From patchwork Sat Feb 3 12:25:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Brown X-Patchwork-Id: 196283 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7301:9bc1:b0:106:209c:c626 with SMTP id op1csp996402dyc; Sat, 3 Feb 2024 04:43:20 -0800 (PST) X-Google-Smtp-Source: AGHT+IE1ggZMBou8daD6pXkx3sY6zE8S7J1moI9FEIzo2HnD3fJzyaCTQr2VImmcZvjWsuq1bS8h X-Received: by 2002:a17:902:b788:b0:1d8:ebdf:182a with SMTP id e8-20020a170902b78800b001d8ebdf182amr4670570pls.44.1706964200420; Sat, 03 Feb 2024 04:43:20 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706964200; cv=pass; d=google.com; s=arc-20160816; b=y7mu/vxvYCyPjDfqR76sWDi/ayxWbj9YucFPHtyvnkjtc6amcuwRP5B4+SomJgrhbO hS4Rpady29G7nC6DvyNwnAHTUb48IvW21C+f0skMsdrQ1Xr5nNEKncVwqEKOCAtMOtWg 653yVkQYxw4828D12SvE23iXhG4LpmdGtkgU9XZ5UUHdOMmV48fdLLoouXcwR33fr3tf TOaYzsaC3YNw/R1ADjn3C20W9XJA/+OqjfCHvU5PHqBBbPr1aDCB8hKN512qAhDi/QOn TfSNotWF+OjZ5gJDrrmg1gSpb7Zm8f8Mv+NLVli+u9sNbLzfbJVCNojGHqudIn6JvpV3 aw7Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :subject:date:from:dkim-signature; bh=kf0+kuhXIdkWdKsqRM/hren6K91s16yFpHJbb+7CawU=; fh=q3la/ZMRtktPE33TzxSOxu1r0sAF28NoIF+bSf23uIM=; b=DS6gZp0WdfQEZK+o8+AZ7rkeii+sJycWYDrk7SgCc/xB8QNg1VfCyo6+Ok+aVuV16O e0iBjO0ja6vIpnQl1g4veNgjWEwloxyunDAvMgRPkkcLEKTs6RTwsYjOAnFeXZD7YzDT rdMrngwd/1ka9zRmKeah+UZDuCjTBYs7fxSSv0KbKxbIfEZkla4X80s65pbWIGgo/TBs JYUkclp/QnzgO5VkULNP5iP/V+2dkOxC8jQw/xsYh9MNSDQVCANFC4/wKSiYUU2jRJYL vPx1kxejM+HcVlAfxphfry/cAFjiedXRzst2DA0dCb7E7wG/U85d6yJM0zIwSkfbvxXS RbHw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jW2gqdbM; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-51065-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-51065-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org X-Forwarded-Encrypted: i=1; AJvYcCX6b9L0n2GmAfehe87UaXnLMXhT3cGuhenMRPc0ZYu3w6p9Wt1iUf2xMIW+H6sOxxPa9+gbqdFaOAjVub9HcnVQWjXpBA== Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id i17-20020a170902c95100b001d750613651si1294013pla.203.2024.02.03.04.43.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Feb 2024 04:43:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-51065-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jW2gqdbM; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-51065-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-51065-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id E125EB21A80 for ; Sat, 3 Feb 2024 12:39:19 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0818D74E05; Sat, 3 Feb 2024 12:32:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jW2gqdbM" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 328535F561; Sat, 3 Feb 2024 12:32:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706963537; cv=none; b=afmAEmn6VMJajIT3V7GJqrAO27HcFOzX8hCoLYPW2HmbC/yqmc0k83bWp5Y7dJViFLLzFRZ40Xg+p6osFBPNTlNLW2CO9tGH13qn49Vt5nShcgJqZdlEs94cyXbj4be+nDeCnnl7KdQ5zFt6jlGgP1OnFzC7vSKKAci1LHl2w8Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706963537; c=relaxed/simple; bh=Ivqpdle3E1tJpwmrfahier3b/6hrTNZg1uoFbX2zWm4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=WZC9m0pDzKanNP9Z9u5XKNasSrQr3Vj/s+KGmvfRYUmfnzYtHkfkjIS5nynJmvMrUPjHnAa1P139c8xkqPxNJl/PX/1mVuQiL/oWbjPbKKcXC0SEyY4H80mtthaoHf6lUStWOzEcKe8+gbZFr/yVi9cLCHrbcv53+VS+YHgGvs0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jW2gqdbM; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4D0E7C433B1; Sat, 3 Feb 2024 12:32:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1706963536; bh=Ivqpdle3E1tJpwmrfahier3b/6hrTNZg1uoFbX2zWm4=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=jW2gqdbMO2ahiVdWdt/i6mRHmQ8bP6VU1lTH0YqY/DTN41GYwBD12b+jOBHvcIb4O 5Vl6n+cING38vSq9IKL7J/KwAfiv5B+tV1EaH4p6ZtX3QkIrURzQvex77X96n8cDfN TgQ6RC/TTmAH/Sos0BqT0XSsm8OfzRtJlPDBqyaDPZkwS8Kgwr96OAr9nLdZPVbn0B TIzhlm84cWxyqEl+Je+BCVcMuNzGOae/02tx5Ji+/+gr8mREURcatSODBsODQQKAm5 VfPBtxBcAqzLaLkDR3Dg2K4+rAWJOlGLefXZXJkbqXTbN3JqIQ/Sgc+tAAmMYbAD6t kroZE4OTZlvcQ== From: Mark Brown Date: Sat, 03 Feb 2024 12:25:49 +0000 Subject: [PATCH v8 