On Thu, Jun 21, 2018 at 2:18 PM H. Peter Anvin, Intel <h.peter.an...@intel.com> wrote:
>
> From: "H. Peter Anvin" <h...@linux.intel.com>
>
> It is not only %ds and %es which contain cached user descriptor
> information, %fs and %gs do as well.
>
> To make sure we don't do something stupid that will affect processes
> which wouldn't want this requalification, be more restrictive about
> which selector numbers will be requalified: they need to be LDT
> selectors (which by definition are never null), have an RPL of 3
> (always the case in user space unless null), and match the updated
> descriptor.
That RPL3 part is false. The following program does:

    #include <stdio.h>

    int main()
    {
        unsigned short sel;

        /* Start from %ss (__USER_DS, 0x2b on x86-64), an RPL-3 data selector. */
        asm volatile ("mov %%ss, %0" : "=rm" (sel));
        /* Clear the RPL bits: 0x2b becomes 0x28. */
        sel &= ~3;
        printf("Will write 0x%hx to GS\n", sel);
        /* Load the RPL-0 selector into %gs from CPL 3; the CPU accepts it. */
        asm volatile ("mov %0, %%gs" :: "rm" (sel));
        /* Read %gs back: the RPL-0 value survives. */
        asm volatile ("mov %%gs, %0" : "=rm" (sel));
        printf("GS = 0x%hx\n", sel);
        return 0;
    }

prints:

    Will write 0x28 to GS
    GS = 0x28

The x86 architecture is *insane*.

Other than that, this patch seems generally sensible. But my objection that it's incorrect with FSGSBASE enabled for %fs and %gs still applies.
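The exchange above turns on two facts about x86 selectors: how the RPL, TI and index fields are laid out, and the privilege rule the CPU applies when a data-segment register is loaded (the load succeeds when max(CPL, RPL) <= DPL, per the Intel SDM), which is why a CPL-3 process can load an RPL-0 selector for a DPL-3 segment. The following pure-C model is an added illustration, not code from the patch or from the reply: `requalify_strict` encodes the criterion quoted from the patch description as a hypothetical predicate (not the kernel's actual check), `requalify_any_rpl` is the same criterion with the RPL condition dropped, and the selector values other than __USER_DS (0x2b) are constructed. Run together, they show that a user-loaded LDT selector with its RPL bits cleared is accepted by the CPU but missed by the RPL-3 rule.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86 segment selector layout:
 *   bits 0-1  RPL (requested privilege level)
 *   bit  2    TI  (0 = GDT, 1 = LDT)
 *   bits 3-15 descriptor index
 */
static inline unsigned sel_rpl(uint16_t sel)    { return sel & 3; }
static inline bool     sel_is_ldt(uint16_t sel) { return (sel >> 2) & 1; }
static inline unsigned sel_index(uint16_t sel)  { return sel >> 3; }

/*
 * Privilege check for loading a data-segment selector into
 * %ds/%es/%fs/%gs: the load succeeds when max(CPL, RPL) <= DPL.
 * At CPL 3 with a DPL-3 descriptor this holds for every RPL value,
 * which is why the reply's program can load 0x28 into %gs.
 */
static inline bool can_load_data_segment(unsigned cpl, unsigned rpl, unsigned dpl)
{
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= dpl;
}

/* What the reply's test program does to a selector: clear the RPL bits. */
static inline uint16_t clear_rpl(uint16_t sel) { return (uint16_t)(sel & ~3); }

/*
 * Hypothetical model of the criterion quoted from the patch description:
 * non-null, LDT selector, RPL 3, index equal to the modified descriptor.
 */
static bool requalify_strict(uint16_t sel, unsigned updated_index)
{
    return sel != 0 && sel_is_ldt(sel) && sel_rpl(sel) == 3 &&
           sel_index(sel) == updated_index;
}

/* The same criterion without the RPL requirement. */
static bool requalify_any_rpl(uint16_t sel, unsigned updated_index)
{
    return sel != 0 && sel_is_ldt(sel) && sel_index(sel) == updated_index;
}

int main(void)
{
    const uint16_t user_ds   = 0x2b;                 /* __USER_DS on x86-64: GDT index 5, RPL 3 */
    const uint16_t ldt0_rpl3 = 0x07;                 /* constructed: LDT index 0, RPL 3 */
    const uint16_t ldt0_rpl0 = clear_rpl(ldt0_rpl3); /* 0x04: LDT index 0, RPL 0 */

    /* The reply's case: 0x2b -> 0x28 is a GDT selector, so neither rule applies. */
    printf("0x%x -> clear_rpl -> 0x%x, GDT=%d, loadable at CPL 3 into DPL 3: %d\n",
           user_ds, clear_rpl(user_ds), !sel_is_ldt(user_ds),
           can_load_data_segment(3, sel_rpl(clear_rpl(user_ds)), 3));

    /* The same trick on an LDT selector: accepted by the CPU, missed by the strict rule. */
    printf("LDT sel 0x%x: strict=%d any_rpl=%d\n", ldt0_rpl3,
           requalify_strict(ldt0_rpl3, 0), requalify_any_rpl(ldt0_rpl3, 0));
    printf("LDT sel 0x%x: loadable=%d strict=%d any_rpl=%d\n", ldt0_rpl0,
           can_load_data_segment(3, sel_rpl(ldt0_rpl0), 3),
           requalify_strict(ldt0_rpl0, 0), requalify_any_rpl(ldt0_rpl0, 0));
    return 0;
}
```

The model deliberately stops at the selector-level check; it says nothing about FSGSBASE, where the cached base of %fs/%gs is no longer tied to the descriptor, which is the separate objection the reply raises.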