On Thu, Nov 29, 2018 at 05:37:39AM -0800, Andy Lutomirski wrote:
>
>
> > On Nov 29, 2018, at 1:42 AM, Peter Zijlstra <pet...@infradead.org> wrote:
> >
> > On Wed, Nov 28, 2018 at 10:05:54PM -0800, Andy Lutomirski wrote:
> >
> >>>> +static void static_call_bp_handler(struct pt_regs *regs, void *_data)
> >>>> +{
> >>>> + struct static_call_bp_data *data = _data;
> >>>> +
> >>>> + /*
> >>>> + * For inline static calls, push the return address on the stack so
> >>>> the
> >>>> + * "called" function will return to the location immediately after
> >>>> the
> >>>> + * call site.
> >>>> + *
> >>>> + * NOTE: This code will need to be revisited when kernel CET gets
> >>>> + * implemented.
> >>>> + */
> >>>> + if (data->ret) {
> >>>> + regs->sp -= sizeof(long);
> >>>> + *(unsigned long *)regs->sp = data->ret;
> >>>> + }
> >>
> >> You can’t do this. Depending on the alignment of the old RSP, which
> >> is not guaranteed, this overwrites regs->cs. IRET goes boom.
> >
> > I don't get it; can you spell that out?
> >
> > The way I understand it is that we're at a location where a "E8 - Near
> > CALL" instruction should be, and thus RSP should be the regular kernel
> > stack, and the above simply does "PUSH ret", which is what that CALL
> > would've done too.
> >
>
> int3 isn’t IST anymore, so the int3 instruction conditionally
> subtracts 8 from RSP and then pushes SS, etc. So my email was
> obviously wrong wrt “cs”, but you’re still potentially overwriting the
> int3 IRET frame.
ARGH!..
can't we 'fix' that again? The alternative is moving that IRET-frame and
fixing everything up, which is going to be fragile, ugly and such
things more.
Commit d8ba61ba58c8 ("x86/entry/64: Don't use IST entry for #BP stack")
doesn't list any strong reasons for why it should NOT be an IST.
