x86/sev-es: Use __put_user()/__get_user() for data accesses
The put_user() and get_user() functions do checks on the address which is passed to them. They check whether the address is actually a user-space address and whether its fine to access it. They also call might_fault() to indicate that they could fault and possibly sleep. All of these checks are neither wanted nor needed in the #VC exception handler, which can be invoked from almost any context and also for MMIO instructions from kernel space on kernel memory. All the #VC handler wants to know is whether a fault happened when the access was tried. This is provided by __put_user()/__get_user(), which just do the access no matter what. Also add comments explaining why __get_user() and __put_user() are the best choice here and why it is safe to use them in this context. Also explain why copy_to/from_user can't be used. In addition, also revert commit 7024f60d6552 ("x86/sev-es: Handle string port IO to kernel memory properly") because using __get_user()/__put_user() fixes the same problem while the above commit introduced several problems: 1) It uses access_ok() which is only allowed in task context. 2) It uses memcpy() which has no fault handling at all and is thus unsafe to use here. [ bp: Fix up commit ID of the reverted commit above. ] Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image") Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Cc: stable@vger.kernel.org # v5.10+ Link: https://lkml.kernel.org/r/20210519135251.30093-4-joro@8bytes.org
This commit is contained in:
parent
c25bbdb564
commit
4954f5b8ef
@ -315,31 +315,44 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
|
||||
u16 d2;
|
||||
u8 d1;
|
||||
|
||||
/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
|
||||
if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
|
||||
memcpy(dst, buf, size);
|
||||
return ES_OK;
|
||||
}
|
||||
|
||||
/*
|
||||
* This function uses __put_user() independent of whether kernel or user
|
||||
* memory is accessed. This works fine because __put_user() does no
|
||||
* sanity checks of the pointer being accessed. All that it does is
|
||||
* to report when the access failed.
|
||||
*
|
||||
* Also, this function runs in atomic context, so __put_user() is not
|
||||
* allowed to sleep. The page-fault handler detects that it is running
|
||||
* in atomic context and will not try to take mmap_sem and handle the
|
||||
* fault, so additional pagefault_enable()/disable() calls are not
|
||||
* needed.
|
||||
*
|
||||
* The access can't be done via copy_to_user() here because
|
||||
* vc_write_mem() must not use string instructions to access unsafe
|
||||
* memory. The reason is that MOVS is emulated by the #VC handler by
|
||||
* splitting the move up into a read and a write and taking a nested #VC
|
||||
* exception on whatever of them is the MMIO access. Using string
|
||||
* instructions here would cause infinite nesting.
|
||||
*/
|
||||
switch (size) {
|
||||
case 1:
|
||||
memcpy(&d1, buf, 1);
|
||||
if (put_user(d1, target))
|
||||
if (__put_user(d1, target))
|
||||
goto fault;
|
||||
break;
|
||||
case 2:
|
||||
memcpy(&d2, buf, 2);
|
||||
if (put_user(d2, target))
|
||||
if (__put_user(d2, target))
|
||||
goto fault;
|
||||
break;
|
||||
case 4:
|
||||
memcpy(&d4, buf, 4);
|
||||
if (put_user(d4, target))
|
||||
if (__put_user(d4, target))
|
||||
goto fault;
|
||||
break;
|
||||
case 8:
|
||||
memcpy(&d8, buf, 8);
|
||||
if (put_user(d8, target))
|
||||
if (__put_user(d8, target))
|
||||
goto fault;
|
||||
break;
|
||||
default:
|
||||
@ -370,30 +383,43 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
|
||||
u16 d2;
|
||||
u8 d1;
|
||||
|
||||
/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
|
||||
if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
|
||||
memcpy(buf, src, size);
|
||||
return ES_OK;
|
||||
}
|
||||
|
||||
/*
|
||||
* This function uses __get_user() independent of whether kernel or user
|
||||
* memory is accessed. This works fine because __get_user() does no
|
||||
* sanity checks of the pointer being accessed. All that it does is
|
||||
* to report when the access failed.
|
||||
*
|
||||
* Also, this function runs in atomic context, so __get_user() is not
|
||||
* allowed to sleep. The page-fault handler detects that it is running
|
||||
* in atomic context and will not try to take mmap_sem and handle the
|
||||
* fault, so additional pagefault_enable()/disable() calls are not
|
||||
* needed.
|
||||
*
|
||||
* The access can't be done via copy_from_user() here because
|
||||
* vc_read_mem() must not use string instructions to access unsafe
|
||||
* memory. The reason is that MOVS is emulated by the #VC handler by
|
||||
* splitting the move up into a read and a write and taking a nested #VC
|
||||
* exception on whatever of them is the MMIO access. Using string
|
||||
* instructions here would cause infinite nesting.
|
||||
*/
|
||||
switch (size) {
|
||||
case 1:
|
||||
if (get_user(d1, s))
|
||||
if (__get_user(d1, s))
|
||||
goto fault;
|
||||
memcpy(buf, &d1, 1);
|
||||
break;
|
||||
case 2:
|
||||
if (get_user(d2, s))
|
||||
if (__get_user(d2, s))
|
||||
goto fault;
|
||||
memcpy(buf, &d2, 2);
|
||||
break;
|
||||
case 4:
|
||||
if (get_user(d4, s))
|
||||
if (__get_user(d4, s))
|
||||
goto fault;
|
||||
memcpy(buf, &d4, 4);
|
||||
break;
|
||||
case 8:
|
||||
if (get_user(d8, s))
|
||||
if (__get_user(d8, s))
|
||||
goto fault;
|
||||
memcpy(buf, &d8, 8);
|
||||
break;
|
||||
|
Loading…
x
Reference in New Issue
Block a user