23/38] arm64/signal: Set up and restore the GCS context for signal handlers Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240203-arm64-gcs-v8-23-c9fec77673ef@kernel.org> References: <20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org> In-Reply-To: <20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org> To: Catalin Marinas , Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Kees Cook , Shuah Khan , "Rick P. Edgecombe" , Deepak Gupta , Ard Biesheuvel , Szabolcs Nagy Cc: "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , Florian Weimer , Christian Brauner , Thiago Jung Bauermann , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Mark Brown X-Mailer: b4 0.13-dev-a684c X-Developer-Signature: v=1; a=openpgp-sha256; l=7344; i=broonie@kernel.org; h=from:subject:message-id; bh=Ivqpdle3E1tJpwmrfahier3b/6hrTNZg1uoFbX2zWm4=; b=owEBbQGS/pANAwAKASTWi3JdVIfQAcsmYgBlvjDjVeSPBEplvRBeGrair4X3hxmDqtqW7Drq6QFa pzDgz8qJATMEAAEKAB0WIQSt5miqZ1cYtZ/in+ok1otyXVSH0AUCZb4w4wAKCRAk1otyXVSH0Ca4B/ 0dEhD/qVtQvI6SQR6Gz+ZgErKI/4Fudbf7sAR3pfFJlJgNgma9ODEJcuMwSNDpnj9BSzbXCm80sG2o eVs6tInzlBFuE6xNi4JF3qn7hDJetgYDOQmK+A63bJYQyTsupMCsWkj1li3egnbzKnOwSnGmSbV15i O/vyn+ZiL9zRRXqwI5reWQjFKnonsBIaMiVKM8fAOgJuz+pZVeWigGvg72S29yhPxJbw2I1ln4fwnS rEjv+F3SZ8qRUgBiYfaJyiduRKaw78mAGj0kBnsTjhgyuKdrhOeVUyFZU0lHuYsdhpwjXMGHZYBd4g ZIh8MgGcZ/SYqxtPbC3Y0oa5lBStlO X-Developer-Key: i=broonie@kernel.org; a=openpgp; fpr=3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1789881693231320628 X-GMAIL-MSGID: 1789881693231320628 When invoking a signal handler we use the GCS configuration and stack for the current thread. Since we implement signal return by calling the signal handler with a return address set up pointing to a trampoline in the vDSO we need to also configure any active GCS for this by pushing a frame for the trampoline onto the GCS. If we do not do this then signal return will generate a GCS protection fault. In order to guard against attempts to bypass GCS protections via signal return we only allow returning with GCSPR_EL0 pointing to an address where it was previously preempted by a signal. We do this by pushing a cap onto the GCS, this takes the form of an architectural GCS cap token with the top bit set and token type of 0 which we add on signal entry and validate and pop off on signal return. The combination of the top bit being set and the token type mean that this can't be interpreted as a valid token or address. Signed-off-by: Mark Brown --- arch/arm64/include/asm/gcs.h | 1 + arch/arm64/kernel/signal.c | 134 +++++++++++++++++++++++++++++++++++++++++-- arch/arm64/mm/gcs.c | 1 + 3 files changed, 131 insertions(+), 5 deletions(-) diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h index 48c97e63e56a..f50660603ecf 100644 --- a/arch/arm64/include/asm/gcs.h +++ b/arch/arm64/include/asm/gcs.h @@ -9,6 +9,7 @@ #include struct kernel_clone_args; +struct ksignal; static inline void gcsb_dsync(void) { diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 0e8beb3349ea..1cca646a7479 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -34,6 +35,37 @@ #include #include +#ifdef CONFIG_ARM64_GCS +/* Extra bit set in the address distinguishing a signal cap token. */ +#define GCS_SIGNAL_CAP_FLAG BIT(63) + +#define GCS_SIGNAL_CAP(addr) ((((unsigned long)addr) & GCS_CAP_ADDR_MASK) | \ + GCS_SIGNAL_CAP_FLAG) + +static bool gcs_signal_cap_valid(u64 addr, u64 val) +{ + /* + * The top bit should be set, this is an invalid address for + * EL0 and will only be set for caps created by signals. + */ + if (!(val & GCS_SIGNAL_CAP_FLAG)) + return false; + + /* The rest should be a standard architectural cap token. */ + val &= ~GCS_SIGNAL_CAP_FLAG; + + /* The cap must not have a token set */ + if (GCS_CAP_TOKEN(val) != 0) + return false; + + /* The cap must store the VA the cap was stored at */ + if (GCS_CAP_ADDR(addr) != GCS_CAP_ADDR(val)) + return false; + + return true; +} +#endif + /* * Do a signal return; undo the signal stack. These are aligned to 128-bit. */ @@ -815,6 +847,50 @@ static int restore_sigframe(struct pt_regs *regs, return err; } +#ifdef CONFIG_ARM64_GCS +static int gcs_restore_signal(void) +{ + u64 gcspr_el0, cap; + int ret; + + if (!system_supports_gcs()) + return 0; + + if (!