Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp2539365lqz; Wed, 3 Apr 2024 00:27:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWOZcSQUBvJeYCdOoBXBos1arnPWYC5W+LF1NjnUZUt6jj5VgYNZcgYNa0G6dak/kLSQeUcYYfcN6e8A4yNw+0YZGDQPcECjy9xTdSzew== X-Google-Smtp-Source: AGHT+IE8IgQUGideJCuBBXQV+sZ5tryOsePlBdybzYoH7zZvuaI0WZk0O0NFjgdMEFLHFBKX8/PN X-Received: by 2002:a17:903:1ce:b0:1e0:8b6:d7a4 with SMTP id e14-20020a17090301ce00b001e008b6d7a4mr18339898plh.19.1712129254172; Wed, 03 Apr 2024 00:27:34 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712129254; cv=pass; d=google.com; s=arc-20160816; b=fbTcpU4mx4G1pTc2T/LAdNYQXhTIJ0Lb+owSVbQxncy6b/WOLEdEpNOUqYjEhlXR8G 6RnbngSsWaslfK8+Vx4uCv9BrLNapkbjCnEw+BgYNtJeijr+p94GaU4lfXFM2WXBbeNI P9NiQleEyf0mwjxZ6SVQ24RS6iXPCLfMmyRk9e2hSbNIVb/xaRNen6mThaTX6p4OUuG2 HYxllJXUyNIA8oh/X8MOKXa3H/6ldi+R+9P6hKUNWlFymVDCHWPodjSr0+6FMz8GQYtV mmHtTevbGdIThNiSaI7zAKiVPV8cemz1QDxfoj8B36KNsj3exq4VrxOAJEiqi/0TyASU H9Ng== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=JH7Vt8YAyHDW7nmaE6ey6Z+wbrQjRBFrB1PYgSLOII8=; fh=eefIYMwmEqFnd4SajZf2zTICG0n3iqQKnGPy1ETuj48=; b=y6Ywc0smq5TzRauGMhyPbY2/U/7TAOjwbInycEaHK4x0MsSpOhC0scclsBxVShP355 mBnwpvmdNFjnJYOlt/cp4iVJGz9+HYrjZLrf83Iv5orRjcIVBjUlpX5rctdtvbw5pQzp nAR4K0WJYKkXU6Zp/lGKpwi/z0Xc5uMC2MdTIPzDeVNka2NDtskc7lJyfqBrNtrOTqcv DyGv16kBdyo8M/IPS2W3h4Ewy5iVABfKlPRoyG3PPwKac3+MQC6Om5qb4ZR2ElgGa06K kHXHMMJYKLBizH6/7zo/+gwjMPzloFRMbp6Z+7LdMahwxC+40e012QnJp6QNw1EwvAqy Fa0Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=vNfnwlCR; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-129168-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-129168-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id z16-20020a170903019000b001e09507084bsi13076127plg.467.2024.04.03.00.27.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 00:27:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-129168-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=vNfnwlCR; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-129168-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-129168-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id D8489284F0B for ; Wed, 3 Apr 2024 07:27:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8DA845CDD0; Wed, 3 Apr 2024 07:27:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="vNfnwlCR" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A1ADB5A0F3 for ; Wed, 3 Apr 2024 07:27:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712129233; cv=none; b=QWY37icSakya0qKeSneifr9B1Way0OUiSAzPSF0l6LtawYSLH4ML+if0m99mJ2uIlPZCwDeSCOE0EbUnjFQv9u+F0t/665kpnfEqKuReJQeD8wsOG6YH4Ry3WgyrLJswM7iTZvsAE6tumjIlkLA37sCFjv1MFXW7lpv0I5qJOwM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712129233; c=relaxed/simple; bh=+VzjS3lYs6MmEFgAWLAK/tBPyrT/NYGIq1NsetZK0N4=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type; b=F29lBKSdG+yf2cZr95ZHBBfVxSHhuEYIso4HENW9KTii0vIJje4iAk/wyG+ba8/6C5mx6UuxNIFh80hRkGlgon7e6qyKJmoU/97FMhOUg2DOsqxZBzdbocb6V7a5TblSpKbcoJxaAhFpqZRviqbXZ3fZWWSfexbqecBSOqmnxS4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=vNfnwlCR; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 506BAC4166C; Wed, 3 Apr 2024 07:27:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712129233; bh=+VzjS3lYs6MmEFgAWLAK/tBPyrT/NYGIq1NsetZK0N4=; h=From:To:Cc:Subject:Date:From; b=vNfnwlCRbrrs+6oRiuY5HnZ1jnEcpXLfT282PXD+b5CWl/fw1eWCrbdibGIarc/N6 I9ZYikj4gLFF7GdgIpYozxHKpugugvRROjc6lX9liupSFYD+6sUcteJRJPRylPOBld j897gZXMVtm8PL5BptbZZV9YHO8zziyhfjmqv+IUGzps6Oetq3dRalD3QexSmRLGik tzKzUF3FlI3pWmLUapkwV4G084eIboYExqbOCraW0uPIdl9tWsrVU+BADUop4HUS/j 4+4QDriYAo9nkL9zEOtS05U9eYGngEQ6j1fzQQ0bN41R2R/j6j0jTS81luAO2Gwfu/ NLhh2CxQTBL2Q== From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= To: Paul Walmsley , Palmer Dabbelt , Albert Ou , Andy Chiu , linux-riscv@lists.infradead.org Cc: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= , Conor Dooley , Heiko Stuebner , Vincent Chen , Ben Dooks , Greentime Hu , Haorong Lu , Jerry Shih , Nick Knight , linux-kernel@vger.kernel.org, Vineet Gupta , Charlie Jenkins , Vineet Gupta Subject: [PATCH] riscv: Fix vector state restore in rt_sigreturn() Date: Wed, 3 Apr 2024 09:26:38 +0200 Message-Id: <20240403072638.567446-1-bjorn@kernel.org> X-Mailer: git-send-email 2.40.