[PATCH v8 11/14] x86/vsyscall/64: Fixup shadow stack and branch tracking for vsyscall

[PATCH v8 00/14] Control-flow Enforcement: Branch Tracking, PTRACE · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 01/14] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 02/14] x86/cet/ibt: User-mode indirect branch tracking support · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 10/14] x86/vsyscall/64: Add ENDBR64 to vsyscall entry points · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 09/14] x86/vdso/32: Add ENDBR32 to __kernel_vsyscall entry point · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 14/14] Introduce arch_prctl(ARCH_X86_CET_MARK_LEGACY_CODE) · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 08/14] x86/vdso: Insert endbr32/endbr64 to vDSO · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 04/14] mm/mmap: Add IBT bitmap size to address space limit check · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 12/14] x86/cet: Add PTRACE interface for CET · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 11/14] x86/vsyscall/64: Fixup shadow stack and branch tracking for vsyscall · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 13/14] x86: Discard .note.gnu.property sections · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 07/14] x86/cet/ibt: Add ENDBR to op-code-map · Yu-cheng Yu <hidden> · 2019-08-13
Re: [PATCH v8 07/14] x86/cet/ibt: Add ENDBR to op-code-map · Adrian Hunter <adrian.hunter@intel.com> · 2019-11-08
[PATCH v8 06/14] x86/cet/ibt: Add arch_prctl functions for IBT · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 05/14] x86/cet/ibt: ELF header parsing for IBT · Yu-cheng Yu <hidden> · 2019-08-13
[PATCH v8 03/14] x86/cet/ibt: Handle signals for end branch · Yu-cheng Yu <hidden> · 2019-08-13

From: Yu-cheng Yu <hidden>
Date: 2019-08-13 21:04:19
Also in: linux-arch, linux-doc, linux-mm, lkml
Subsystem: the rest, x86 architecture (32-bit and 64-bit), x86 entry code · Maintainers: Linus Torvalds, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski

When emulating a RET, also unwind the task's shadow stack and cancel
the current branch tracking status.

Signed-off-by: Yu-cheng Yu <redacted>
---
 arch/x86/entry/vsyscall/vsyscall_64.c    | 29 ++++++++++++++++++++++++
 arch/x86/entry/vsyscall/vsyscall_trace.h |  1 +
 2 files changed, 30 insertions(+)

diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
index e7c596dea947..27ff81f75c82 100644
--- a/arch/x86/entry/vsyscall/vsyscall_64.c
+++ b/arch/x86/entry/vsyscall/vsyscall_64.c

@@ -38,6 +38,9 @@
 #include <asm/fixmap.h>
 #include <asm/traps.h>
 #include <asm/paravirt.h>
+#include <asm/fpu/xstate.h>
+#include <asm/fpu/types.h>
+#include <asm/fpu/internal.h>
 
 #define CREATE_TRACE_POINTS
 #include "vsyscall_trace.h"

@@ -286,6 +289,32 @@ bool emulate_vsyscall(unsigned long error_code,
 	/* Emulate a ret instruction. */
 	regs->ip = caller;
 	regs->sp += 8;
+
+	/* Unwind shadow stack. */
+
+#ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER
+	if (current->thread.cet.shstk_enabled) {
+		u64 r;
+
+		modify_fpu_regs_begin();
+		rdmsrl(MSR_IA32_PL3_SSP, r);
+		wrmsrl(MSR_IA32_PL3_SSP, r + 8);
+		modify_fpu_regs_end();
+	}
+#endif
+
+	/* Fixup branch tracking */
+#ifdef CONFIG_X86_INTEL_BRANCH_TRACKING_USER
+	if (current->thread.cet.ibt_enabled) {
+		u64 r;
+
+		modify_fpu_regs_begin();
+		rdmsrl(MSR_IA32_U_CET, r);
+		wrmsrl(MSR_IA32_U_CET, r & ~MSR_IA32_CET_WAIT_ENDBR);
+		modify_fpu_regs_end();
+	}
+#endif
+
 	return true;
 
 sigsegv:

diff --git a/arch/x86/entry/vsyscall/vsyscall_trace.h b/arch/x86/entry/vsyscall/vsyscall_trace.h
index 3c3f9765a85c..7aa2101ada44 100644
--- a/arch/x86/entry/vsyscall/vsyscall_trace.h
+++ b/arch/x86/entry/vsyscall/vsyscall_trace.h

@@ -25,6 +25,7 @@ TRACE_EVENT(emulate_vsyscall,
 #endif
 
 #undef TRACE_INCLUDE_PATH
+#undef TRACE_INCLUDE_FILE
 #define TRACE_INCLUDE_PATH ../../arch/x86/entry/vsyscall/
 #define TRACE_INCLUDE_FILE vsyscall_trace
 #include <trace/define_trace.h>

-- 
2.17.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help