From patchwork Sat Mar 25 19:33:49 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 74979
From: Rick Edgecombe
To: x86@kernel.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, "H . Peter Anvin", Peter Zijlstra, Dan Carpenter, linux-kernel@vger.kernel.org
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH] x86: Enforce only whole copies for ssp_set()
Date: Sat, 25 Mar 2023 12:33:49 -0700
Message-Id: <20230325193349.31893-1-rick.p.edgecombe@intel.com>

The regset set interface takes pos and count arguments to allow for partial copies. No callers use a non-zero pos, but ptrace allows for the count to be specified. It limits count to be a multiple of regset size, so this still allows for a zero size to be passed to ssp_set().

In ssp_set(), user_regset_copyin() returns success for copying zero bytes, which means user_ssp can later be accessed uninitialized. So add enforcement for this case. The other regsets also enforce pos == 0, so do that as well even though there is no caller today.

In the case of partial copies, some regsets return -EINVAL and some return -EFAULT. -EINVAL seems more appropriate, so use that error code.

Fixes: d84e6ee122e5 ("x86: Add PTRACE interface for shadow stack")
Reported-by: Dan Carpenter
Link: https://lore.kernel.org/all/90af27cc-6c9d-4fb9-be3b-fc4ef378766d@kili.mountain/
Signed-off-by: Rick Edgecombe
---
Hi x86 maintainers,

While debugging this I wrote a shadow stack ptrace selftest that tries a bunch of invalid values. I thought to save it for a future series with selftests enhancements, unless you'd like to see it sooner.

Thanks,
Rick
---
 arch/x86/kernel/fpu/regset.c | 3 +++
 1 file changed, 3 insertions(+)

base-commit: b642e9e5f0dc797f543b431d4ba910a3da72a074
diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c index f0a8eaf7c52e..6bc1eb2a21bd 100644 --- a/arch/x86/kernel/fpu/regset.c +++ b/arch/x86/kernel/fpu/regset.c @@ -223,6 +223,9 @@ int ssp_set(struct task_struct *target, const struct user_regset *regset, !ssp_active(target, regset)) return -ENODEV; + if (pos != 0 || count != sizeof(user_ssp)) + return -EINVAL; + r = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &user_ssp, 0, -1); if (r) return r;
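
Review bot: The added `if (pos != 0 || count != sizeof(user_ssp))` check in ssp_set() has no comment, and the reason it must stay (user_regset_copyin() returns success for a zero-byte copy, which leaves user_ssp uninitialized for the code that follows) is recorded only in the commit message. A short comment above the check saying that only whole copies are accepted, and why, would keep a later cleanup from dropping it as redundant with the copy helper. Since the check now guarantees a full-size copy from offset 0, the `0, -1` range passed to user_regset_copyin() could also be written as `0, sizeof(user_ssp)` so the bound is explicit at the call site. The ptrace selftest mentioned in the notes exercises exactly this path, so sending it together with the fix would give the zero-count and non-zero-pos cases regression coverage from the start.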