From: Jiri Olsa
To: Steven Rostedt, Masami Hiramatsu, Oleg Nesterov, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-man@vger.kernel.org, x86@kernel.org, bpf@vger.kernel.org, Song Liu, Yonghong Song, John Fastabend, Peter Zijlstra, Thomas Gleixner, "Borislav Petkov (AMD)", Ingo Molnar, Andy Lutomirski, "Edgecombe, Rick P", Deepak Gupta
Subject: [PATCHv5 bpf-next 6/8] x86/shstk: Add return uprobe support
Date: Tue, 7 May 2024 12:53:19 +0200
Message-ID: <20240507105321.71524-7-jolsa@kernel.org>
X-Mailer: git-send-email 2.44.0
In-Reply-To: <20240507105321.71524-1-jolsa@kernel.org>
References: <20240507105321.71524-1-jolsa@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Adding return uprobe support to work with enabled shadow stack.

Currently an application with shadow stack enabled will crash if it sets up a return uprobe. The reason is that the uretprobe kernel code changes the user space task's stack, but does not update the shadow stack accordingly.

Adding new functions to update values on the shadow stack and using them in the uprobe code to keep the shadow stack in sync with the uretprobe changes to the user stack.

Signed-off-by: Jiri Olsa
---
 arch/x86/include/asm/shstk.h |  4 ++++
 arch/x86/kernel/shstk.c      | 29 +++++++++++++++++++++++++++++
 arch/x86/kernel/uprobes.c    | 12 +++++++++++-
 3 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h index 42fee8959df7..2e1ddcf98242 100644 --- a/arch/x86/include/asm/shstk.h +++ b/arch/x86/include/asm/shstk.h
@@ -21,6 +21,8 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *p, unsigned long clon void shstk_free(struct task_struct *p); int setup_signal_shadow_stack(struct ksignal *ksig); int restore_signal_shadow_stack(void); +int shstk_update_last_frame(unsigned long val); +int shstk_push_frame(unsigned long val); #else static inline long shstk_prctl(struct task_struct *task, int option, unsigned long arg2) { return -EINVAL; } @@ -31,6 +33,8 @@ static inline unsigned long shstk_alloc_thread_stack(struct task_struct *p, static inline void shstk_free(struct task_struct *p) {} static inline int setup_signal_shadow_stack(struct ksignal *ksig) { return 0; } static inline int restore_signal_shadow_stack(void) { return 0; } +static inline int shstk_update_last_frame(unsigned long val) { return 0; } +static inline int shstk_push_frame(unsigned long val) { return 0; } #endif /* CONFIG_X86_USER_SHADOW_STACK */ #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 59e15dd8d0f8..66434dfde52e 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -577,3 +577,32 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long arg2) return wrss_control(true); return -EINVAL; } + +int shstk_update_last_frame(unsigned long val) +{ + unsigned long ssp; + + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return 0; + + ssp = get_user_shstk_addr(); + return write_user_shstk_64((u64 __user *)ssp, (u64)val); +} + +int shstk_push_frame(unsigned long val) +{ + unsigned long ssp; + + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return 0; + + ssp = get_user_shstk_addr(); + ssp -= SS_FRAME_SIZE; + if (write_user_shstk_64((u64 __user *)ssp, (u64)val)) + return -EFAULT; + + fpregs_lock_and_load(); + wrmsrl(MSR_IA32_PL3_SSP, ssp); + fpregs_unlock(); + return 0; +} diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c index 81e6ee95784d..ae6c3458a675 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c 
@@ -406,6 +406,11 @@ SYSCALL_DEFINE0(uretprobe) * trampoline's ret instruction */ r11_cx_ax[2] = regs->ip; + + /* make the shadow stack follow that */ + if (shstk_push_frame(regs->ip)) + goto sigill; + regs->ip = ip; err = copy_to_user((void __user *)regs->sp, r11_cx_ax, sizeof(r11_cx_ax)); @@ -1191,8 +1196,13 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs return orig_ret_vaddr; nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize); - if (likely(!nleft)) + if (likely(!nleft)) { + if (shstk_update_last_frame(trampoline_vaddr)) { + force_sig(SIGSEGV); + return -1; + } return orig_ret_vaddr; + } if (nleft != rasize) { pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n", -- 2.44.0
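Review bot: in the shstk.c hunk, shstk_update_last_frame() hands back the raw result of write_user_shstk_64() while shstk_push_frame() maps the same failure to -EFAULT; the two callers in uprobes.c only test for non-zero today, but a single convention (return -EFAULT from both, or the raw value from both) avoids a surprise for the next caller. Both functions are also new non-static entry points with no comment; a short one should say that they act on current, that the early `return 0` when ARCH_SHSTK_SHSTK is off means "nothing to sync" rather than "frame written", and that shstk_update_last_frame() overwrites the frame at the current SSP without reading it first, so the caller must already know that frame is the one it wants replaced. The ordering inside shstk_push_frame(), writing the frame before moving MSR_IA32_PL3_SSP, is the right one: a failed write leaves the SSP where it was.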
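Review bot: in the SYSCALL_DEFINE0(uretprobe) hunk, shstk_push_frame(regs->ip) runs before the copy_to_user() that stores the matching r11_cx_ax frame on the normal stack, so if that copy fails the shadow stack already carries an extra frame and MSR_IA32_PL3_SSP has moved while the normal stack has not; that is only harmless because the failure path is sigill, and the dependency deserves a comment next to the new call. The push itself exists only so that the trampoline's ret can consume the return address parked in the ax slot (`r11_cx_ax[2] = regs->ip;`); if the syscall returned to that address directly when shadow stack is enabled instead of bouncing through the trampoline's ret, the kernel would never have to write a frame into the user shadow stack or touch the SSP MSR from this path, which is worth weighing against the extra code.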
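Review bot: in the arch_uretprobe_hijack_return_addr() hunk, the top shadow stack frame is overwritten with trampoline_vaddr without checking that it currently holds orig_ret_vaddr, the value the function just read from regs->sp; reading the shadow stack top first and bailing out on a mismatch would catch a stack/shadow-stack desync (a probe that is not at a call boundary) before a wrong frame is rewritten rather than after. The failure path also differs from the syscall side: SIGSEGV here versus SIGILL in the uretprobe syscall, and unlike the "return address clobbered" branch just below it says nothing in the log; a pr_err() with pid, sp and ip in the same style would help whoever has to debug a task that dies here. Note too that at this point the normal stack already holds trampoline_vaddr while the shadow stack still holds the original, which is acceptable only because the task is being killed; say so in a comment.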
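To make the control-flow argument in the commit message concrete, here is an added user-space model (example code, not part of the patch or the kernel) of the normal stack and the shadow stack across a return uprobe. The CPU's CALL and RET are modelled by model_call() and model_ret(); hijack_return_addr() and uretprobe_syscall_return() are stand-ins for the two kernel paths the patch touches, and the `patched` flag selects whether the shadow stack is updated alongside the normal stack. The addresses CALLER_RET and TRAMPOLINE are constructed for the model and are not real.

```c
/*
 * Added example, not part of the patch: a user-space model of the normal
 * stack and the shadow stack around a uretprobe. Addresses are constructed;
 * hijack_return_addr() and uretprobe_syscall_return() stand in for the two
 * kernel paths the patch touches, "patched" selects the shadow stack update.
 */
#include <stdbool.h>
#include <stdio.h>

#define STACK_DEPTH 16
#define CALLER_RET 0x401234UL   /* constructed: pushed by the caller's CALL */
#define TRAMPOLINE 0x7ffff000UL /* constructed: uretprobe trampoline address */

struct task_model {
	unsigned long stack[STACK_DEPTH]; /* normal stack, grows down */
	unsigned long shstk[STACK_DEPTH]; /* shadow stack, grows down */
	unsigned int sp, ssp;             /* index of the top entry of each */
	bool shstk_enabled;
};

/* CALL: push the return address on the normal stack and, if enabled, the shadow stack. */
static void model_call(struct task_model *t, unsigned long ret_addr)
{
	t->stack[--t->sp] = ret_addr;
	if (t->shstk_enabled)
		t->shstk[--t->ssp] = ret_addr;
}

/* RET: pop both stacks; a mismatch is what the CPU reports as #CP (return false). */
static bool model_ret(struct task_model *t, unsigned long *target)
{
	unsigned long addr = t->stack[t->sp++];

	if (t->shstk_enabled && t->shstk[t->ssp++] != addr)
		return false;
	*target = addr;
	return true;
}

/*
 * Stand-in for arch_uretprobe_hijack_return_addr(): swap the top return
 * address for the trampoline and, when patched, rewrite the top shadow
 * stack frame the same way (the shstk_update_last_frame() call).
 */
static unsigned long hijack_return_addr(struct task_model *t, bool patched)
{
	unsigned long orig = t->stack[t->sp];

	t->stack[t->sp] = TRAMPOLINE;
	if (patched && t->shstk_enabled)
		t->shstk[t->ssp] = TRAMPOLINE;
	return orig;
}

/*
 * Stand-in for the uretprobe syscall's return path: the original return
 * address goes back on the normal stack for the trampoline's RET and, when
 * patched, the same frame is pushed on the shadow stack (shstk_push_frame()).
 */
static void uretprobe_syscall_return(struct task_model *t, unsigned long orig, bool patched)
{
	t->stack[--t->sp] = orig;
	if (patched && t->shstk_enabled)
		t->shstk[--t->ssp] = orig;
}

/*
 * CALL into the probed function, hijack at entry, RET into the trampoline,
 * uretprobe syscall, RET back to the caller. Returns the address of the
 * final RET target, or 0 if either RET would fault.
 */
static unsigned long run_scenario(struct task_model *t, bool shstk_enabled, bool patched)
{
	unsigned long orig, target;

	t->sp = t->ssp = STACK_DEPTH;
	t->shstk_enabled = shstk_enabled;
	model_call(t, CALLER_RET);
	orig = hijack_return_addr(t, patched);
	if (!model_ret(t, &target) || target != TRAMPOLINE)
		return 0;
	uretprobe_syscall_return(t, orig, patched);
	return model_ret(t, &target) ? target : 0;
}

/* Final RET target for a scenario; 0 means the task would have crashed. */
static unsigned long scenario_target(bool shstk_enabled, bool patched)
{
	struct task_model t;
	return run_scenario(&t, shstk_enabled, patched);
}

int main(void)
{
	printf("no shadow stack, unpatched: ret -> %#lx\n", scenario_target(false, false));
	printf("shadow stack, unpatched:    ret -> %#lx (0: #CP, the crash the patch fixes)\n",
	       scenario_target(true, false));
	printf("shadow stack, patched:      ret -> %#lx\n", scenario_target(true, true));
	return 0;
}
```

The unpatched run with shadow stack enabled fails at the probed function's own RET: the normal stack pops the trampoline address that the hijack wrote, the shadow stack still pops the caller's address, and the CPU raises #CP. With both kernel-side updates applied the two stacks agree at that RET and again at the trampoline's RET, which is exactly the pair of writes (shstk_update_last_frame() at hijack time, shstk_push_frame() in the uretprobe syscall) the patch adds. On real hardware this needs a CPU with user shadow stack support and a kernel built with CONFIG_X86_USER_SHADOW_STACK; the model runs anywhere.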