Commit 75045f77 authored by Jann Horn's avatar Jann Horn Committed by Thomas Gleixner
Browse files

x86/extable: Introduce _ASM_EXTABLE_UA for uaccess fixups 



Currently, most fixups for attempting to access userspace memory are
handled using _ASM_EXTABLE, which is also used for various other types of
fixups (e.g. safe MSR access, IRET failures, and a bunch of other things).
In order to make it possible to add special safety checks to uaccess fixups
(in particular, checking whether the fault address is actually in
userspace), introduce a new exception table handler ex_handler_uaccess()
and wire it up to all the user access fixups (excluding ones that
already use _ASM_EXTABLE_EX).

Signed-off-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Tested-by: default avatarKees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: kernel-hardening@lists.openwall.com
Cc: dvyukov@google.com
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Link: https://lkml.kernel.org/r/20180828201421.157735-5-jannh@google.com
parent e3e4d501

arch/x86/include/asm/asm.h

+8 −2
Original line number Diff line number Diff line
@@ -130,6 +130,9 @@ 
# define _ASM_EXTABLE(from, to)					\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_default)



# define _ASM_EXTABLE_UA(from, to)				\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_uaccess)



# define _ASM_EXTABLE_FAULT(from, to)				\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_fault)
@@ -165,8 +168,8 @@ 
	jmp copy_user_handle_tail

	.previous



	_ASM_EXTABLE(100b,103b)

	_ASM_EXTABLE(101b,103b)

	_ASM_EXTABLE_UA(100b, 103b)

	_ASM_EXTABLE_UA(101b, 103b)

	.endm



#else
@@ -182,6 +185,9 @@ 
# define _ASM_EXTABLE(from, to)					\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_default)



# define _ASM_EXTABLE_UA(from, to)				\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_uaccess)



# define _ASM_EXTABLE_FAULT(from, to)				\

	_ASM_EXTABLE_HANDLE(from, to, ex_handler_fault)

arch/x86/include/asm/fpu/internal.h

+1 −1
Original line number Diff line number Diff line
@@ -226,7 +226,7 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu) 
		     "3: movl $-2,%[err]\n\t"				\

		     "jmp 2b\n\t"					\

		     ".popsection\n\t"					\

		     _ASM_EXTABLE(1b, 3b)				\

		     _ASM_EXTABLE_UA(1b, 3b)				\

		     : [err] "=r" (err)					\

		     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)	\

		     : "memory")

arch/x86/include/asm/futex.h

+3 −3
Original line number Diff line number Diff line
@@ -20,7 +20,7 @@ 
		     "3:\tmov\t%3, %1\n"			\

		     "\tjmp\t2b\n"				\

		     "\t.previous\n"				\

		     _ASM_EXTABLE(1b, 3b)			\

		     _ASM_EXTABLE_UA(1b, 3b)			\

		     : "=r" (oldval), "=r" (ret), "+m" (*uaddr)	\

		     : "i" (-EFAULT), "0" (oparg), "1" (0))
@@ -36,8 +36,8 @@ 
		     "4:\tmov\t%5, %1\n"			\

		     "\tjmp\t3b\n"				\

		     "\t.previous\n"				\

		     _ASM_EXTABLE(1b, 4b)			\

		     _ASM_EXTABLE(2b, 4b)			\

		     _ASM_EXTABLE_UA(1b, 4b)			\

		     _ASM_EXTABLE_UA(2b, 4b)			\

		     : "=&a" (oldval), "=&r" (ret),		\

		       "+m" (*uaddr), "=&r" (tem)		\

		     : "r" (oparg), "i" (-EFAULT), "1" (0))

arch/x86/include/asm/uaccess.h

+11 −11
Original line number Diff line number Diff line
@@ -198,8 +198,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) 
		     "4:	movl %3,%0\n"				\

		     "	jmp 3b\n"					\

		     ".previous\n"					\

		     _ASM_EXTABLE(1b, 4b)				\

		     _ASM_EXTABLE(2b, 4b)				\

		     _ASM_EXTABLE_UA(1b, 4b)				\

		     _ASM_EXTABLE_UA(2b, 4b)				\

		     : "=r" (err)					\

		     : "A" (x), "r" (addr), "i" (errret), "0" (err))
@@ -340,8 +340,8 @@ do { \ 
		     "	xorl %%edx,%%edx\n"				\