(current->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE)) + return 0; + + gcspr_el0 = read_sysreg_s(SYS_GCSPR_EL0); + + /* + * GCSPR_EL0 should be pointing at a capped GCS, read the cap... + */ + gcsb_dsync(); + ret = copy_from_user(&cap, (__user void*)gcspr_el0, sizeof(cap)); + if (ret) + return -EFAULT; + + /* + * ...then check that the cap is the actual GCS before + * restoring it. + */ + if (!gcs_signal_cap_valid(gcspr_el0, cap)) + return -EINVAL; + + /* Invalidate the token to prevent reuse */ + put_user_gcs(0, (__user void*)gcspr_el0, &ret); + if (ret != 0) + return -EFAULT; + + current->thread.gcspr_el0 = gcspr_el0 + sizeof(cap); + write_sysreg_s(current->thread.gcspr_el0, SYS_GCSPR_EL0); + + return 0; +} + +#else +static int gcs_restore_signal(void) { return 0; } +#endif + SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); @@ -841,6 +917,9 @@ SYSCALL_DEFINE0(rt_sigreturn) if (restore_altstack(&frame->uc.uc_stack)) goto badframe; + if (gcs_restore_signal()) + goto badframe; + return regs->regs[0]; badframe: @@ -1071,7 +1150,50 @@ static int get_sigframe(struct rt_sigframe_user_layout *user, return 0; } -static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, +#ifdef CONFIG_ARM64_GCS + +static int gcs_signal_entry(__sigrestore_t sigtramp, struct ksignal *ksig) +{ + unsigned long __user *gcspr_el0; + int ret = 0; + + if (!system_supports_gcs()) + return 0; + + if (!task_gcs_el0_enabled(current)) + return 0; + + /* + * We are entering a signal handler, current register state is + * active. + */ + gcspr_el0 = (unsigned long __user *)read_sysreg_s(SYS_GCSPR_EL0); + + /* + * Push a cap and the GCS entry for the trampoline onto the GCS. + */ + put_user_gcs((unsigned long)sigtramp, gcspr_el0 - 2, &ret); + put_user_gcs(GCS_SIGNAL_CAP(gcspr_el0 - 1), gcspr_el0 - 1, &ret); + if (ret != 0) + return ret; + + gcsb_dsync(); + + gcspr_el0 -= 2; + write_sysreg_s((unsigned long)gcspr_el0, SYS_GCSPR_EL0); + + return 0; +} +#else + +static int gcs_signal_entry(__sigrestore_t sigtramp, struct ksignal *ksig) +{ + return 0; +} + +#endif + +static int setup_return(struct pt_regs *regs, struct ksignal *ksig, struct rt_sigframe_user_layout *user, int usig) { __sigrestore_t sigtramp; @@ -1079,7 +1201,7 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, regs->regs[0] = usig; regs->sp = (unsigned long)user->sigframe; regs->regs[29] = (unsigned long)&user->next_frame->fp; - regs->pc = (unsigned long)ka->sa.sa_handler; + regs->pc = (unsigned long)ksig->ka.sa.sa_handler; /* * Signal delivery is a (wacky) indirect function call in @@ -1119,12 +1241,14 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, sme_smstop(); } - if (ka->sa.sa_flags & SA_RESTORER) - sigtramp = ka->sa.sa_restorer; + if (ksig->ka.sa.sa_flags & SA_RESTORER) + sigtramp = ksig->ka.sa.sa_restorer; else sigtramp = VDSO_SYMBOL(current->mm->context.vdso, sigtramp); regs->regs[30] = (unsigned long)sigtramp; + + return gcs_signal_entry(sigtramp, ksig); } static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, @@ -1147,7 +1271,7 @@ static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, err |= __save_altstack(&frame->uc.uc_stack, regs->sp); err |= setup_sigframe(&user, regs, set); if (err == 0) { - setup_return(regs, &ksig->ka, &user, usig); + err = setup_return(regs, ksig, &user, usig); if (ksig->ka.sa.sa_flags & SA_SIGINFO) { err |= copy_siginfo_to_user(&frame->info, &ksig->info); regs->regs[1] = (unsigned long)&frame->info; diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c index f34821d98d85..2d8e54316fe2 100644 --- a/arch/arm64/mm/gcs.c +++ b/arch/arm64/mm/gcs.c @@ -6,6 +6,7 @@ #include #include +#include #include static unsigned long alloc_gcs(unsigned long addr, unsigned long size,