_LABEL(entry_SYSRETQ_end, SYM_L_GLOBAL) SYM_CODE_END(entry_SYSCALL_64) /* diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index 4fdb007cddbd..3c0e14960e2b 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S @@ -297,6 +297,7 @@ sysret32_from_system_call: * code. We zero R8-R10 to avoid info leaks. */ movq RSP-ORIG_RAX(%rsp), %rsp +SYM_INNER_LABEL(entry_SYSRETL_compat_unsafe_stack, SYM_L_GLOBAL) /* * The original userspace %rsp (RSP-ORIG_RAX(%rsp)) is stored @@ -314,6 +315,7 @@ sysret32_from_system_call: xorl %r10d, %r10d swapgs sysretl +SYM_INNER_LABEL(entry_SYSRETL_compat_end, SYM_L_GLOBAL) SYM_CODE_END(entry_SYSCALL_compat) /* diff --git a/arch/x86/include/asm/proto.h b/arch/x86/include/asm/proto.h index 0f899c8d7a4e..647d71535ce3 100644 --- a/arch/x86/include/asm/proto.h +++ b/arch/x86/include/asm/proto.h @@ -13,6 +13,8 @@ void syscall_init(void); #ifdef CONFIG_X86_64 void entry_SYSCALL_64(void); void entry_SYSCALL_64_safe_stack(void); +void entry_SYSRETQ_unsafe_stack(void); +void entry_SYSRETQ_end(void); long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2); #endif @@ -28,6 +30,8 @@ void entry_SYSENTER_compat(void); void __end_entry_SYSENTER_compat(void); void entry_SYSCALL_compat(void); void entry_SYSCALL_compat_safe_stack(void); +void entry_SYSRETL_compat_unsafe_stack(void); +void entry_SYSRETL_compat_end(void); void entry_INT80_compat(void); #ifdef CONFIG_XEN_PV void xen_entry_INT80_compat(void); diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 4357e0f2cd5f..f4db78b09c8f 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h 
@@ -186,9 +186,13 @@ static __always_inline bool ip_within_syscall_gap(struct pt_regs *regs) bool ret = (regs->ip >= (unsigned long)entry_SYSCALL_64 && regs->ip < (unsigned long)entry_SYSCALL_64_safe_stack); + ret = ret || (regs->ip >= (unsigned long)entry_SYSRETQ_unsafe_stack && + regs->ip < (unsigned long)entry_SYSRETQ_end); #ifdef CONFIG_IA32_EMULATION ret = ret || (regs->ip >= (unsigned long)entry_SYSCALL_compat && regs->ip < (unsigned long)entry_SYSCALL_compat_safe_stack); + ret = ret || (regs->ip >= (unsigned long)entry_SYSRETL_compat_unsafe_stack && + regs->ip < (unsigned long)entry_SYSRETL_compat_end); #endif return ret; -- 2.19.1.6.gb485710b
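Review bot: in the entry_64.S hunk (`@@ -215,8 +215,10 @@`), the labels are placed correctly but the invariant they encode is undocumented: `entry_SYSRETQ_unsafe_stack` sits immediately after `popq %rsp`, which is the first point at which the kernel runs on a user-controlled stack, and `entry_SYSRETQ_end` follows `sysretq`, so the half-open range used by ip_within_syscall_gap() covers both `swapgs` and `sysretq`. A one-line comment above the first label, mirroring what the entry side does for its safe-stack label, stating that %rsp must not be trusted from here until the end of the function, would make that visible to the next person editing this path and stop anyone from "tidying" the label to after `swapgs`.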
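Review bot: in the first entry_64_compat.S hunk (`@@ -297,6 +297,7 @@`), `entry_SYSRETL_compat_unsafe_stack` is placed directly after `movq RSP-ORIG_RAX(%rsp), %rsp`, i.e. at the moment the user-supplied %rsp goes live, which is consistent with the 64-bit hunk. The label does, however, land between that instruction and the existing block comment about the original userspace %rsp; either extend that comment to say that from this label onward %rsp is user-controlled, or put a short comment on the label itself, so the comment is not read as describing the label rather than the instruction above it.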
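Review bot: in the second entry_64_compat.S hunk (`@@ -314,6 +315,7 @@`), `entry_SYSRETL_compat_end` after `sysretl` mirrors `entry_SYSRETQ_end`; note that the register zeroing visible in the context (`xorl %r10d, %r10d`) is inside the marked range, so the gap deliberately starts before the registers are cleared. That is the right choice for the stack-safety purpose, but it is worth one sentence in the changelog so nobody later narrows the range to just `swapgs; sysretl`.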
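Review bot: in the first proto.h hunk (`@@ -13,6 +13,8 @@`), the new prototypes follow the existing `entry_SYSCALL_64_safe_stack` pattern, but the naming is asymmetric by design: the entry-side label marks where the safe stack begins, the return-side `entry_SYSRETQ_unsafe_stack` marks where the unsafe stack begins. A brief comment next to these prototypes saying that both pairs bound regions in which %rsp is user-controlled would keep the two conventions from being mistaken for a typo.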
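Review bot: in the second proto.h hunk (`@@ -28,6 +30,8 @@`), the compat prototypes are added next to `entry_SYSCALL_compat_safe_stack`, but the hunk context does not show whether this block is under `CONFIG_IA32_EMULATION`; the ptrace.h hunk only references `entry_SYSRETL_compat_unsafe_stack` and `entry_SYSRETL_compat_end` inside that guard, so please confirm the declarations sit under the same guard (or are unconditional, like the surrounding compat prototypes appear to be) so that an `#ifdef` mismatch does not surface as a build failure on a non-IA32_EMULATION config.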
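Review bot: in the ptrace.h hunk (`@@ -186,9 +186,13 @@`), the logic is right: both new checks are half-open ranges in the same `ret = ret || (...)` form as the existing ones, the 64-bit range is outside the `CONFIG_IA32_EMULATION` block and the compat range is inside it, matching where the labels are defined. Two requests. First, add a one-line comment above the new ranges saying they cover the return path after the user %rsp has been restored; the function name says "syscall gap" and a reader would otherwise expect only entry-side ranges. Second, the changelog should state what a true result means to the caller, namely that the #VC handling code must not trust regs->sp and must switch to a safe stack, because that caller behaviour is what makes this extension effective and it is not visible in this diff.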