summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Zijlstra <peterz@infradead.org>2022-03-26 11:27:28 +0900
committerAlexei Starovoitov <ast@kernel.org>2022-03-28 19:38:51 -0700
commit0ef6f5c09371f17e142814e6996d6dfb8741925b (patch)
tree9a6b91596cc347a1438f4ce1db96200a5f2c1f08
parentf3a112c0c40dd96d53c8bdf3ea8d94d528f3b7b8 (diff)
x86,rethook: Fix arch_rethook_trampoline() to generate a complete pt_regs
Currently arch_rethook_trampoline() generates an almost complete pt_regs on-stack, everything except regs->ss that is, that currently points to the fake return address, which is not a valid segment descriptor. Since interpretation of regs->[sb]p should be done in the context of regs->ss, and we have code actually doing that (see arch/x86/lib/insn-eval.c for instance), complete the job by also pushing ss. This ensures that anybody who does do look at regs->ss doesn't mysteriously malfunction, avoiding much future pain. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org> Link: https://lore.kernel.org/bpf/164826164851.2455864.17272661073069737350.stgit@devnote2
-rw-r--r--arch/x86/kernel/rethook.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/arch/x86/kernel/rethook.c b/arch/x86/kernel/rethook.c
index af7e6713a07a..8a1c0111ae79 100644
--- a/arch/x86/kernel/rethook.c
+++ b/arch/x86/kernel/rethook.c
@@ -29,29 +29,31 @@ asm(
/* Push a fake return address to tell the unwinder it's a rethook. */
" pushq $arch_rethook_trampoline\n"
UNWIND_HINT_FUNC
- /* Save the 'sp - 8', this will be fixed later. */
+ " pushq $" __stringify(__KERNEL_DS) "\n"
+ /* Save the 'sp - 16', this will be fixed later. */
" pushq %rsp\n"
" pushfq\n"
SAVE_REGS_STRING
" movq %rsp, %rdi\n"
" call arch_rethook_trampoline_callback\n"
RESTORE_REGS_STRING
- /* In the callback function, 'regs->flags' is copied to 'regs->sp'. */
- " addq $8, %rsp\n"
+ /* In the callback function, 'regs->flags' is copied to 'regs->ss'. */
+ " addq $16, %rsp\n"
" popfq\n"
#else
/* Push a fake return address to tell the unwinder it's a rethook. */
" pushl $arch_rethook_trampoline\n"
UNWIND_HINT_FUNC
- /* Save the 'sp - 4', this will be fixed later. */
+ " pushl %ss\n"
+ /* Save the 'sp - 8', this will be fixed later. */
" pushl %esp\n"
" pushfl\n"
SAVE_REGS_STRING
" movl %esp, %eax\n"
" call arch_rethook_trampoline_callback\n"
RESTORE_REGS_STRING
- /* In the callback function, 'regs->flags' is copied to 'regs->sp'. */
- " addl $4, %esp\n"
+ /* In the callback function, 'regs->flags' is copied to 'regs->ss'. */
+ " addl $8, %esp\n"
" popfl\n"
#endif
ASM_RET
@@ -73,8 +75,8 @@ __used __visible void arch_rethook_trampoline_callback(struct pt_regs *regs)
#endif
regs->ip = (unsigned long)&arch_rethook_trampoline;
regs->orig_ax = ~0UL;
- regs->sp += sizeof(long);
- frame_pointer = &regs->sp + 1;
+ regs->sp += 2*sizeof(long);
+ frame_pointer = (long *)(regs + 1);
/*
* The return address at 'frame_pointer' is recovered by the
@@ -84,10 +86,10 @@ __used __visible void arch_rethook_trampoline_callback(struct pt_regs *regs)
rethook_trampoline_handler(regs, (unsigned long)frame_pointer);
/*
- * Copy FLAGS to 'pt_regs::sp' so that arch_rethook_trapmoline()
+ * Copy FLAGS to 'pt_regs::ss' so that arch_rethook_trapmoline()
* can do RET right after POPF.
*/
- regs->sp = regs->flags;
+ *(unsigned long *)&regs->ss = regs->flags;
}
NOKPROBE_SYMBOL(arch_rethook_trampoline_callback);
@@ -105,7 +107,7 @@ STACK_FRAME_NON_STANDARD_FP(arch_rethook_trampoline);
void arch_rethook_fixup_return(struct pt_regs *regs,
unsigned long correct_ret_addr)
{
- unsigned long *frame_pointer = &regs->sp + 1;
+ unsigned long *frame_pointer = (void *)(regs + 1);
/* Replace fake return address with real one. */
*frame_pointer = correct_ret_addr;