* [PATCH] x86-64: don't leak kernel register values to 32-bit processes
@ 2009-09-30 10:22 Jan Beulich
2009-10-01 9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
2009-10-07 9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
0 siblings, 2 replies; 6+ messages in thread
From: Jan Beulich @ 2009-09-30 10:22 UTC (permalink / raw
To: mingo, tglx, hpa; +Cc: linux-kernel
While 32-bit processes can't directly access R8...R15, they can gain
access to these registers by temporarily switching themselves into
64-bit mode. Therefore, registers not preserved anyway by called C
functions (i.e. R8...R11) must be cleared prior to returning to user
mode.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
---
arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
--- linux-2.6.32-rc1/arch/x86/ia32/ia32entry.S 2009-09-30 11:48:25.000000000 +0200
+++ 2.6.32-rc1-x86_64-ia32-syscall-reg-leak/arch/x86/ia32/ia32entry.S 2009-09-28 16:16:44.000000000 +0200
@@ -21,8 +21,8 @@
#define __AUDIT_ARCH_LE 0x40000000
#ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
#endif
#define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@@ -39,12 +39,12 @@
.endm
/* clobbers %eax */
- .macro CLEAR_RREGS _r9=rax
+ .macro CLEAR_RREGS offset=0, _r9=rax
xorl %eax,%eax
- movq %rax,R11(%rsp)
- movq %rax,R10(%rsp)
- movq %\_r9,R9(%rsp)
- movq %rax,R8(%rsp)
+ movq %rax,\offset+R11(%rsp)
+ movq %rax,\offset+R10(%rsp)
+ movq %\_r9,\offset+R9(%rsp)
+ movq %rax,\offset+R8(%rsp)
.endm
/*
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
movl RIP-R11(%rsp),%edx /* User %eip */
CFI_REGISTER rip,rdx
RESTORE_ARGS 1,24,1,1,1,1
+ xorq %r8,%r8
+ xorq %r9,%r9
+ xorq %r10,%r10
+ xorq %r11,%r11
popfq
CFI_ADJUST_CFA_OFFSET -8
/*CFI_RESTORE rflags*/
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
.macro auditsys_exit exit,ebpsave=RBP
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
- jnz int_ret_from_sys_call
+ jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
sti
movl %eax,%esi /* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
cli
TRACE_IRQS_OFF
testl %edi,TI_flags(%r10)
- jnz int_with_check
- jmp \exit
+ jz \exit
+ CLEAR_RREGS -ARGOFFSET
+ jmp int_with_check
.endm
sysenter_auditsys:
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d
/*CFI_REGISTER rflags,r11*/
+ xorq %r10,%r10
+ xorq %r9,%r9
+ xorq %r8,%r8
TRACE_IRQS_ON
movl RSP-ARGOFFSET(%rsp),%esp
CFI_RESTORE rsp
@@ -353,7 +361,7 @@ cstar_tracesys:
#endif
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS r9
+ CLEAR_RREGS 0, r9
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -425,6 +433,8 @@ ia32_do_call:
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
ia32_sysret:
movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+ CLEAR_RREGS -ARGOFFSET
jmp int_ret_from_sys_call
ia32_tracesys:
@@ -442,8 +452,8 @@ END(ia32_syscall)
ia32_badsys:
movq $0,ORIG_RAX-ARGOFFSET(%rsp)
- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
- jmp int_ret_from_sys_call
+ movq $-ENOSYS,%rax
+ jmp ia32_sysret
quiet_ni_syscall:
movq $-ENOSYS,%rax
^ permalink raw reply [flat|nested] 6+ messages in thread
* [tip:x86/urgent] x86: Don't leak 64-bit kernel register values to 32-bit processes
2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
@ 2009-10-01 9:59 ` tip-bot for Jan Beulich
2009-10-07 9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
1 sibling, 0 replies; 6+ messages in thread
From: tip-bot for Jan Beulich @ 2009-10-01 9:59 UTC (permalink / raw
To: linux-tip-commits
Cc: linux-kernel, hpa, mingo, jbeulich, stable, JBeulich, tglx, mingo
Commit-ID: 24e35800cdc4350fc34e2bed37b608a9e13ab3b6
Gitweb: http://git.kernel.org/tip/24e35800cdc4350fc34e2bed37b608a9e13ab3b6
Author: Jan Beulich <JBeulich@novell.com>
AuthorDate: Wed, 30 Sep 2009 11:22:11 +0100
Committer: Ingo Molnar <mingo@elte.hu>
CommitDate: Thu, 1 Oct 2009 11:24:26 +0200
x86: Don't leak 64-bit kernel register values to 32-bit processes
While 32-bit processes can't directly access R8...R15, they can
gain access to these registers by temporarily switching themselves
into 64-bit mode.
