subject:"\[PATCH 02\/13\] x86\/fault\: Check user_mode\(regs\) when validating a stack extension"

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-20 Thread Ingo Molnar



* Ingo Molnar  wrote:

> 
> * Andy Lutomirski  wrote:
> 
> > The fault handling code tries to validate that a page fault from
> > user mode that would extend the stack is within a certain range of
> > the user SP.  regs->sp is only equal to the user SP if
> > user_mode(regs).  In the extremely unlikely event that that
> > sw_error_code had the USER bit set but the faulting instruction was
> > in the kernel (i.e. the faulting instruction was WRUSS), then the
> > *kernel* stack pointer would have been checked, which would be an
> > info leak.
> > 
> > Note to -stable maintainers: don't backport this unless you backport
> > CET.  The bug it fixes is unobservable in current kernels.
> > 
> > Signed-off-by: Andy Lutomirski 
> > ---
> >  arch/x86/mm/fault.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> > index 91d4d2722f2e..eae7ee3ce89b 100644
> > --- a/arch/x86/mm/fault.c
> > +++ b/arch/x86/mm/fault.c
> > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
> > bad_area(regs, sw_error_code, address);
> > return;
> > }
> > -   if (sw_error_code & X86_PF_USER) {
> > +   if (user_mode(regs)) {
> > /*
> >  * Accessing the stack below %sp is always a bug.
> >  * The large cushion allows instructions like enter
> 
> Note that this check is gone now due to:
> 
>   1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp
> 
> Thanks,

Ok, I like your series - I have applied the first ~7 patches of it to 
tip:x86/mm, the rest is interacting with 1d8ca3be86eb - will apply the 
rest as well once you send a v2.

Thanks,

Ingo

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-20 Thread Ingo Molnar



* Ingo Molnar  wrote:

> 
> * Andy Lutomirski  wrote:
> 
> > The fault handling code tries to validate that a page fault from
> > user mode that would extend the stack is within a certain range of
> > the user SP.  regs->sp is only equal to the user SP if
> > user_mode(regs).  In the extremely unlikely event that that
> > sw_error_code had the USER bit set but the faulting instruction was
> > in the kernel (i.e. the faulting instruction was WRUSS), then the
> > *kernel* stack pointer would have been checked, which would be an
> > info leak.
> > 
> > Note to -stable maintainers: don't backport this unless you backport
> > CET.  The bug it fixes is unobservable in current kernels.
> > 
> > Signed-off-by: Andy Lutomirski 
> > ---
> >  arch/x86/mm/fault.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> > index 91d4d2722f2e..eae7ee3ce89b 100644
> > --- a/arch/x86/mm/fault.c
> > +++ b/arch/x86/mm/fault.c
> > @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
> > bad_area(regs, sw_error_code, address);
> > return;
> > }
> > -   if (sw_error_code & X86_PF_USER) {
> > +   if (user_mode(regs)) {
> > /*
> >  * Accessing the stack below %sp is always a bug.
> >  * The large cushion allows instructions like enter
> 
> Note that this check is gone now due to:
> 
>   1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp
> 
> Thanks,

Ok, I like your series - I have applied the first ~7 patches of it to 
tip:x86/mm, the rest is interacting with 1d8ca3be86eb - will apply the 
rest as well once you send a v2.

Thanks,

Ingo

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-19 Thread Ingo Molnar



* Andy Lutomirski  wrote:

> The fault handling code tries to validate that a page fault from
> user mode that would extend the stack is within a certain range of
> the user SP.  regs->sp is only equal to the user SP if
> user_mode(regs).  In the extremely unlikely event that that
> sw_error_code had the USER bit set but the faulting instruction was
> in the kernel (i.e. the faulting instruction was WRUSS), then the
> *kernel* stack pointer would have been checked, which would be an
> info leak.
> 
> Note to -stable maintainers: don't backport this unless you backport
> CET.  The bug it fixes is unobservable in current kernels.
> 
> Signed-off-by: Andy Lutomirski 
> ---
>  arch/x86/mm/fault.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index 91d4d2722f2e..eae7ee3ce89b 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
>   bad_area(regs, sw_error_code, address);
>   return;
>   }
> - if (sw_error_code & X86_PF_USER) {
> + if (user_mode(regs)) {
>   /*
>* Accessing the stack below %sp is always a bug.
>* The large cushion allows instructions like enter