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Björn Töpel The RISC-V Vector specification states in "Appendix D: Calling Convention for Vector State" [1] that "Executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and vstart to become unspecified.". In the RISC-V kernel this is called "discarding the vstate". Returning from a signal handler via the rt_sigreturn() syscall, vector discard is also performed. However, this is not an issue since the vector state should be restored from the sigcontext, and therefore not care about the vector discard. The "live state" is the actual vector register in the running context, and the "vstate" is the vector state of the task. A dirty live state, means that the vstate and live state are not in synch. When vectorized user_from_copy() was introduced, an bug sneaked in at the restoration code, related to the discard of the live state. An example when this go wrong: 1. A userland application is executing vector code 2. The application receives a signal, and the signal handler is entered. 3. The application returns from the signal handler, using the rt_sigreturn() syscall. 4. The live vector state is discarded upon entering the rt_sigreturn(), and the live state is marked as "dirty", indicating that the live state need to be synchronized with the current vstate. 5. rt_sigreturn() restores the vstate, except the Vector registers, from the sigcontext 6. rt_sigreturn() restores the Vector registers, from the sigcontext, and now the vectorized user_from_copy() is used. The dirty live state from the discard is saved to the vstate, making the vstate corrupt. 7. rt_sigreturn() returns to the application, which crashes due to corrupted vstate. Note that the vectorized user_from_copy() is invoked depending on the value of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which means that vlen has to be larger than 128b for this bug to trigger. The fix is simply to mark the live state as non-dirty/clean prior performing the vstate restore. Link: https://github.com/riscv/riscv-isa-manual/releases/download/riscv-isa-release-8abdb41-2024-03-26/unpriv-isa-asciidoc.pdf # [1] Reported-by: Charlie Jenkins Reported-by: Vineet Gupta Fixes: c2a658d41924 ("riscv: lib: vectorize copy_to_user/copy_from_user") Signed-off-by: Björn Töpel --- arch/riscv/kernel/signal.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c index 501e66debf69..5a2edd7f027e 100644 --- a/arch/riscv/kernel/signal.c +++ b/arch/riscv/kernel/signal.c @@ -119,6 +119,13 @@ static long __restore_v_state(struct pt_regs *regs, void __user *sc_vec) struct __sc_riscv_v_state __user *state = sc_vec; void __user *datap; + /* + * Mark the vstate as clean prior performing the actual copy, + * to avoid getting the vstate incorrectly clobbered by the + * discarded vector state. + */ + riscv_v_vstate_set_restore(current, regs); + /* Copy everything of __sc_riscv_v_state except datap. */ err = __copy_from_user(¤t->thread.vstate, &state->v_state, offsetof(struct __riscv_v_ext_state, datap)); @@ -133,13 +140,7 @@ static long __restore_v_state(struct pt_regs *regs, void __user *sc_vec) * Copy the whole vector content from user space datap. Use * copy_from_user to prevent information leak. */ - err = copy_from_user(current->thread.vstate.datap, datap, riscv_v_vsize); - if (unlikely(err)) - return err; - - riscv_v_vstate_set_restore(current, regs); - - return err; + return copy_from_user(current->thread.vstate.datap, datap, riscv_v_vsize); } #else #define save_v_state(task, regs) (0) base-commit: 7115ff4a8bfed3b9294bad2e111744e6abeadf1a -- 2.40.1