Therefore, registers not preserved anyway by called C functions
(i.e. R8...R11) must be cleared prior to returning to user mode.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
1 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 74619c4..1733f9f 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -21,8 +21,8 @@
#define __AUDIT_ARCH_LE 0x40000000
#ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
#endif
#define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@@ -39,12 +39,12 @@
.endm
/* clobbers %eax */
- .macro CLEAR_RREGS _r9=rax
+ .macro CLEAR_RREGS offset=0, _r9=rax
xorl %eax,%eax
- movq %rax,R11(%rsp)
- movq %rax,R10(%rsp)
- movq %\_r9,R9(%rsp)
- movq %rax,R8(%rsp)
+ movq %rax,\offset+R11(%rsp)
+ movq %rax,\offset+R10(%rsp)
+ movq %\_r9,\offset+R9(%rsp)
+ movq %rax,\offset+R8(%rsp)
.endm
/*
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
movl RIP-R11(%rsp),%edx /* User %eip */
CFI_REGISTER rip,rdx
RESTORE_ARGS 1,24,1,1,1,1
+ xorq %r8,%r8
+ xorq %r9,%r9
+ xorq %r10,%r10
+ xorq %r11,%r11
popfq
CFI_ADJUST_CFA_OFFSET -8
/*CFI_RESTORE rflags*/
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
.macro auditsys_exit exit,ebpsave=RBP
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
- jnz int_ret_from_sys_call
+ jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
sti
movl %eax,%esi /* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
cli
TRACE_IRQS_OFF
testl %edi,TI_flags(%r10)
- jnz int_with_check
- jmp \exit
+ jz \exit
+ CLEAR_RREGS -ARGOFFSET
+ jmp int_with_check
.endm
sysenter_auditsys:
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d
/*CFI_REGISTER rflags,r11*/
+ xorq %r10,%r10
+ xorq %r9,%r9
+ xorq %r8,%r8
TRACE_IRQS_ON
movl RSP-ARGOFFSET(%rsp),%esp
CFI_RESTORE rsp
@@ -353,7 +361,7 @@ cstar_tracesys:
#endif
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS r9
+ CLEAR_RREGS 0, r9
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -425,6 +433,8 @@ ia32_do_call:
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
ia32_sysret:
movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+ CLEAR_RREGS -ARGOFFSET
jmp int_ret_from_sys_call
ia32_tracesys:
@@ -442,8 +452,8 @@ END(ia32_syscall)
ia32_badsys:
movq $0,ORIG_RAX-ARGOFFSET(%rsp)
- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
- jmp int_ret_from_sys_call
+ movq $-ENOSYS,%rax
+ jmp ia32_sysret
quiet_ni_syscall:
movq $-ENOSYS,%rax
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
2009-10-01 9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
@ 2009-10-07 9:44 ` Pavel Machek
2009-10-08 11:41 ` Jan Beulich
2009-10-08 18:58 ` H. Peter Anvin
1 sibling, 2 replies; 6+ messages in thread
From: Pavel Machek @ 2009-10-07 9:44 UTC (permalink / raw
To: Jan Beulich; +Cc: mingo, tglx, hpa, linux-kernel
Hi!
> While 32-bit processes can't directly access R8...R15, they can gain
> access to these registers by temporarily switching themselves into
> 64-bit mode. Therefore, registers not preserved anyway by called C
> functions (i.e. R8...R11) must be cleared prior to returning to user
> mode.
How can userspace "temporarily switch itself" to 64bit mode?
Such ability would lead to very interesting behaviour on 32-bit
kernel, I'd say...
