Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
* Ingo Molnar wrote: > > * Andy Lutomirski wrote: > > > The fault handling code tries to validate that a page fault from > > user mode that would extend the stack is within a certain range of > > the user SP. regs->sp is only equal to the user SP if > > user_mode(regs). In the extremely unlikely event that that > > sw_error_code had the USER bit set but the faulting instruction was > > in the kernel (i.e. the faulting instruction was WRUSS), then the > > *kernel* stack pointer would have been checked, which would be an > > info leak. > > > > Note to -stable maintainers: don't backport this unless you backport > > CET. The bug it fixes is unobservable in current kernels. > > > > Signed-off-by: Andy Lutomirski > > --- > > arch/x86/mm/fault.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c > > index 91d4d2722f2e..eae7ee3ce89b 100644 > > --- a/arch/x86/mm/fault.c > > +++ b/arch/x86/mm/fault.c > > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, > > bad_area(regs, sw_error_code, address); > > return; > > } > > - if (sw_error_code & X86_PF_USER) { > > + if (user_mode(regs)) { > > /* > > * Accessing the stack below %sp is always a bug. > > * The large cushion allows instructions like enter > > Note that this check is gone now due to: > > 1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp > > Thanks, Ok, I like your series - I have applied the first ~7 patches of it to tip:x86/mm, the rest is interacting with 1d8ca3be86eb - will apply the rest as well once you send a v2. Thanks, Ingo
Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
* Ingo Molnar wrote: > > * Andy Lutomirski wrote: > > > The fault handling code tries to validate that a page fault from > > user mode that would extend the stack is within a certain range of > > the user SP. regs->sp is only equal to the user SP if > > user_mode(regs). In the extremely unlikely event that that > > sw_error_code had the USER bit set but the faulting instruction was > > in the kernel (i.e. the faulting instruction was WRUSS), then the > > *kernel* stack pointer would have been checked, which would be an > > info leak. > > > > Note to -stable maintainers: don't backport this unless you backport > > CET. The bug it fixes is unobservable in current kernels. > > > > Signed-off-by: Andy Lutomirski > > --- > > arch/x86/mm/fault.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c > > index 91d4d2722f2e..eae7ee3ce89b 100644 > > --- a/arch/x86/mm/fault.c > > +++ b/arch/x86/mm/fault.c > > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, > > bad_area(regs, sw_error_code, address); > > return; > > } > > - if (sw_error_code & X86_PF_USER) { > > + if (user_mode(regs)) { > > /* > > * Accessing the stack below %sp is always a bug. > > * The large cushion allows instructions like enter > > Note that this check is gone now due to: > > 1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp > > Thanks, Ok, I like your series - I have applied the first ~7 patches of it to tip:x86/mm, the rest is interacting with 1d8ca3be86eb - will apply the rest as well once you send a v2. Thanks, Ingo
Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
* Andy Lutomirski wrote: > The fault handling code tries to validate that a page fault from > user mode that would extend the stack is within a certain range of > the user SP. regs->sp is only equal to the user SP if > user_mode(regs). In the extremely unlikely event that that > sw_error_code had the USER bit set but the faulting instruction was > in the kernel (i.e. the faulting instruction was WRUSS), then the > *kernel* stack pointer would have been checked, which would be an > info leak. > > Note to -stable maintainers: don't backport this unless you backport > CET. The bug it fixes is unobservable in current kernels. > > Signed-off-by: Andy Lutomirski > --- > arch/x86/mm/fault.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c > index 91d4d2722f2e..eae7ee3ce89b 100644 > --- a/arch/x86/mm/fault.c > +++ b/arch/x86/mm/fault.c > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, > bad_area(regs, sw_error_code, address); > return; > } > - if (sw_error_code & X86_PF_USER) { > + if (user_mode(regs)) { > /* >* Accessing the stack below %sp is always a bug. >* The large cushion allows instructions like enter Note that this check is gone now due to: 1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp Thanks, Ingo
Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
* Andy Lutomirski wrote: > The fault handling code tries to validate that a page fault from > user mode that would extend the stack is within a certain range of > the user SP. regs->sp is only equal to the user SP if > user_mode(regs). In the extremely unlikely event that that > sw_error_code had the USER bit set but the faulting instruction was > in the kernel (i.e. the faulting instruction was WRUSS), then the > *kernel* stack pointer would have been checked, which would be an > info leak. > > Note to -stable maintainers: don't backport this unless you backport > CET. The bug it fixes is unobservable in current kernels. > > Signed-off-by: Andy Lutomirski > --- > arch/x86/mm/fault.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c > index 91d4d2722f2e..eae7ee3ce89b 100644 > --- a/arch/x86/mm/fault.c > +++ b/arch/x86/mm/fault.c > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, > bad_area(regs, sw_error_code, address); > return; > } > - if (sw_error_code & X86_PF_USER) { > + if (user_mode(regs)) { > /* >* Accessing the stack below %sp is always a bug. >* The large cushion allows instructions like enter Note that this check is gone now due to: 1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp Thanks, Ingo
[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
The fault handling code tries to validate that a page fault from user mode that would extend the stack is within a certain range of the user SP. regs->sp is only equal to the user SP if user_mode(regs). In the extremely unlikely event that that sw_error_code had the USER bit set but the faulting instruction was in the kernel (i.e. the faulting instruction was WRUSS), then the *kernel* stack pointer would have been checked, which would be an info leak. Note to -stable maintainers: don't backport this unless you backport CET. The bug it fixes is unobservable in current kernels. Signed-off-by: Andy Lutomirski --- arch/x86/mm/fault.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 91d4d2722f2e..eae7ee3ce89b 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, bad_area(regs, sw_error_code, address); return; } - if (sw_error_code & X86_PF_USER) { + if (user_mode(regs)) { /* * Accessing the stack below %sp is always a bug. * The large cushion allows instructions like enter -- 2.17.2
[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension
The fault handling code tries to validate that a page fault from user mode that would extend the stack is within a certain range of the user SP. regs->sp is only equal to the user SP if user_mode(regs). In the extremely unlikely event that that sw_error_code had the USER bit set but the faulting instruction was in the kernel (i.e. the faulting instruction was WRUSS), then the *kernel* stack pointer would have been checked, which would be an info leak. Note to -stable maintainers: don't backport this unless you backport CET. The bug it fixes is unobservable in current kernels. Signed-off-by: Andy Lutomirski --- arch/x86/mm/fault.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 91d4d2722f2e..eae7ee3ce89b 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs, bad_area(regs, sw_error_code, address); return; } - if (sw_error_code & X86_PF_USER) { + if (user_mode(regs)) { /* * Accessing the stack below %sp is always a bug. * The large cushion allows instructions like enter -- 2.17.2