		     "	jmp 3b\n"					\

		     ".previous\n"					\

		     _ASM_EXTABLE(1b, 4b)				\

		     _ASM_EXTABLE(2b, 4b)				\

		     _ASM_EXTABLE_UA(1b, 4b)				\

		     _ASM_EXTABLE_UA(2b, 4b)				\

		     : "=r" (retval), "=&A"(x)				\

		     : "m" (__m(__ptr)), "m" __m(((u32 __user *)(__ptr)) + 1),	\

		       "i" (errret), "0" (retval));			\
@@ -386,7 +386,7 @@ do { \ 
		     "	xor"itype" %"rtype"1,%"rtype"1\n"		\

		     "	jmp 2b\n"					\

		     ".previous\n"					\

		     _ASM_EXTABLE(1b, 3b)				\

		     _ASM_EXTABLE_UA(1b, 3b)				\

		     : "=r" (err), ltype(x)				\

		     : "m" (__m(addr)), "i" (errret), "0" (err))
@@ -398,7 +398,7 @@ do { \ 
		     "3:	mov %3,%0\n"				\

		     "	jmp 2b\n"					\

		     ".previous\n"					\

		     _ASM_EXTABLE(1b, 3b)				\

		     _ASM_EXTABLE_UA(1b, 3b)				\

		     : "=r" (err), ltype(x)				\

		     : "m" (__m(addr)), "i" (errret), "0" (err))
@@ -474,7 +474,7 @@ struct __large_struct { unsigned long buf[100]; }; 
		     "3:	mov %3,%0\n"				\

		     "	jmp 2b\n"					\

		     ".previous\n"					\

		     _ASM_EXTABLE(1b, 3b)				\

		     _ASM_EXTABLE_UA(1b, 3b)				\

		     : "=r"(err)					\

		     : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
@@ -602,7 +602,7 @@ extern void __cmpxchg_wrong_size(void) 
			"3:\tmov     %3, %0\n"				\

			"\tjmp     2b\n"				\

			"\t.previous\n"					\

			_ASM_EXTABLE(1b, 3b)				\

			_ASM_EXTABLE_UA(1b, 3b)				\

			: "+r" (__ret), "=a" (__old), "+m" (*(ptr))	\

			: "i" (-EFAULT), "q" (__new), "1" (__old)	\

			: "memory"					\
@@ -618,7 +618,7 @@ extern void __cmpxchg_wrong_size(void) 
			"3:\tmov     %3, %0\n"				\

			"\tjmp     2b\n"				\

			"\t.previous\n"					\

			_ASM_EXTABLE(1b, 3b)				\

			_ASM_EXTABLE_UA(1b, 3b)				\

			: "+r" (__ret), "=a" (__old), "+m" (*(ptr))	\

			: "i" (-EFAULT), "r" (__new), "1" (__old)	\

			: "memory"					\
@@ -634,7 +634,7 @@ extern void __cmpxchg_wrong_size(void) 
			"3:\tmov     %3, %0\n"				\

			"\tjmp     2b\n"				\

			"\t.previous\n"					\

			_ASM_EXTABLE(1b, 3b)				\

			_ASM_EXTABLE_UA(1b, 3b)				\

			: "+r" (__ret), "=a" (__old), "+m" (*(ptr))	\

			: "i" (-EFAULT), "r" (__new), "1" (__old)	\

			: "memory"					\
@@ -653,7 +653,7 @@ extern void __cmpxchg_wrong_size(void) 
			"3:\tmov     %3, %0\n"				\

			"\tjmp     2b\n"				\

			"\t.previous\n"					\

			_ASM_EXTABLE(1b, 3b)				\

			_ASM_EXTABLE_UA(1b, 3b)				\

			: "+r" (__ret), "=a" (__old), "+m" (*(ptr))	\

			: "i" (-EFAULT), "r" (__new), "1" (__old)	\

			: "memory"					\

arch/x86/lib/checksum_32.S

+2 −2
Original line number Diff line number Diff line
@@ -273,11 +273,11 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst, 


#define SRC(y...)			\

	9999: y;			\

	_ASM_EXTABLE(9999b, 6001f)

	_ASM_EXTABLE_UA(9999b, 6001f)



#define DST(y...)			\

	9999: y;			\

	_ASM_EXTABLE(9999b, 6002f)

	_ASM_EXTABLE_UA(9999b, 6002f)



#ifndef CONFIG_X86_USE_PPRO_CHECKSUM

CRA Git | Maintained and supported by SUSTech CRA and CCSE