Skip to content

Commit

Permalink
x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
Browse files Browse the repository at this point in the history 
We have a tricky bug in the nested NMI code: if we see RSP
pointing to the NMI stack on NMI entry from kernel mode, we
assume that we are executing a nested NMI.

This isn't quite true.  A malicious userspace program can point
RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
happen while RSP is still pointing at the NMI stack.

Fix it with a sneaky trick.  Set DF in the region of code that
the RSP check is intended to detect.  IRET will clear DF
atomically.

( Note: other than paravirt, there's little need for all this
  complexity. We could check RIP instead of RSP. )

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
  • Loading branch information
@amluto
amluto authored and Ingo Molnar committed Jul 17, 2015
1 parent a27507c commit 810bc07
Showing 1 changed file with 25 additions and 4 deletions.
29 changes: 25 additions & 4 deletions arch/x86/entry/entry_64.S
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1388,7 +1388,14 @@ ENTRY(nmi)
/*
* Now test if the previous stack was an NMI stack. This covers
* the case where we interrupt an outer NMI after it clears
* "NMI executing" but before IRET.
* "NMI executing" but before IRET. We need to be careful, though:
* there is one case in which RSP could point to the NMI stack
* despite there being no NMI active: naughty userspace controls
* RSP at the very beginning of the SYSCALL targets. We can
* pull a fast one on naughty userspace, though: we program
* SYSCALL to mask DF, so userspace cannot cause DF to be set
* if it controls the kernel's RSP. We set DF before we clear
* "NMI executing".
*/
lea 6*8(%rsp), %rdx
/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
Expand All @@ -1400,7 +1407,13 @@ ENTRY(nmi)
cmpq %rdx, 4*8(%rsp)
/* If it is below the NMI stack, it is a normal NMI */
jb first_nmi
/* Ah, it is within the NMI stack, treat it as nested */

/* Ah, it is within the NMI stack. */

testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
jz first_nmi /* RSP was user controlled. */

/* This is a nested NMI. */

nested_nmi:
/*
Expand Down Expand Up @@ -1506,8 +1519,16 @@ nmi_restore:
/* Point RSP at the "iret" frame. */
REMOVE_PT_GPREGS_FROM_STACK 6*8

/* Clear "NMI executing". */
movq $0, 5*8(%rsp)
/*
* Clear "NMI executing". Set DF first so that we can easily
* distinguish the remaining code between here and IRET from
* the SYSCALL entry and exit paths. On a native kernel, we
* could just inspect RIP, but, on paravirt kernels,
* INTERRUPT_RETURN can translate into a jump into a
* hypercall page.
*/
std
movq $0, 5*8(%rsp) /* clear "NMI executing" */

/*
* INTERRUPT_RETURN reads the "iret" frame and exits the NMI
Expand Down

0 comments on commit 810bc07

Please sign in to comment.