From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu, Julien Grall
Subject: [PATCH] x86/traps: 'Fix' safety of read_registers() in #DF path
Date: Mon, 12 Oct 2020 14:49:08 +0100
Message-ID: <20201012134908.27497-1-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.11.0

All interrupts and exceptions pass a struct cpu_user_regs up into C.  This contains the legacy vm86 fields from 32bit days, which are beyond the hardware-pushed frame.

Accessing these fields is generally illegal, as they are logically out of bounds for anything other than an interrupt/exception hitting ring1/3 code.

Unfortunately, the #DF handler uses these fields as part of preparing the state dump, and being IST, accesses the adjacent stack frame.

This has been broken forever, but c/s 6001660473 "x86/shstk: Rework the stack layout to support shadow stacks" repositioned the #DF stack to be adjacent to the guard page, which turns this OoB write into a fatal pagefault:

  (XEN) *** DOUBLE FAULT ***
  (XEN) ----[ Xen-4.15-unstable  x86_64  debug=y   Tainted:   C   ]----
  (XEN) ----[ Xen-4.15-unstable  x86_64  debug=y   Tainted:   C   ]----
  (XEN) CPU:    4
  (XEN) RIP:    e008:[] traps.c#read_registers+0x29/0xc1
  (XEN) RFLAGS: 0000000000050086   CONTEXT: hypervisor (d1v0)
  ...
  (XEN) Xen call trace:
  (XEN)    [] R traps.c#read_registers+0x29/0xc1
  (XEN)    [] F do_double_fault+0x3d/0x7e
  (XEN)    [] F double_fault+0x107/0x110
  (XEN)
  (XEN) Pagetable walk from ffff830236f6d008:
  (XEN)  L4[0x106] = 80000000bfa9b063 ffffffffffffffff
  (XEN)  L3[0x008] = 0000000236ffd063 ffffffffffffffff
  (XEN)  L2[0x1b7] = 0000000236ffc063 ffffffffffffffff
  (XEN)  L1[0x16d] = 8000000236f6d161 ffffffffffffffff
  (XEN)
  (XEN) ****************************************
  (XEN) Panic on CPU 4:
  (XEN) FATAL PAGE FAULT
  (XEN) [error_code=0003]
  (XEN) Faulting linear address: ffff830236f6d008
  (XEN) ****************************************
  (XEN)

and rendering the main #DF analysis broken.

The proper fix is to delete cpu_user_regs.es and later, so no interrupt/exception path can access OoB, but this needs disentangling from the PV ABI first.

Not-really-fixes: 6001660473 ("x86/shstk: Rework the stack layout to support shadow stacks")
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
CC: Julien Grall
---
 xen/arch/x86/cpu/common.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index da74172776..a684519a20 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -770,7 +770,13 @@ void load_system_tables(void) tss->ist[IST_MCE - 1] =3D stack_top + (1 + IST_MCE) * PAGE_SIZE; tss->ist[IST_NMI - 1] =3D stack_top + (1 + IST_NMI) * PAGE_SIZE; tss->ist[IST_DB - 1] =3D stack_top + (1 + IST_DB) * PAGE_SIZE; - tss->ist[IST_DF - 1] =3D stack_top + (1 + IST_DF) * PAGE_SIZE; + /* + * Gross bodge. The #DF handler uses the vm86 fields of cpu_user_regs + * beyond the hardware frame. Adjust the stack entrypoint so this + * doesn't manifest as an OoB write which hits the guard page. + */ + tss->ist[IST_DF - 1] =3D stack_top + (1 + IST_DF) * PAGE_SIZE - + (sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, es)); tss->bitmap =3D IOBMP_INVALID_OFFSET; =20 /* All other stack pointers poisioned. */ --=20 2.11.0
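Review bot: the new tss->ist[IST_DF - 1] assignment silently depends on two things the "Gross bodge" comment does not state: that es is the first field past the hardware-pushed frame (so `sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, es)` is exactly the out-of-bounds tail), and that this tail is a multiple of 16, because the CPU aligns RSP to 16 bytes before pushing the frame on 64-bit interrupt entry and would otherwise round the adjusted entry point down. A later reordering of struct cpu_user_regs could reintroduce the guard-page fault without any build-time signal; suggest naming both assumptions in the comment and adding a BUILD_BUG_ON on the tail size's 16-byte alignment, and noting that the usable #DF IST stack shrinks by that amount. Minor: the retained context line `/* All other stack pointers poisioned. */` carries a pre-existing typo ("poisoned") that could be fixed while this block is being touched.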
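To see why subtracting the vm86 tail from the IST entry point keeps the #DF state dump inside its own stack, here is an added C model of the layout the commit message describes; it is a constructed example, not Xen code, and the field sizes of struct mock_regs, the IST_DF slot number, PAGE_SIZE and the 16-byte entry alignment are assumptions.

```c
/* Constructed model of the #DF IST stack layout; not Xen code.  The mock
 * struct's field sizes, IST_DF and PAGE_SIZE are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
#define IST_DF    1        /* assumed slot number; only the arithmetic matters */

/* Mock of struct cpu_user_regs: software-pushed GPRs, then the hardware frame
 * ending at ss, then the legacy vm86 fields (es and later) beyond that frame. */
struct mock_regs {
    uint64_t gprs[15];                   /* r15 .. rax */
    uint32_t error_code, entry_vector;
    uint64_t rip, cs, rflags, rsp, ss;   /* end of what the CPU pushed */
    uint16_t es, _pad3[3], ds, _pad4[3], fs, _pad5[3], gs, _pad6[3];
};

/* Bytes of the struct that lie beyond the hardware frame: the OoB region. */
#define VM86_TAIL (sizeof(struct mock_regs) - offsetof(struct mock_regs, es))

/* IST entry point for #DF, before the patch (bodge == false) and after it. */
uint64_t df_ist_top(uint64_t stack_top, bool bodge)
{
    uint64_t top = stack_top + (1 + IST_DF) * PAGE_SIZE;
    return bodge ? top - VM86_TAIL : top;
}

/* Highest address the state dump touches when #DF enters at ist_top.  The CPU
 * aligns RSP to 16 and pushes the frame below it, so regs->ss ends at the
 * aligned pointer and es..gs are addressed immediately above it. */
uint64_t vm86_tail_end(uint64_t ist_top)
{
    return (ist_top & ~15ULL) + VM86_TAIL;
}

/* True if that write crosses the top of the #DF IST stack, i.e. lands in the
 * adjacent page (the guard page after c/s 6001660473). */
bool df_dump_overflows(uint64_t stack_top, bool bodge)
{
    uint64_t limit = stack_top + (1 + IST_DF) * PAGE_SIZE;
    return vm86_tail_end(df_ist_top(stack_top, bodge)) > limit;
}

int main(void)
{
    uint64_t stack_top = 0x2000000ULL;   /* constructed, page aligned */
    printf("vm86 tail = %zu bytes\n", (size_t)VM86_TAIL);
    printf("overflow before patch: %d, after: %d\n",
           df_dump_overflows(stack_top, false), df_dump_overflows(stack_top, true));
    return 0;
}
```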