Xen project Mailing List

Re: [PATCH] x86/traps: 'Fix' safety of read_registers() in #DF path

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 15 Oct 2020 09:27:37 +0200

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>

Delivery-date: Thu, 15 Oct 2020 07:27:50 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14.10.2020 20:00, Andrew Cooper wrote: > On 13/10/2020 16:51, Jan Beulich wrote: >> On 12.10.2020 15:49, Andrew Cooper wrote: >>> All interrupts and exceptions pass a struct cpu_user_regs up into C. This >>> contains the legacy vm86 fields from 32bit days, which are beyond the >>> hardware-pushed frame. >>> >>> Accessing these fields is generally illegal, as they are logically out of >>> bounds for anything other than an interrupt/exception hitting ring1/3 code. >>> >>> Unfortunately, the #DF handler uses these fields as part of preparing the >>> state dump, and being IST, accesses the adjacent stack frame. >>> >>> This has been broken forever, but c/s 6001660473 "x86/shstk: Rework the >>> stack >>> layout to support shadow stacks" repositioned the #DF stack to be adjacent >>> to >>> the guard page, which turns this OoB write into a fatal pagefault: >>> >>> (XEN) *** DOUBLE FAULT *** >>> (XEN) ----[ Xen-4.15-unstable x86_64 debug=y Tainted: C ]---- >>> (XEN) ----[ Xen-4.15-unstable x86_64 debug=y Tainted: C ]---- >>> (XEN) CPU: 4 >>> (XEN) RIP: e008:[<ffff82d04031fd4f>] traps.c#read_registers+0x29/0xc1 >>> (XEN) RFLAGS: 0000000000050086 CONTEXT: hypervisor (d1v0) >>> ... >>> (XEN) Xen call trace: >>> (XEN) [<ffff82d04031fd4f>] R traps.c#read_registers+0x29/0xc1 >>> (XEN) [<ffff82d0403207b3>] F do_double_fault+0x3d/0x7e >>> (XEN) [<ffff82d04039acd7>] F double_fault+0x107/0x110 >>> (XEN) >>> (XEN) Pagetable walk from ffff830236f6d008: >>> (XEN) L4[0x106] = 80000000bfa9b063 ffffffffffffffff >>> (XEN) L3[0x008] = 0000000236ffd063 ffffffffffffffff >>> (XEN) L2[0x1b7] = 0000000236ffc063 ffffffffffffffff >>> (XEN) L1[0x16d] = 8000000236f6d161 ffffffffffffffff >>> (XEN) >>> (XEN) **************************************** >>> (XEN) Panic on CPU 4: >>> (XEN) FATAL PAGE FAULT >>> (XEN) [error_code=0003] >>> (XEN) Faulting linear address: ffff830236f6d008 >>> (XEN) **************************************** >>> (XEN) >>> >>> and rendering the main #DF analysis broken. >>> >>> The proper fix is to delete cpu_user_regs.es and later, so no >>> interrupt/exception path can access OoB, but this needs disentangling from >>> the >>> PV ABI first. >>> >>> Not-really-fixes: 6001660473 ("x86/shstk: Rework the stack layout to >>> support shadow stacks") >>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> >> >> Is it perhaps worth also saying explicitly that the other IST >> stacks don't suffer the same problem because show_registers() >> makes an local copy of the passed in struct? (Doing so also >> for #DF would apparently be an alternative solution.) > > They're not safe. They merely don't explode. > > https://lore.kernel.org/xen-devel/1532546157-5974-1-git-send-email-andrew.cooper3@xxxxxxxxxx/ > was "fixed" by CET-SS turning the guard page from not present to > read-only, but the same CET-SS series swapped #DB for #DF when it comes > to the single OoB write problem case. I see. While indeed I didn't pay attention to the OoB read aspect, me saying "the other IST stacks don't suffer the same problem" was still correct, wasn't it? Anyway - not a big deal. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.