[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v8 2/7] x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP



On 09/05/14 06:34, Feng Wu wrote:
> Clear AC bit in RFLAGS at the beginning of exception, interrupt, hypercall,
> so Xen itself can be protected by SMAP mechanism. This patch also sets AC
> bit at the beginning of double_fault and fatal_trap() to reduce the likelihood
> of taking a further fault while trying to dump state.
>
> Signed-off-by: Feng Wu <feng.wu@xxxxxxxxx>

Much nicer with MSR_SYSCALL_MASK!



> ---
>  xen/arch/x86/acpi/suspend.c        |  5 +----
>  xen/arch/x86/boot/x86_64.S         |  2 +-
>  xen/arch/x86/traps.c               |  3 +++
>  xen/arch/x86/x86_64/compat/entry.S |  1 +
>  xen/arch/x86/x86_64/entry.S        | 13 ++++++++-----
>  xen/arch/x86/x86_64/traps.c        |  5 +----
>  xen/include/asm-x86/asm_defns.h    |  7 ++++++-
>  xen/include/asm-x86/processor.h    |  4 ++++
>  8 files changed, 25 insertions(+), 15 deletions(-)
>
> diff --git a/xen/arch/x86/acpi/suspend.c b/xen/arch/x86/acpi/suspend.c
> index a373e9a..1d8344c 100644
> --- a/xen/arch/x86/acpi/suspend.c
> +++ b/xen/arch/x86/acpi/suspend.c
> @@ -56,10 +56,7 @@ void restore_rest_processor_state(void)
>      wrmsrl(MSR_LSTAR, saved_lstar);
>      wrmsrl(MSR_CSTAR, saved_cstar);
>      wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
> -    wrmsr(MSR_SYSCALL_MASK,
> -          X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
> -          X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
> -          0U);
> +    wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
>  
>      wrfsbase(saved_fs_base);
>      wrgsbase(saved_gs_base);
> diff --git a/xen/arch/x86/boot/x86_64.S b/xen/arch/x86/boot/x86_64.S
> index 22645d6..67dfef9 100644
> --- a/xen/arch/x86/boot/x86_64.S
> +++ b/xen/arch/x86/boot/x86_64.S
> @@ -60,7 +60,7 @@ start_bsp:
>  
>  /* This is the default interrupt handler. */
>  ignore_int:
> -        SAVE_ALL
> +        SAVE_ALL CLAC
>          movq    %cr2,%rsi
>          leaq    int_msg(%rip),%rdi
>          xorl    %eax,%eax
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index 5d27581..ac68a85 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -401,6 +401,9 @@ void fatal_trap(int trapnr, struct cpu_user_regs *regs)
>  {
>      static DEFINE_PER_CPU(char, depth);
>  
> +    /* Set AC to reduce chance of further SMAP faults */
> +    stac();
> +
>      /*
>       * In some cases, we can end up in a vicious cycle of fatal_trap()s
>       * within fatal_trap()s. We give the problem a couple of iterations to
> diff --git a/xen/arch/x86/x86_64/compat/entry.S 
> b/xen/arch/x86/x86_64/compat/entry.S
> index 32b3bcc..ac594c9 100644
> --- a/xen/arch/x86/x86_64/compat/entry.S
> +++ b/xen/arch/x86/x86_64/compat/entry.S
> @@ -13,6 +13,7 @@
>  #include <irq_vectors.h>
>  
>  ENTRY(compat_hypercall)
> +        ASM_CLAC
>          pushq $0
>          SAVE_VOLATILE type=TRAP_syscall compat=1
>  
> diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
> index 1c81852..50b1058 100644
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -273,6 +273,7 @@ ENTRY(sysenter_entry)
>          pushq $0
>          pushfq
>  GLOBAL(sysenter_eflags_saved)
> +        ASM_CLAC
>          pushq $3 /* ring 3 null cs */
>          pushq $0 /* null rip */
>          pushq $0
> @@ -309,6 +310,7 @@ UNLIKELY_END(sysenter_gpf)
>          jmp   .Lbounce_exception
>  
>  ENTRY(int80_direct_trap)
> +        ASM_CLAC
>          pushq $0
>          SAVE_VOLATILE 0x80
>  
> @@ -466,7 +468,7 @@ ENTRY(dom_crash_sync_extable)
>          jmp   asm_domain_crash_synchronous /* Does not return */
>  
>  ENTRY(common_interrupt)
> -        SAVE_ALL
> +        SAVE_ALL CLAC
>          movq %rsp,%rdi
>          callq do_IRQ
>          jmp ret_from_intr
> @@ -485,7 +487,7 @@ ENTRY(page_fault)
>          movl  $TRAP_page_fault,4(%rsp)
>  /* No special register assumptions. */
>  GLOBAL(handle_exception)
> -        SAVE_ALL
> +        SAVE_ALL CLAC
>  handle_exception_saved:
>          testb $X86_EFLAGS_IF>>8,UREGS_eflags+1(%rsp)
>          jz    exception_with_ints_disabled
> @@ -614,7 +616,8 @@ ENTRY(spurious_interrupt_bug)
>  
>  ENTRY(double_fault)
>          movl  $TRAP_double_fault,4(%rsp)
> -        SAVE_ALL
> +        /* Set AC to reduce chance of further SMAP faults */
> +        SAVE_ALL STAC
>          movq  %rsp,%rdi
>          call  do_double_fault
>          ud2
> @@ -631,7 +634,7 @@ ENTRY(nmi)
>          pushq $0
>          movl  $TRAP_nmi,4(%rsp)
>  handle_ist_exception:
> -        SAVE_ALL
> +        SAVE_ALL CLAC
>          testb $3,UREGS_cs(%rsp)
>          jz    1f
>          /* Interrupted guest context. Copy the context to stack bottom. */
> @@ -667,7 +670,7 @@ handle_ist_exception:
>  ENTRY(nmi_crash)
>          pushq $0
>          movl $TRAP_nmi,4(%rsp)
> -        SAVE_ALL
> +        SAVE_ALL CLAC

