On 15/10/2020 08:27, Jan Beulich wrote:
> On 14.10.2020 20:00, Andrew Cooper wrote:
>> On 13/10/2020 16:51, Jan Beulich wrote:
>>> On 12.10.2020 15:49, Andrew Cooper wrote:
>>>> All interrupts and exceptions pass a struct cpu_user_regs up into C. This
>>>> contains the legacy vm86 fields from 32bit days, which are beyond the
>>>> hardware-pushed frame.
>>>>
>>>> Accessing these fields is generally illegal, as they are logically out of
>>>> bounds for anything other than an interrupt/exception hitting ring1/3 code.
>>>>
>>>> Unfortunately, the #DF handler uses these fields as part of preparing the
>>>> state dump, and being IST, accesses the adjacent stack frame.
>>>>
>>>> This has been broken forever, but c/s 6001660473 "x86/shstk: Rework the
>>>> stack
>>>> layout to support shadow stacks" repositioned the #DF stack to be adjacent
>>>> to
>>>> the guard page, which turns this OoB write into a fatal pagefault:
>>>>
>>>> (XEN) *** DOUBLE FAULT ***
>>>> (XEN) ----[ Xen-4.15-unstable x86_64 debug=y Tainted: C ]----
>>>> (XEN) ----[ Xen-4.15-unstable x86_64 debug=y Tainted: C ]----
>>>> (XEN) CPU: 4
>>>> (XEN) RIP: e008:[<ffff82d04031fd4f>] traps.c#read_registers+0x29/0xc1
>>>> (XEN) RFLAGS: 0000000000050086 CONTEXT: hypervisor (d1v0)
>>>> ...
>>>> (XEN) Xen call trace:
>>>> (XEN) [<ffff82d04031fd4f>] R traps.c#read_registers+0x29/0xc1
>>>> (XEN) [<ffff82d0403207b3>] F do_double_fault+0x3d/0x7e
>>>> (XEN) [<ffff82d04039acd7>] F double_fault+0x107/0x110
>>>> (XEN)
>>>> (XEN) Pagetable walk from ffff830236f6d008:
>>>> (XEN) L4[0x106] = 80000000bfa9b063 ffffffffffffffff
>>>> (XEN) L3[0x008] = 0000000236ffd063 ffffffffffffffff
>>>> (XEN) L2[0x1b7] = 0000000236ffc063 ffffffffffffffff
>>>> (XEN) L1[0x16d] = 8000000236f6d161 ffffffffffffffff
>>>> (XEN)
>>>> (XEN) ****************************************
>>>> (XEN) Panic on CPU 4:
>>>> (XEN) FATAL PAGE FAULT
>>>> (XEN) [error_code=0003]
>>>> (XEN) Faulting linear address: ffff830236f6d008
>>>> (XEN) ****************************************
>>>> (XEN)
>>>>
>>>> and rendering the main #DF analysis broken.
>>>>
>>>> The proper fix is to delete cpu_user_regs.es and later, so no
>>>> interrupt/exception path can access OoB, but this needs disentangling from
>>>> the
>>>> PV ABI first.
>>>>
>>>> Not-really-fixes: 6001660473 ("x86/shstk: Rework the stack layout to
>>>> support shadow stacks")
>>>> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
>>> Reviewed-by: Jan Beulich <jbeul...@suse.com>
>>>
>>> Is it perhaps worth also saying explicitly that the other IST
>>> stacks don't suffer the same problem because show_registers()
>>> makes an local copy of the passed in struct? (Doing so also
>>> for #DF would apparently be an alternative solution.)
>> They're not safe. They merely don't explode.
>>
>> https://lore.kernel.org/xen-devel/1532546157-5974-1-git-send-email-andrew.coop...@citrix.com/
>> was "fixed" by CET-SS turning the guard page from not present to
>> read-only, but the same CET-SS series swapped #DB for #DF when it comes
>> to the single OoB write problem case.
> I see. While indeed I didn't pay attention to the OoB read aspect,
> me saying "the other IST stacks don't suffer the same problem" was
> still correct, wasn't it? Anyway - not a big deal.
I've tweaked the commit message to make this more clear.
--8<---
Accessing these fields is generally illegal, as they are logically out of
bounds for anything other than an interrupt/exception hitting ring1/3 code.
show_registers() unconditionally reads these fields, but the content is
discarded before use. This is benign right now, as all parts of the
stack are
readable, including the guard pages.
However, read_registers() in the #DF handler writes to these fields as
part of
preparing the state dump, and being IST, hits the adjacent stack frame.
--8<--
~Andrew
