References: <20230718134446.168654-1-brgerst@gmail.com> <20230718134446.168654-3-brgerst@gmail.com>
From: Brian Gerst
Date: Tue, 18 Jul 2023 11:46:54 -0400
Subject: Re: [PATCH 2/6] x86/entry/64: Convert SYSRET validation tests to C
To: Mika Penttilä
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Thomas Gleixner, Borislav Petkov, "H . Peter Anvin", Andy Lutomirski
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 18, 2023 at 11:21 AM Brian Gerst wrote:
>
> On Tue, Jul 18, 2023 at 10:49 AM Mika Penttilä wrote:
> >
> >
> >
> > On 18.7.2023 17.25, Brian Gerst wrote:
> > > On Tue, Jul 18, 2023 at 10:17 AM Mika Penttilä wrote:
> > >>
> > >> Hi,
> > >>
> > >>
> > >> On 18.7.2023 16.44, Brian Gerst wrote:
> > >>> Signed-off-by: Brian Gerst
> > >>> ---
> > >>>   arch/x86/entry/common.c        | 50 ++++++++++++++++++++++++++++++-
> > >>>   arch/x86/entry/entry_64.S      | 55 ++--------------------------------
> > >>>   arch/x86/include/asm/syscall.h |  2 +-
> > >>>   3 files changed, 52 insertions(+), 55 deletions(-)
> > >>>
> > >>> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
> > >>> index 6c2826417b33..afe79c3f1c5b 100644
> > >>> --- a/arch/x86/entry/common.c
> > >>> +++ b/arch/x86/entry/common.c
> > >>> @@ -70,8 +70,12 @@ static __always_inline bool do_syscall_x32(struct pt_regs *regs, int nr)
> > >>>          return false;
> > >>>   }
> > >>>
> > >>> -__visible noinstr void do_syscall_64(struct pt_regs *regs, int nr)
> > >>> +/* Returns true to return using SYSRET, or false to use IRET */
> > >>> +__visible noinstr bool do_syscall_64(struct pt_regs *regs, int nr)
> > >>>   {
> > >>> +       long rip;
> > >>> +       unsigned int shift_rip;
> > >>> +
> > >>>          add_random_kstack_offset();
> > >>>          nr = syscall_enter_from_user_mode(regs, nr);
> > >>>
> > >>> @@ -84,6 +88,50 @@ __visible noinstr void do_syscall_64(struct pt_regs *regs, int nr)
> > >>>
> > >>>          instrumentation_end();
> > >>>          syscall_exit_to_user_mode(regs);
> > >>> +
> > >>> +       /*
> > >>> +        * Check that the register state is valid for using SYSRET to exit
> > >>> +        * to userspace. Otherwise use the slower but fully capable IRET
> > >>> +        * exit path.
> > >>> +        */
> > >>> +
> > >>> +       /* XEN PV guests always use IRET path */
> > >>> +       if (cpu_feature_enabled(X86_FEATURE_XENPV))
> > >>> +               return false;
> > >>> +
> > >>> +       /* SYSRET requires RCX == RIP and R11 == EFLAGS */
> > >>> +       if (unlikely(regs->cx != regs->ip || regs->r11 != regs->flags))
> > >>> +               return false;
> > >>> +
> > >>> +       /* CS and SS must match the values set in MSR_STAR */
> > >>> +       if (unlikely(regs->cs != __USER_CS || regs->ss != __USER_DS))
> > >>> +               return false;
> > >>> +
> > >>> +       /*
> > >>> +        * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP
> > >>> +        * in kernel space. This essentially lets the user take over
> > >>> +        * the kernel, since userspace controls RSP.
> > >>> +        *
> > >>> +        * Change top bits to match most significant bit (47th or 56th bit
> > >>> +        * depending on paging mode) in the address.
> > >>> +        */
> > >>> +       shift_rip = (64 - __VIRTUAL_MASK_SHIFT + 1);
> > >>
> > >> Should this be:
> > >>
> > >> shift_rip = (64 - __VIRTUAL_MASK_SHIFT - 1);
> > >> ?
> > >
> > > I removed a set of parentheses, which switched the sign from -1 to +1.
> > > I could put it back if that's less confusing.
> > >
> >
> > I mean isn't it supposed to be:
> > shift_rip = (64 - 48) for 4 level, now it's
> > shift_rip = (64 - 46)
> >
> > __VIRTUAL_MASK_SHIFT == 47

My apologies, you were right. I've been sitting on this series for a
while and finally got around to posting it and didn't catch that error.
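Review bot: in the first hunk, `long rip;` is deliberately signed so that the canonical-address test can sign-extend with an arithmetic right shift (the `shl`/`sar` pair quoted further down in this thread); ISO C leaves a right shift of a negative value implementation-defined and only the compilers the kernel supports guarantee the arithmetic form, so a short comment at the declaration, e.g. `long rip; /* signed: sign-extended below with an arithmetic shift */`, would make the intent explicit. The new header comment `/* Returns true to return using SYSRET, or false to use IRET */` should also say that the caller must honour a false return unconditionally, since every check added in the second hunk is only a defence if false really forces the IRET path; the entry_64.S side of that contract is outside the quoted excerpt.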
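Review bot: in the second hunk, `shift_rip = (64 - __VIRTUAL_MASK_SHIFT + 1);` is off by two, as the rest of the thread establishes: with `__VIRTUAL_MASK_SHIFT == 47` the intended shift is 64 - 48 = 16 (and 64 - 57 = 7 with 5-level paging), but this expression yields 18, so the following shift left/arithmetic shift right replicates bit 45 rather than bit 47. Any canonical user RIP with bit 45 or bit 46 set then no longer compares equal to its sign-extended copy, and those syscalls silently take the IRET slow path; non-canonical addresses are still rejected, so this is a performance regression rather than a hole in the #GP defence the comment describes. Suggest `shift_rip = 64 - (__VIRTUAL_MASK_SHIFT + 1);`. The remainder of the check (the shift and the comparison against `regs->ip`) is cut off in the quote and could not be reviewed here.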
>
> Original:
> (64 - (47 + 1)) = (64 - 48) = 16
>
>   c5:   48 c1 e1 10             shl    $0x10,%rcx
>   c9:   48 c1 f9 10             sar    $0x10,%rcx

This was wrong. I hastily compiled this after I had reverted to the
original formula.

> New:
> (64 - 47 - 1) = (17 - 1) = 16
>
>  18b:   b9 10 00 00 00          mov    $0x10,%ecx
>  193:   48 d3 e2                shl    %cl,%rdx
>  196:   48 d3 fa                sar    %cl,%rdx
>
> Anyways, I'll switch it back to the original formula. I'm not going
> to argue any more about basic math.

I'll send a v2 later after any more feedback.

Thanks.

Brian Gerst
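The canonical-address test argued over in this thread, as an added example that is not part of the patch or of the kernel tree: it emulates the `shl`/`sar` sequence in plain C and runs both the original formula `64 - (__VIRTUAL_MASK_SHIFT + 1)` and the posted `64 - __VIRTUAL_MASK_SHIFT + 1` over a few constructed addresses, to show why the off-by-two makes ordinary user RIPs fail the check while still rejecting non-canonical ones. The values 47 and 56 for `__VIRTUAL_MASK_SHIFT` are taken from the discussion; the helper names, the sample addresses and the reliance on an arithmetic right shift (the same assumption the kernel's `long rip` makes) are this example's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* __VIRTUAL_MASK_SHIFT as quoted in the thread: 47 for 4-level paging
 * (48-bit virtual addresses), 56 for 5-level paging (57-bit addresses). */
#define VMASK_SHIFT_4LEVEL 47U
#define VMASK_SHIFT_5LEVEL 56U

/* Formula from the original asm and the planned v2: 64 - (47 + 1) == 16. */
static unsigned int shift_rip_original(unsigned int vmask_shift)
{
    return 64U - (vmask_shift + 1U);
}

/* Formula as posted in the hunk, parentheses dropped: 64 - 47 + 1 == 18. */
static unsigned int shift_rip_posted(unsigned int vmask_shift)
{
    return 64U - vmask_shift + 1U;
}

/*
 * Emulates "shl $shift, %rcx; sar $shift, %rcx": drop the top `shift` bits,
 * then replicate the highest surviving bit back into them.  A right shift of
 * a negative int64_t is implementation-defined in ISO C; GCC and Clang make
 * it arithmetic, which is what the kernel relies on for `long rip`.
 */
static uint64_t sign_extend_top(uint64_t addr, unsigned int shift)
{
    int64_t v = (int64_t)(addr << shift);
    return (uint64_t)(v >> shift);
}

/* An address is canonical iff sign-extending from the top implemented bit
 * leaves it unchanged.  A false result means do_syscall_64() must use IRET. */
static bool rip_is_canonical(uint64_t rip, unsigned int shift)
{
    return sign_extend_top(rip, shift) == rip;
}

/* Constructed sample RIPs (not taken from any real process). */
static const uint64_t sample_rips[] = {
    0x00007fffffffe000ULL, /* canonical user address near the top of the user range */
    0x0000555555554000ULL, /* canonical user address in a typical PIE text range */
    0xffff888000000000ULL, /* canonical kernel address: bits 63..47 all set */
    0x0000800000000000ULL, /* non-canonical: bit 47 set, bits 63..48 clear */
};
#define NSAMPLES (sizeof(sample_rips) / sizeof(sample_rips[0]))

/* How many sample RIPs would be allowed onto the SYSRET fast path.
 * Shift 16 admits the three canonical ones; shift 18 admits none, because
 * every canonical sample has bit 45 or 46 set and so no longer round-trips. */
static int count_sysret_ok(unsigned int shift)
{
    int ok = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        ok += rip_is_canonical(sample_rips[i], shift);
    return ok;
}

int main(void)
{
    unsigned int good = shift_rip_original(VMASK_SHIFT_4LEVEL);
    unsigned int bad = shift_rip_posted(VMASK_SHIFT_4LEVEL);

    printf("shift_rip: original=%u posted=%u (5-level original=%u)\n",
           good, bad, shift_rip_original(VMASK_SHIFT_5LEVEL));
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%#018llx  shift %2u: %-6s  shift %2u: %-6s\n",
               (unsigned long long)sample_rips[i],
               good, rip_is_canonical(sample_rips[i], good) ? "SYSRET" : "IRET",
               bad, rip_is_canonical(sample_rips[i], bad) ? "SYSRET" : "IRET");
    return 0;
}
```

Build with any C compiler (`cc -O2 -Wall canon.c && ./a.out`); the table shows that with the posted shift of 18 even the kernel address and the ordinary user addresses are sent down the IRET path, while the non-canonical address is rejected under both formulas.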