2 Commits

Author SHA1 Message Date
Andy Lutomirski
8bb2610bc4 x86/entry/64/compat: Preserve r8-r11 in int $0x80
32-bit user code that uses int $80 doesn't care about r8-r11.  There is,
however, some 64-bit user code that intentionally uses int $0x80 to invoke
32-bit system calls.  From what I've seen, basically all such code assumes
that r8-r15 are all preserved, but the kernel clobbers r8-r11.  Since I
doubt that there's any code that depends on int $0x80 zeroing r8-r11,
change the kernel to preserve them.

I suspect that very little user code is broken by the old clobber, since
r8-r11 are only rarely allocated by gcc, and they're clobbered by function
calls, so the only way we'd see a problem is if the same function that
invokes int $0x80 also spills something important to one of these
registers.

The current behavior seems to date back to the historical commit
"[PATCH] x86-64 merge for 2.6.4".  Before that, all regs were
preserved.  I can't find any explanation of why this change was made.

Update the test_syscall_vdso_32 testcase as well to verify the new
behavior, and it strengthens the test to make sure that the kernel doesn't
accidentally permute r8..r15.

Suggested-by: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Link: https://lkml.kernel.org/r/d4c4d9985fbe64f8c9e19291886453914b48caee.1523975710.git.luto@kernel.org
2018-04-27 17:07:58 +02:00
Denys Vlasenko
c25be94f28 x86/asm/entry/32, selftests: Add 'test_syscall_vdso' test
This new test checks that all x86 registers are preserved across
32-bit syscalls. It tests syscalls through VDSO (if available)
and through INT 0x80, normally and under ptrace.

If the kernel is a 64-bit one, high registers (r8..r15) are poisoned
before the syscall is called and are checked afterwards.

They must be either preserved, or cleared to zero (but r11 is
special); r12..15 must be preserved for INT 0x80.

EFLAGS is checked for changes too, but change there is not
considered to be a bug (paravirt kernels do not preserve
arithmetic flags).

Run-tested on 64-bit kernel:

	$ ./test_syscall_vdso_32
	[RUN]	Executing 6-argument 32-bit syscall via VDSO
	[OK]	Arguments are preserved across syscall
	[NOTE]	R11 has changed:0000000000200ed7 - assuming clobbered by SYSRET insn
	[OK]	R8..R15 did not leak kernel data
	[RUN]	Executing 6-argument 32-bit syscall via INT 80
	[OK]	Arguments are preserved across syscall
	[OK]	R8..R15 did not leak kernel data
	[RUN]	Running tests under ptrace
	[RUN]	Executing 6-argument 32-bit syscall via VDSO
	[OK]	Arguments are preserved across syscall
	[OK]	R8..R15 did not leak kernel data
	[RUN]	Executing 6-argument 32-bit syscall via INT 80
	[OK]	Arguments are preserved across syscall
	[OK]	R8..R15 did not leak kernel data

On 32-bit paravirt kernel:

	$ ./test_syscall_vdso_32
	[NOTE]	Not a 64-bit kernel, won't test R8..R15 leaks
	[RUN]	Executing 6-argument 32-bit syscall via VDSO
	[WARN]	Flags before=0000000000200ed7 id 0 00 o d i s z 0 a 0 p 1 c
	[WARN]	Flags  after=0000000000200246 id 0 00 i z 0 0 p 1
	[WARN]	Flags change=0000000000000c91 0 00 o d s 0 a 0 0 c
	[OK]	Arguments are preserved across syscall
	[RUN]	Executing 6-argument 32-bit syscall via INT 80
	[OK]	Arguments are preserved across syscall
	[RUN]	Running tests under ptrace
	[RUN]	Executing 6-argument 32-bit syscall via VDSO
	[OK]	Arguments are preserved across syscall
	[RUN]	Executing 6-argument 32-bit syscall via INT 80
	[OK]	Arguments are preserved across syscall

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/1442427809-2027-1-git-send-email-dvlasenk@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-18 09:40:48 +02:00
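
The register rule the two commit messages describe (poison r8..r15, make a 32-bit syscall, then accept only "preserved" or "cleared to zero", with r12..r15 always preserved for INT 0x80 and r8..r11 too after 8bb2610bc4) can be written as a small checker. This is an added example, not the selftest's own code. The names `poison_regs`, `check_high_regs` and `int80_probe`, the poison pattern, and limiting the r11 exemption to the VDSO path are assumptions.

```c
#include <stdint.h>

enum entry { VIA_VDSO, VIA_INT80 };

/* Constructed poison: r8 = 0x8888..., r9 = 0x9999..., ..., r15 = 0xffff...;
 * distinct per register, so a permutation of r8..r15 is caught as well. */
void poison_regs(uint64_t v[8])
{
    for (int i = 0; i < 8; i++)
        v[i] = 0x1111111111111111ULL * (uint64_t)(8 + i);
}

/* Bit i set = r(8+i) fails the rule; int80_preserves_all=1 models 8bb2610bc4. */
unsigned check_high_regs(enum entry how, int int80_preserves_all,
                         const uint64_t before[8], const uint64_t after[8])
{
    unsigned bad = 0;
    for (int i = 0; i < 8; i++) {
        int must_keep = how == VIA_INT80 && (i >= 4 || int80_preserves_all);
        if (after[i] == before[i])
            continue;                   /* preserved */
        if (!must_keep && after[i] == 0)
            continue;                   /* cleared to zero, nothing leaked */
        if (!must_keep && i == 3 && how == VIA_VDSO)
            continue;                   /* assumed: r11 rewritten by SYSRET */
        bad |= 1u << i;                 /* possible kernel data or broken ABI */
    }
    return bad;
}

#if defined(__x86_64__) && defined(__linux__)
/* Live probe: 32-bit getpid (nr 20) from 64-bit code with r8..r15 poisoned. */
static void int80_probe(const uint64_t *before, uint64_t *after)
{
    long nr = 20;
    __asm__ volatile(
        "mov 0(%1),%%r8; mov 8(%1),%%r9; mov 16(%1),%%r10; mov 24(%1),%%r11;"
        "mov 32(%1),%%r12; mov 40(%1),%%r13; mov 48(%1),%%r14; mov 56(%1),%%r15; int $0x80;"
        "mov %%r8,0(%2); mov %%r9,8(%2); mov %%r10,16(%2); mov %%r11,24(%2);"
        "mov %%r12,32(%2); mov %%r13,40(%2); mov %%r14,48(%2); mov %%r15,56(%2)"
        : "+a"(nr) : "S"(before), "D"(after)
        : "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "memory", "cc");
}
int main(void)
{
    uint64_t before[8], after[8];
    poison_regs(before);
    int80_probe(before, after);
    return (int)check_high_regs(VIA_INT80, 1, before, after); /* exit status = bad mask */
}
#endif
```

The exit status is the mask of offending registers. A kernel that still zeroes r8..r11 on int $0x80 yields 0xf under the strict setting used in `main`.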