[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [PATCH v13 26/35] x86/fred: FRED entry/exit and dispatch code
> > +static noinstr void fred_intx(struct pt_regs *regs) { > > + switch (regs->fred_ss.vector) { > > + /* INT0 */ > > INTO (for overflow), not INT-zero. However... > > > + case X86_TRAP_OF: > > + exc_overflow(regs); > > + return; > > + > > + /* INT3 */ > > + case X86_TRAP_BP: > > + exc_int3(regs); > > + return; > > ... neither OF nor BP will ever enter fred_intx() because they're type SWEXC > not > SWINT. > > SWINT is strictly the INT $imm8 instruction. > > > ... > > +static noinstr void fred_extint(struct pt_regs *regs) { > > + unsigned int vector = regs->fred_ss.vector; > > + > > + if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR)) > > + return; > > + > > + if (likely(vector >= FIRST_SYSTEM_VECTOR)) { > > + irqentry_state_t state = irqentry_enter(regs); > > + > > + instrumentation_begin(); > > + sysvec_table[vector - FIRST_SYSTEM_VECTOR](regs); > > array_index_mask_nospec() > > This is easy for an attacker to abuse, to install non-function-pointer > targets into > the indirect predictor. > > > + instrumentation_end(); > > + irqentry_exit(regs, state); > > + } else { > > + common_interrupt(regs, vector); > > + } > > +} > > + > > +static noinstr void fred_exception(struct pt_regs *regs, unsigned > > +long error_code) { > > + /* Optimize for #PF. That's the only exception which matters performance > wise */ > > + if (likely(regs->fred_ss.vector == X86_TRAP_PF)) { > > + exc_page_fault(regs, error_code); > > + return; > > + } > > + > > + switch (regs->fred_ss.vector) { > > + case X86_TRAP_DE: return exc_divide_error(regs); > > + case X86_TRAP_DB: return fred_exc_debug(regs); > > + case X86_TRAP_BP: return exc_int3(regs); > > + case X86_TRAP_OF: return exc_overflow(regs); > > Depending on what you want to do with BP/OF vs fred_intx(), this may need > adjusting. > > If you are cross-checking type and vector, then these should be rejected for > not > being of type HWEXC. > > > + case X86_TRAP_BR: return exc_bounds(regs); > > + case X86_TRAP_UD: return exc_invalid_op(regs); > > + case X86_TRAP_NM: return exc_device_not_available(regs); > > + case X86_TRAP_DF: return exc_double_fault(regs, error_code); > > + case X86_TRAP_TS: return exc_invalid_tss(regs, error_code); > > + case X86_TRAP_NP: return exc_segment_not_present(regs, error_code); > > + case X86_TRAP_SS: return exc_stack_segment(regs, error_code); > > + case X86_TRAP_GP: return exc_general_protection(regs, error_code); > > + case X86_TRAP_MF: return exc_coprocessor_error(regs); > > + case X86_TRAP_AC: return exc_alignment_check(regs, error_code); > > + case X86_TRAP_XF: return exc_simd_coprocessor_error(regs); > > + > > +#ifdef CONFIG_X86_MCE > > + case X86_TRAP_MC: return fred_exc_machine_check(regs); #endif #ifdef > > +CONFIG_INTEL_TDX_GUEST > > + case X86_TRAP_VE: return exc_virtualization_exception(regs); > > +#endif > > +#ifdef CONFIG_X86_KERNEL_IBT > > CONFIG_X86_CET > > Userspace can use CET even if the kernel isn't compiled with IBT, so this > exception needs handling. > > > + case X86_TRAP_CP: return exc_control_protection(regs, error_code); > > +#endif > > + default: return fred_bad_type(regs, error_code); > > + } > > +} > > + > > +__visible noinstr void fred_entry_from_user(struct pt_regs *regs) { > > + unsigned long error_code = regs->orig_ax; > > + > > + /* Invalidate orig_ax so that syscall_get_nr() works correctly */ > > + regs->orig_ax = -1; > > + > > + switch (regs->fred_ss.type) { > > + case EVENT_TYPE_EXTINT: > > + return fred_extint(regs); > > + case EVENT_TYPE_NMI: > > + return fred_exc_nmi(regs); > > + case EVENT_TYPE_SWINT: > > + return fred_intx(regs); > > + case EVENT_TYPE_HWEXC: > > + case EVENT_TYPE_SWEXC: > > + case EVENT_TYPE_PRIV_SWEXC: > > + return fred_exception(regs, error_code); > > PRIV_SWEXC should have it's own function and not fall into fred_exception(). > > It is strictly only the ICEBP (INT1) instruction at the moment, so should > fall into > bad_type() for any vector other than X86_TRAP_DB. > > > + case EVENT_TYPE_OTHER: > > + return fred_other(regs); > > + default: > > + return fred_bad_type(regs, error_code); > > + } > > +} > > ~Andrew Thanks a lot for your quick review, will address soon. Xin
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |