Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

x86/entry/64: Return to userspace from the trampoline stack

By itself, this is useless.  It gives us the ability to run some final code
before exit that cannnot run on the kernel stack.  This could include a CR3
switch a la PAGE_TABLE_ISOLATION or some kernel stack erasing, for
example.  (Or even weird things like *changing* which kernel stack gets
used as an ASLR-strengthening mechanism.)

The SYSRET32 path is not covered yet.  It could be in the future or
we could just ignore it and force the slow path if needed.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Link: https://lkml.kernel.org/r/20171204150606.306546484@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Andy Lutomirski 7 years ago
parent
7f2590a110
commit
3e3b9293d3
1 changed files with 51 additions and 4 deletions
Split View Show Diff Stats
  1. 51 4
      arch/x86/entry/entry_64.S

+ 51 - 4
arch/x86/entry/entry_64.S
View File 

@@ -326,8 +326,24 @@ syscall_return_via_sysret:
 
 	popq	%rsi	/* skip rcx */
 
 	popq	%rdx
 
 	popq	%rsi
 
+
 
+	/*
 
+	 * Now all regs are restored except RSP and RDI.
 
+	 * Save old stack pointer and switch to trampoline stack.
 
+	 */
 
+	movq	%rsp, %rdi
 
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
 
+
 
+	pushq	RSP-RDI(%rdi)	/* RSP */
 
+	pushq	(%rdi)		/* RDI */
 
+
 
+	/*
 
+	 * We are on the trampoline stack.  All regs except RDI are live.
 
+	 * We can do future final exit work right here.
 
+	 */
 
+
 
 	popq	%rdi
 
-	movq	RSP-ORIG_RAX(%rsp), %rsp
 
+	popq	%rsp
 
 	USERGS_SYSRET64
 
 END(entry_SYSCALL_64)
 
 
@@ -630,10 +646,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
 
 	ud2
 
 1:
 
 #endif
 
-	SWAPGS
 
 	POP_EXTRA_REGS
 
-	POP_C_REGS
 
-	addq	$8, %rsp	/* skip regs->orig_ax */
 
+	popq	%r11
 
+	popq	%r10
 
+	popq	%r9
 
+	popq	%r8
 
+	popq	%rax
 
+	popq	%rcx
 
+	popq	%rdx
 
+	popq	%rsi
 
+
 
+	/*
 
+	 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
 
+	 * Save old stack pointer and switch to trampoline stack.
 
+	 */
 
+	movq	%rsp, %rdi
 
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
 
+
 
+	/* Copy the IRET frame to the trampoline stack. */
 
+	pushq	6*8(%rdi)	/* SS */
 
+	pushq	5*8(%rdi)	/* RSP */
 
+	pushq	4*8(%rdi)	/* EFLAGS */
 
+	pushq	3*8(%rdi)	/* CS */
 
+	pushq	2*8(%rdi)	/* RIP */
 
+
 
+	/* Push user RDI on the trampoline stack. */
 
+	pushq	(%rdi)
 
+
 
+	/*
 
+	 * We are on the trampoline stack.  All regs except RDI are live.
 
+	 * We can do future final exit work right here.
 
+	 */
 
+
 
+	/* Restore RDI. */
 
+	popq	%rdi
 
+	SWAPGS
 
 	INTERRUPT_RETURN