References: <20230718134446.168654-1-brgerst@gmail.com> <20230718134446.168654-3-brgerst@gmail.com>
From: Brian Gerst
Date: Tue, 18 Jul 2023 11:21:24 -0400
Subject: Re: [PATCH 2/6] x86/entry/64: Convert SYSRET validation tests to C
To: Mika Penttilä
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Thomas Gleixner, Borislav Petkov, H. Peter Anvin, Andy Lutomirski
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 18, 2023 at 10:49 AM Mika Penttilä wrote:
>
>
>
> On 18.7.2023 17.25, Brian Gerst wrote:
> > On Tue, Jul 18, 2023 at 10:17 AM Mika Penttilä wrote:
> >>
> >> Hi,
> >>
> >>
> >> On 18.7.2023 16.44, Brian Gerst wrote:
> >>> Signed-off-by: Brian Gerst
> >>> ---
> >>>   arch/x86/entry/common.c        | 50 ++++++++++++++++++++++++++++++-
> >>>   arch/x86/entry/entry_64.S      | 55 ++--------------------------------
> >>>   arch/x86/include/asm/syscall.h |  2 +-
> >>>   3 files changed, 52 insertions(+), 55 deletions(-)
> >>>
> >>> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
> >>> index 6c2826417b33..afe79c3f1c5b 100644
> >>> --- a/arch/x86/entry/common.c
> >>> +++ b/arch/x86/entry/common.c
> >>> @@ -70,8 +70,12 @@ static __always_inline bool do_syscall_x32(struct = pt_regs *regs, int nr) > >>> return false; > >>> } > >>> > >>> -__visible noinstr void do_syscall_64(struct pt_regs *regs, int nr) > >>> +/* Returns true to return using SYSRET, or false to use IRET */ > >>> +__visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr) > >>> { > >>> + long rip; > >>> + unsigned int shift_rip; > >>> + > >>> add_random_kstack_offset(); > >>> nr =3D syscall_enter_from_user_mode(regs, nr); 
> >>> > >>> @@ -84,6 +88,50 @@ __visible noinstr void do_syscall_64(struct pt_reg= s *regs, int nr) > >>> > >>> instrumentation_end(); > >>> syscall_exit_to_user_mode(regs); > >>> + > >>> + /* > >>> + * Check that the register state is valid for using SYSRET to e= xit > >>> + * to userspace. Otherwise use the slower but fully capable IR= ET > >>> + * exit path. > >>> + */ > >>> + > >>> + /* XEN PV guests always use IRET path */ > >>> + if (cpu_feature_enabled(X86_FEATURE_XENPV)) > >>> + return false; > >>> + > >>> + /* SYSRET requires RCX =3D=3D RIP and R11 =3D=3D EFLAGS */ > >>> + if (unlikely(regs->cx !=3D regs->ip || regs->r11 !=3D regs->fla= gs)) > >>> + return false; > >>> + > >>> + /* CS and SS must match the values set in MSR_STAR */ > >>> + if (unlikely(regs->cs !=3D __USER_CS || regs->ss !=3D __USER_DS= )) > >>> + return false; > >>> + > >>> + /* > >>> + * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP > >>> + * in kernel space. This essentially lets the user take over > >>> + * the kernel, since userspace controls RSP. > >>> + * > >>> + * Change top bits to match most significant bit (47th or 56th = bit > >>> + * depending on paging mode) in the address. > >>> + */ > >>> + shift_rip =3D (64 - __VIRTUAL_MASK_SHIFT + 1);
> >>
> >> Should this be:
> >>
> >> shift_rip = (64 - __VIRTUAL_MASK_SHIFT - 1);
> >> ?
> >
> > I removed a set of parentheses, which switched the sign from -1 to +1.
> > I could put it back if that's less confusing.
> >
>
> I mean isn't it supposed to be:
> shift_rip = (64 - 48) for 4 level, now it's
> shift_rip = (64 - 46)
>
> __VIRTUAL_MASK_SHIFT == 47

Original: (64 - (47 + 1)) = (64 - 48) = 16

      c5:	48 c1 e1 10          	shl    $0x10,%rcx
      c9:	48 c1 f9 10          	sar    $0x10,%rcx

New: (64 - 47 - 1) = (17 - 1) = 16

     18b:	b9 10 00 00 00       	mov    $0x10,%ecx
     193:	48 d3 e2             	shl    %cl,%rdx
     196:	48 d3 fa             	sar    %cl,%rdx

Anyways, I'll switch it back to the original formula.  I'm not going to
argue any more about basic math.

Brian Gerst
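Review bot: in the `@@ -70,8 +70,12 @@` hunk, `long rip;` is deliberately signed while `regs->ip` is unsigned, because the canonical-address test depends on an arithmetic right shift (the `sar` in the objdump quoted later in this thread) to replicate the top bit, yet nothing at the declaration says so. A short comment at the declaration, for example `long rip;	/* signed: the canonical test needs a sign-extending shift */`, would keep a later cleanup from changing the type to `unsigned long` and silently turning the test into a logical shift.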
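Review bot: the shift count in the `@@ -84,6 +88,50 @@` hunk is off by two: with `__VIRTUAL_MASK_SHIFT == 47`, `64 - __VIRTUAL_MASK_SHIFT + 1` is 18, not the 16 the original `(64 - (__VIRTUAL_MASK_SHIFT + 1))` gives, so the sign extension replicates bit 45 rather than bit 47 (bit 54 rather than bit 56 with 5-level paging). The mistake fails safe, since a RIP whose bits 63..47 are not all equal can never have bits 63..45 all equal and is still rejected, but every canonical user address whose bit 45 or 46 differs from bit 47 is needlessly sent down the IRET path. Restore the parentheses, `shift_rip = 64 - (__VIRTUAL_MASK_SHIFT + 1);`, as agreed further down the thread.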
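The arithmetic argued over above, carried out as a stand-alone C program. This is an added example written for this page, not code from the kernel patch or from either author. The constants `VIRTUAL_MASK_SHIFT_4LEVEL`/`VIRTUAL_MASK_SHIFT_5LEVEL` stand in for the kernel's `__VIRTUAL_MASK_SHIFT` (47 with 4-level paging, 56 with 5-level paging), and the function names are hypothetical. It computes the shift count under both formulas, performs the shl/sar sign-extension test with each, and checks the result against a plain mask-based definition of "canonical", so the reader can see which addresses the off-by-two count misclassifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel's __VIRTUAL_MASK_SHIFT. */
#define VIRTUAL_MASK_SHIFT_4LEVEL 47u
#define VIRTUAL_MASK_SHIFT_5LEVEL 56u

/* Shift count as in the original formula: 64 - (mask_shift + 1). */
static unsigned int shift_original(unsigned int mask_shift)
{
	return 64 - (mask_shift + 1);
}

/* Shift count as written in the submitted hunk, parentheses dropped. */
static unsigned int shift_hunk(unsigned int mask_shift)
{
	return 64 - mask_shift + 1;
}

/*
 * The test the patch performs: shift the address up so the intended
 * most-significant bit lands in bit 63, shift back down arithmetically
 * (signed type, hence the 'sar' in the objdump) and see whether the
 * sign extension reproduced the original value. Relies on the usual
 * two's-complement behaviour of gcc/clang for the signed conversion and
 * arithmetic right shift.
 */
static bool canonical_with_shift(uint64_t addr, unsigned int shift)
{
	int64_t rip = (int64_t)(addr << shift);

	rip >>= shift;
	return (uint64_t)rip == addr;
}

/*
 * Reference definition: an address is canonical for a given mask shift
 * when bits 63..mask_shift are all equal (all zero or all one).
 */
static bool canonical_ref(uint64_t addr, unsigned int mask_shift)
{
	uint64_t upper = addr >> mask_shift;

	return upper == 0 || upper == (UINT64_MAX >> mask_shift);
}

/*
 * Does the shift-based test, using the given count, agree with the
 * reference definition for this address? The off-by-two count disagrees
 * on canonical addresses whose bits 45/46 differ from bit 47.
 */
static bool shift_matches_ref(uint64_t addr, unsigned int mask_shift,
			      unsigned int shift)
{
	return canonical_with_shift(addr, shift) == canonical_ref(addr, mask_shift);
}

int main(void)
{
	/* Constructed sample addresses, not taken from any real system. */
	static const uint64_t samples[] = {
		0x00007f0000000000ULL,	/* canonical user, bits 45/46 set   */
		0x0000800000000000ULL,	/* non-canonical: bit 47 set alone   */
		0xffff800000000000ULL,	/* canonical kernel-half address     */
		0x00ff000000000000ULL,	/* canonical only under 5-level      */
	};
	unsigned int ms = VIRTUAL_MASK_SHIFT_4LEVEL;
	unsigned int good = shift_original(ms), bad = shift_hunk(ms);

	printf("4-level: original shift %u, hunk shift %u\n", good, bad);
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t a = samples[i];

		printf("%#018llx ref=%d shift%u=%d shift%u=%d\n",
		       (unsigned long long)a, canonical_ref(a, ms),
		       good, canonical_with_shift(a, good),
		       bad, canonical_with_shift(a, bad));
	}
	return 0;
}
```

The run shows the asymmetry the thread discusses: with the hunk's count of 18 the non-canonical sample is still rejected, but the ordinary user address 0x00007f0000000000 is also rejected, which is exactly the "fails safe but slower" behaviour rather than a hole.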