This is also a terminal error path.  STAC instead please.

~Andrew

>          movq %rsp,%rdi
>          callq do_nmi_crash /* Does not return */
>          ud2
> diff --git a/xen/arch/x86/x86_64/traps.c b/xen/arch/x86/x86_64/traps.c
> index 90072c1..3a48478 100644
> --- a/xen/arch/x86/x86_64/traps.c
> +++ b/xen/arch/x86/x86_64/traps.c
> @@ -436,10 +436,7 @@ void __devinit subarch_percpu_traps_init(void)
>  
>      /* Common SYSCALL parameters. */
>      wrmsr(MSR_STAR, 0, (FLAT_RING3_CS32<<16) | __HYPERVISOR_CS);
> -    wrmsr(MSR_SYSCALL_MASK,
> -          X86_EFLAGS_VM|X86_EFLAGS_RF|X86_EFLAGS_NT|
> -          X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_TF,
> -          0U);
> +    wrmsr(MSR_SYSCALL_MASK, XEN_SYSCALL_MASK, 0U);
>  }
>  
>  void init_int80_direct_trap(struct vcpu *v)
> diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h
> index b75905a..db5d8f6 100644
> --- a/xen/include/asm-x86/asm_defns.h
> +++ b/xen/include/asm-x86/asm_defns.h
> @@ -190,7 +190,12 @@ static inline void stac(void)
>  #endif
>  
>  #ifdef __ASSEMBLY__
> -.macro SAVE_ALL
> +.macro SAVE_ALL op=0
> +.if \op == CLAC
> +        ASM_CLAC
> +.elseif \op == STAC
> +        ASM_STAC
> +.endif
>          addq  $-(UREGS_error_code-UREGS_r15), %rsp
>          cld
>          movq  %rdi,UREGS_rdi(%rsp)
> diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
> index 604f5b3..35b2433 100644
> --- a/xen/include/asm-x86/processor.h
> +++ b/xen/include/asm-x86/processor.h
> @@ -141,6 +141,10 @@
>  #define PFEC_page_paged     (1U<<5)
>  #define PFEC_page_shared    (1U<<6)
>  
> +#define XEN_SYSCALL_MASK (X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|    \
> +                          X86_EFLAGS_NT|X86_EFLAGS_DF|X86_EFLAGS_IF|    \
> +                          X86_EFLAGS_TF)
> +
>  #ifndef __ASSEMBLY__
>  
>  struct domain;


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.