Note that this check is gone now due to:

  1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp

Thanks,

Ingo

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-19 Thread Ingo Molnar



* Andy Lutomirski  wrote:

> The fault handling code tries to validate that a page fault from
> user mode that would extend the stack is within a certain range of
> the user SP.  regs->sp is only equal to the user SP if
> user_mode(regs).  In the extremely unlikely event that that
> sw_error_code had the USER bit set but the faulting instruction was
> in the kernel (i.e. the faulting instruction was WRUSS), then the
> *kernel* stack pointer would have been checked, which would be an
> info leak.
> 
> Note to -stable maintainers: don't backport this unless you backport
> CET.  The bug it fixes is unobservable in current kernels.
> 
> Signed-off-by: Andy Lutomirski 
> ---
>  arch/x86/mm/fault.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index 91d4d2722f2e..eae7ee3ce89b 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
>   bad_area(regs, sw_error_code, address);
>   return;
>   }
> - if (sw_error_code & X86_PF_USER) {
> + if (user_mode(regs)) {
>   /*
>* Accessing the stack below %sp is always a bug.
>* The large cushion allows instructions like enter

Note that this check is gone now due to:

  1d8ca3be86eb: x86/mm/fault: Allow stack access below %rsp

Thanks,

Ingo

[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-19 Thread Andy Lutomirski

The fault handling code tries to validate that a page fault from
user mode that would extend the stack is within a certain range of
the user SP.  regs->sp is only equal to the user SP if
user_mode(regs).  In the extremely unlikely event that that
sw_error_code had the USER bit set but the faulting instruction was
in the kernel (i.e. the faulting instruction was WRUSS), then the
*kernel* stack pointer would have been checked, which would be an
info leak.

Note to -stable maintainers: don't backport this unless you backport
CET.  The bug it fixes is unobservable in current kernels.

Signed-off-by: Andy Lutomirski 
---
 arch/x86/mm/fault.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 91d4d2722f2e..eae7ee3ce89b 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
bad_area(regs, sw_error_code, address);
return;
}
-   if (sw_error_code & X86_PF_USER) {
+   if (user_mode(regs)) {
/*
 * Accessing the stack below %sp is always a bug.
 * The large cushion allows instructions like enter
-- 
2.17.2

[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

2018-11-19 Thread Andy Lutomirski

The fault handling code tries to validate that a page fault from
user mode that would extend the stack is within a certain range of
the user SP.  regs->sp is only equal to the user SP if
user_mode(regs).  In the extremely unlikely event that that
sw_error_code had the USER bit set but the faulting instruction was
in the kernel (i.e. the faulting instruction was WRUSS), then the
*kernel* stack pointer would have been checked, which would be an
info leak.

Note to -stable maintainers: don't backport this unless you backport
CET.  The bug it fixes is unobservable in current kernels.

Signed-off-by: Andy Lutomirski 
---
 arch/x86/mm/fault.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 91d4d2722f2e..eae7ee3ce89b 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1377,7 +1377,7 @@ void do_user_addr_fault(struct pt_regs *regs,
bad_area(regs, sw_error_code, address);
return;
}
-   if (sw_error_code & X86_PF_USER) {
+   if (user_mode(regs)) {
/*
 * Accessing the stack below %sp is always a bug.
 * The large cushion allows instructions like enter
-- 
2.17.2

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

Re: [PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

[PATCH 02/13] x86/fault: Check user_mode(regs) when validating a stack extension

6 matches

Site Navigation

Mail list logo

Footer information