1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
From 49f77602373b58b7bbdb40cea2b49d2f88d4003d Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 27 Feb 2024 14:12:11 +0100
Subject: [PATCH 23/67] x86: account for shadow stack in exception-from-stub
recovery
Dealing with exceptions raised from within emulation stubs involves
discarding return address (replaced by exception related information).
Such discarding of course also requires removing the corresponding entry
from the shadow stack.
Also amend the comment in fixup_exception_return(), to further clarify
why use of ptr[1] can't be an out-of-bounds access.
This is CVE-2023-46841 / XSA-451.
Fixes: 209fb9919b50 ("x86/extable: Adjust extable handling to be shadow stack compatible")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 91f5f7a9154919a765c3933521760acffeddbf28
master date: 2024-02-27 13:49:22 +0100
---
xen/arch/x86/extable.c | 20 ++++++----
xen/arch/x86/include/asm/uaccess.h | 3 +-
xen/arch/x86/traps.c | 63 +++++++++++++++++++++++++++---
3 files changed, 71 insertions(+), 15 deletions(-)
diff --git a/xen/arch/x86/extable.c b/xen/arch/x86/extable.c
index 6758ba1dca..dd9583f2a5 100644
--- a/xen/arch/x86/extable.c
+++ b/xen/arch/x86/extable.c
@@ -86,26 +86,29 @@ search_one_extable(const struct exception_table_entry *first,
}
unsigned long
-search_exception_table(const struct cpu_user_regs *regs)
+search_exception_table(const struct cpu_user_regs *regs, unsigned long *stub_ra)
{
const struct virtual_region *region = find_text_region(regs->rip);
unsigned long stub = this_cpu(stubs.addr);
if ( region && region->ex )
+ {
+ *stub_ra = 0;
return search_one_extable(region->ex, region->ex_end, regs->rip);
+ }
if ( regs->rip >= stub + STUB_BUF_SIZE / 2 &&
regs->rip < stub + STUB_BUF_SIZE &&
regs->rsp > (unsigned long)regs &&
regs->rsp < (unsigned long)get_cpu_info() )
{
- unsigned long retptr = *(unsigned long *)regs->rsp;
+ unsigned long retaddr = *(unsigned long *)regs->rsp, fixup;
- region = find_text_region(retptr);
- retptr = region && region->ex
- ? search_one_extable(region->ex, region->ex_end, retptr)
- : 0;
- if ( retptr )
+ region = find_text_region(retaddr);
+ fixup = region && region->ex
+ ? search_one_extable(region->ex, region->ex_end, retaddr)
+ : 0;
+ if ( fixup )
{
/*
* Put trap number and error code on the stack (in place of the
@@ -117,7 +120,8 @@ search_exception_table(const struct cpu_user_regs *regs)
};
*(unsigned long *)regs->rsp = token.raw;
- return retptr;
+ *stub_ra = retaddr;
+ return fixup;
}
}
diff --git a/xen/arch/x86/include/asm/uaccess.h b/xen/arch/x86/include/asm/uaccess.h
index 684fccd95c..74bb222c03 100644
--- a/xen/arch/x86/include/asm/uaccess.h
+++ b/xen/arch/x86/include/asm/uaccess.h
@@ -421,7 +421,8 @@ union stub_exception_token {
unsigned long raw;
};
-extern unsigned long search_exception_table(const struct cpu_user_regs *regs);
+extern unsigned long search_exception_table(const struct cpu_user_regs *regs,
+ unsigned long *stub_ra);
extern void sort_exception_tables(void);
extern void sort_exception_table(struct exception_table_entry *start,
const struct exception_table_entry *stop);
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 06c4f3868b..7599bee361 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -856,7 +856,7 @@ void do_unhandled_trap(struct cpu_user_regs *regs)
}
static void fixup_exception_return(struct cpu_user_regs *regs,
- unsigned long fixup)
+ unsigned long fixup, unsigned long stub_ra)
{
if ( IS_ENABLED(CONFIG_XEN_SHSTK) )
{
@@ -873,7 +873,8 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
/*
* Search for %rip. The shstk currently looks like this:
*
- * ... [Likely pointed to by SSP]
+ * tok [Supervisor token, == &tok | BUSY, only with FRED inactive]
+ * ... [Pointed to by SSP for most exceptions, empty in IST cases]
* %cs [== regs->cs]
* %rip [== regs->rip]
* SSP [Likely points to 3 slots higher, above %cs]
@@ -891,7 +892,56 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
*/
if ( ptr[0] == regs->rip && ptr[1] == regs->cs )
{
+ unsigned long primary_shstk =
+ (ssp & ~(STACK_SIZE - 1)) +
+ (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8;
+
wrss(fixup, ptr);
+
+ if ( !stub_ra )
+ goto shstk_done;
+
+ /*
+ * Stub recovery ought to happen only when the outer context
+ * was on the main shadow stack. We need to also "pop" the
+ * stub's return address from the interrupted context's shadow
+ * stack. That is,
+ * - if we're still on the main stack, we need to move the
+ * entire stack (up to and including the exception frame)
+ * up by one slot, incrementing the original SSP in the
+ * exception frame,
+ * - if we're on an IST stack, we need to increment the
+ * original SSP.
