From: Jiri Olsa <jolsa@kernel.org>
To: Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
linux-api@vger.kernel.org, linux-man@vger.kernel.org,
x86@kernel.org, bpf@vger.kernel.org,
Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
"Borislav Petkov (AMD)" <bp@alien8.de>,
Ingo Molnar <mingo@redhat.com>, Andy Lutomirski <luto@kernel.org>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
Deepak Gupta <debug@rivosinc.com>
Subject: [PATCHv5 bpf-next 6/8] x86/shstk: Add return uprobe support
Date: Tue, 7 May 2024 12:53:19 +0200 [thread overview]
Message-ID: <20240507105321.71524-7-jolsa@kernel.org> (raw)
In-Reply-To: <20240507105321.71524-1-jolsa@kernel.org>
Adding return uprobe support to work with enabled shadow stack.
Currently the application with enabled shadow stack will crash
if it sets up return uprobe. The reason is the uretprobe kernel
code changes the user space task's stack, but does not update
shadow stack accordingly.
Adding new functions to update values on shadow stack and using
them in uprobe code to keep shadow stack in sync with uretprobe
changes to user stack.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
arch/x86/include/asm/shstk.h | 4 ++++
arch/x86/kernel/shstk.c | 29 +++++++++++++++++++++++++++++
arch/x86/kernel/uprobes.c | 12 +++++++++++-
3 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h
index 42fee8959df7..2e1ddcf98242 100644
--- a/arch/x86/include/asm/shstk.h
+++ b/arch/x86/include/asm/shstk.h
@@ -21,6 +21,8 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *p, unsigned long clon
void shstk_free(struct task_struct *p);
int setup_signal_shadow_stack(struct ksignal *ksig);
int restore_signal_shadow_stack(void);
+int shstk_update_last_frame(unsigned long val);
+int shstk_push_frame(unsigned long val);
#else
static inline long shstk_prctl(struct task_struct *task, int option,
unsigned long arg2) { return -EINVAL; }
@@ -31,6 +33,8 @@ static inline unsigned long shstk_alloc_thread_stack(struct task_struct *p,
static inline void shstk_free(struct task_struct *p) {}
static inline int setup_signal_shadow_stack(struct ksignal *ksig) { return 0; }
static inline int restore_signal_shadow_stack(void) { return 0; }
+static inline int shstk_update_last_frame(unsigned long val) { return 0; }
+static inline int shstk_push_frame(unsigned long val) { return 0; }
#endif /* CONFIG_X86_USER_SHADOW_STACK */
#endif /* __ASSEMBLY__ */
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 59e15dd8d0f8..66434dfde52e 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -577,3 +577,32 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long arg2)
return wrss_control(true);
return -EINVAL;
}
+
+int shstk_update_last_frame(unsigned long val)
+{
+ unsigned long ssp;
+
+ if (!features_enabled(ARCH_SHSTK_SHSTK))
+ return 0;
+
+ ssp = get_user_shstk_addr();
+ return write_user_shstk_64((u64 __user *)ssp, (u64)val);
+}
+
+int shstk_push_frame(unsigned long val)
+{
+ unsigned long ssp;
+
+ if (!features_enabled(ARCH_SHSTK_SHSTK))
+ return 0;
+
+ ssp = get_user_shstk_addr();
+ ssp -= SS_FRAME_SIZE;
+ if (write_user_shstk_64((u64 __user *)ssp, (u64)val))
+ return -EFAULT;
+
+ fpregs_lock_and_load();
+ wrmsrl(MSR_IA32_PL3_SSP, ssp);
+ fpregs_unlock();
+ return 0;
+}
diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 81e6ee95784d..ae6c3458a675 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -406,6 +406,11 @@ SYSCALL_DEFINE0(uretprobe)
* trampoline's ret instruction
*/
r11_cx_ax[2] = regs->ip;
+
+ /* make the shadow stack follow that */
+ if (shstk_push_frame(regs->ip))
+ goto sigill;
+
regs->ip = ip;
err = copy_to_user((void __user *)regs->sp, r11_cx_ax, sizeof(r11_cx_ax));
@@ -1191,8 +1196,13 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs
return orig_ret_vaddr;
nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
- if (likely(!nleft))
+ if (likely(!nleft)) {
+ if (shstk_update_last_frame(trampoline_vaddr)) {
+ force_sig(SIGSEGV);
+ return -1;
+ }
return orig_ret_vaddr;
+ }
if (nleft != rasize) {
pr_err("return address clobbered: pid=%d, %%sp=%#lx, %%ip=%#lx\n",
--
2.44.0
next prev parent reply other threads:[~2024-05-07 10:54 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-07 10:53 [PATCHv5 bpf-next 0/8] uprobe: uretprobe speed up Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 1/8] uprobe: Wire up uretprobe system call Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 2/8] uprobe: Add uretprobe syscall to speed up return probe Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 3/8] selftests/bpf: Add uretprobe syscall test for regs integrity Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 4/8] selftests/bpf: Add uretprobe syscall test for regs changes Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 5/8] selftests/bpf: Add uretprobe syscall call from user space test Jiri Olsa
2024-05-07 16:57 ` Andrii Nakryiko
2024-05-07 10:53 ` Jiri Olsa [this message]
2024-05-07 17:35 ` [PATCHv5 bpf-next 6/8] x86/shstk: Add return uprobe support Edgecombe, Rick P
2024-05-09 8:30 ` Jiri Olsa
2024-05-09 16:24 ` Edgecombe, Rick P
2024-05-11 21:09 ` Jiri Olsa
2024-05-13 9:50 ` Masami Hiramatsu
2024-05-13 17:12 ` Edgecombe, Rick P
2024-05-13 21:23 ` Jiri Olsa
2024-05-15 1:10 ` Edgecombe, Rick P
2024-05-15 1:44 ` Deepak Gupta
2024-05-15 11:19 ` Oleg Nesterov
2024-05-15 14:36 ` Jiri Olsa
2024-05-15 15:18 ` Edgecombe, Rick P
2024-05-15 15:26 ` Oleg Nesterov
2024-05-15 15:31 ` Edgecombe, Rick P
2024-05-15 11:35 ` Oleg Nesterov
2024-05-15 15:13 ` Edgecombe, Rick P
2024-05-15 15:42 ` Oleg Nesterov
2024-05-19 22:18 ` Jiri Olsa
2024-05-21 1:31 ` Edgecombe, Rick P
2024-05-21 10:11 ` Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 bpf-next 7/8] selftests/x86: Add return uprobe shadow stack test Jiri Olsa
2024-05-13 9:45 ` Masami Hiramatsu
2024-05-13 21:28 ` Jiri Olsa
2024-05-07 10:53 ` [PATCHv5 8/8] man2: Add uretprobe syscall page Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240507105321.71524-7-jolsa@kernel.org \
--to=jolsa@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=debug@rivosinc.com \
--cc=john.fastabend@gmail.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rostedt@goodmis.org \
--cc=songliubraving@fb.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).