[PATCH] arm64: efi: Make runtime service wrapper more robust

Ard Biesheuvel ardb at kernel.org
Thu Dec 1 15:52:24 PST 2022


On Fri, 2 Dec 2022 at 00:47, Ard Biesheuvel <ardb at kernel.org> wrote:
>
> On Fri, 2 Dec 2022 at 00:45, Kees Cook <keescook at chromium.org> wrote:
> >
> > On Mon, Nov 28, 2022 at 10:49:39AM +0100, Ard Biesheuvel wrote:
> > > Prevent abuse of the runtime service wrapper code by avoiding restoring
> > > the shadow call stack pointer from the ordinary stack, or the stack
> > > pointer itself from a GPR. Also, given that the exception recovery
> > > routine is never called in an ordinary way, it doesn't need BTI landing
> > > pads so it can be SYM_CODE rather than SYM_FUNC.
> >
> > Does this mean x18 is now being spilled to the stack? (Do we already
> > spill it in other places?)
> >
>
> I've found a better way of addressing this, by moving this code out of
> the kernel .text mapping entirely, and only mapping it executable in
> the EFI page tables (which are only active while a runtime service
> call is in progress, and only on a single CPU running with preemption
> disabled)
>
> https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/commit/?id=47f68266d6ad94860c6cd9d2145cb91350b47e43

And to answer your question: yes, x18 is currently spilled to the
stack in both of those routines. I've reverted the patch that added
the second one (which was only added this cycle). The other one needs
a fix going to -stable, so I'll backport the patch I quoted above once
it hits Linus's tree.



More information about the linux-arm-kernel mailing list