On Fri, Feb 05, 2021 at 10:00:21AM -0800, Yu, Yu-cheng wrote:
> On 2/5/2021 5:59 AM, Borislav Petkov wrote:
> > On Wed, Feb 03, 2021 at 02:55:28PM -0800, Yu-cheng Yu wrote:
> > > +DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
> > > +{
> > > + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
> > > + DEFAULT_RATELIMIT_BURST);
> > > + struct task_struct *tsk;
> > > +
> > > + if (!user_mode(regs)) {
> > > + pr_emerg("PANIC: unexpected kernel control protection fault\n");
> > > + die("kernel control protection fault", regs, error_code);
> > > + panic("Machine halted.");
> > > + }
> > > +
> > > + cond_local_irq_enable(regs);
> > > +
> > > + if (!boot_cpu_has(X86_FEATURE_CET))
> > > + WARN_ONCE(1, "Control protection fault with CET support disabled\n");
> > > +
> > > + tsk = current;
> > > + tsk->thread.error_code = error_code;
> > > + tsk->thread.trap_nr = X86_TRAP_CP;
> > > +
> > > + if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) &&
> > > + __ratelimit(&rs)) {
> >
> > I can't find it written down anywhere why the ratelimiting is needed at
> > all?
> >
>
> The ratelimit here is only for #CP, and its rate is not counted together
> with other types of faults. If a task gets here, it will exit. The only
> condition the ratelimit will trigger is when multiple tasks hit #CP at once,
> which is unlikely. Are you suggesting that we do not need the ratelimit
> here?
Since this is a potentially unprivileged-userspace-triggerable
condition, I tend to prefer having a ratelimit. I don't feel _strongly_
about it, but I find it better to be defensive against log spamming
(whether malicious or accidental).
--
Kees Cook