+ */
+ BUG_ON((ptr[-1] ^ primary_shstk) >> PAGE_SHIFT);
+
+ if ( (ssp ^ primary_shstk) >> PAGE_SHIFT )
+ {
+ /*
+ * We're on an IST stack. First make sure the two return
+ * addresses actually match. Then increment the interrupted
+ * context's SSP.
+ */
+ BUG_ON(stub_ra != *(unsigned long*)ptr[-1]);
+ wrss(ptr[-1] + 8, &ptr[-1]);
+ goto shstk_done;
+ }
+
+ /* Make sure the two return addresses actually match. */
+ BUG_ON(stub_ra != ptr[2]);
+
+ /* Move exception frame, updating SSP there. */
+ wrss(ptr[1], &ptr[2]); /* %cs */
+ wrss(ptr[0], &ptr[1]); /* %rip */
+ wrss(ptr[-1] + 8, &ptr[0]); /* SSP */
+
+ /* Move all newer entries. */
+ while ( --ptr != _p(ssp) )
+ wrss(ptr[-1], &ptr[0]);
+
+ /* Finally account for our own stack having shifted up. */
+ asm volatile ( "incsspd %0" :: "r" (2) );
+
goto shstk_done;
}
}
@@ -912,7 +962,8 @@ static void fixup_exception_return(struct cpu_user_regs *regs,
static bool extable_fixup(struct cpu_user_regs *regs, bool print)
{
- unsigned long fixup = search_exception_table(regs);
+ unsigned long stub_ra = 0;
+ unsigned long fixup = search_exception_table(regs, &stub_ra);
if ( unlikely(fixup == 0) )
return false;
@@ -926,7 +977,7 @@ static bool extable_fixup(struct cpu_user_regs *regs, bool print)
vector_name(regs->entry_vector), regs->error_code,
_p(regs->rip), _p(regs->rip), _p(fixup));
- fixup_exception_return(regs, fixup);
+ fixup_exception_return(regs, fixup, stub_ra);
this_cpu(last_extable_addr) = regs->rip;
return true;
@@ -1214,7 +1265,7 @@ void do_invalid_op(struct cpu_user_regs *regs)
void (*fn)(struct cpu_user_regs *) = bug_ptr(bug);
fn(regs);
- fixup_exception_return(regs, (unsigned long)eip);
+ fixup_exception_return(regs, (unsigned long)eip, 0);
return;
}
@@ -1235,7 +1286,7 @@ void do_invalid_op(struct cpu_user_regs *regs)
case BUGFRAME_warn:
printk("Xen WARN at %s%s:%d\n", prefix, filename, lineno);
show_execution_state(regs);
- fixup_exception_return(regs, (unsigned long)eip);
+ fixup_exception_return(regs, (unsigned long)eip, 0);
return;
case BUGFRAME_bug:
--
2.44.0
|
GitWeb