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
2009-10-07 9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
@ 2009-10-08 11:41 ` Jan Beulich
2009-10-10 13:27 ` Pavel Machek
2009-10-08 18:58 ` H. Peter Anvin
1 sibling, 1 reply; 6+ messages in thread
From: Jan Beulich @ 2009-10-08 11:41 UTC (permalink / raw
To: Pavel Machek; +Cc: mingo, tglx, linux-kernel, hpa
>>> Pavel Machek <pavel@ucw.cz> 07.10.09 11:44 >>>
>How can userspace "temporarily switch itself" to 64bit mode?
By just determining (or guessing) the 64-bit user mode CS value, and far-
jumping/calling to an address with this CS as the selector.
>Such ability would lead to very interesting behaviour on 32-bit
>kernel, I'd say...
That won't work - you have to have a 64-bit kernel: EFER.LME and the L
bit of some user mode code segment descriptor must be set (or settable).
Consequently a 64-bit kernel could, if it wanted to, make it impossible for
user mode code to do such switching (and an example of this, where
security requires it, is 64-bit Xen disallowing 32-bit para-virtual guests
[kernel or user mode] to switch themselves into 64-bit mode).
Jan
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
2009-10-07 9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
2009-10-08 11:41 ` Jan Beulich
@ 2009-10-08 18:58 ` H. Peter Anvin
1 sibling, 0 replies; 6+ messages in thread
From: H. Peter Anvin @ 2009-10-08 18:58 UTC (permalink / raw
To: Pavel Machek; +Cc: Jan Beulich, mingo, tglx, linux-kernel
On 10/07/2009 02:44 AM, Pavel Machek wrote:
> Hi!
>
>> While 32-bit processes can't directly access R8...R15, they can gain
>> access to these registers by temporarily switching themselves into
>> 64-bit mode. Therefore, registers not preserved anyway by called C
>> functions (i.e. R8...R11) must be cleared prior to returning to user
>> mode.
>
> How can userspace "temporarily switch itself" to 64bit mode?
>
> Such ability would lead to very interesting behaviour on 32-bit
> kernel, I'd say...
You can only do so with a 64-bit kernel, but on a 64-bit kernel you can
do it by executing a far jump to segment USER_CS (0x33).
-hpa
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] x86-64: don't leak kernel register values to 32-bit processes
2009-10-08 11:41 ` Jan Beulich
@ 2009-10-10 13:27 ` Pavel Machek
0 siblings, 0 replies; 6+ messages in thread
From: Pavel Machek @ 2009-10-10 13:27 UTC (permalink / raw
To: Jan Beulich; +Cc: mingo, tglx, linux-kernel, hpa
On Thu 2009-10-08 12:41:27, Jan Beulich wrote:
> >>> Pavel Machek <pavel@ucw.cz> 07.10.09 11:44 >>>
> >How can userspace "temporarily switch itself" to 64bit mode?
>
> By just determining (or guessing) the 64-bit user mode CS value, and far-
> jumping/calling to an address with this CS as the selector.
>
> >Such ability would lead to very interesting behaviour on 32-bit
> >kernel, I'd say...
>
> That won't work - you have to have a 64-bit kernel: EFER.LME and the L
> bit of some user mode code segment descriptor must be set (or settable).
>
> Consequently a 64-bit kernel could, if it wanted to, make it impossible for
> user mode code to do such switching (and an example of this, where
> security requires it, is 64-bit Xen disallowing 32-bit para-virtual guests
> [kernel or user mode] to switch themselves into 64-bit mode).
I guess we should do just that -- 32-bit application temporary going
64-bit is asking for trouble. How will attached gdb behave? What if I
try the same code on 32-bit machine?
It seems only useful for malware...
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2009-10-10 13:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-30 10:22 [PATCH] x86-64: don't leak kernel register values to 32-bit processes Jan Beulich
2009-10-01 9:59 ` [tip:x86/urgent] x86: Don't leak 64-bit " tip-bot for Jan Beulich
2009-10-07 9:44 ` [PATCH] x86-64: don't leak " Pavel Machek
2009-10-08 11:41 ` Jan Beulich
2009-10-10 13:27 ` Pavel Machek
2009-10-08 18:58 ` H. Peter Anvin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).