On Fri, Apr 24, 2015 at 11:59:42AM +0200, Denys Vlasenko wrote:
> I propose a more conservative check:
>
> 	if (ss_sel != __KERNEL_DS)
> 		loadsegment(ss, __KERNEL_DS);
>
> I would propose this even if I would see no real case where it matters...
> but I even do see such a case.

...

> As in legacy mode, it is desirable to keep the stack-segment requestor
> privilege-level (SS.RPL)
> equal to the current privilege-level (CPL). When using a call gate to change
> privilege levels, the
> SS.RPL is updated to reflect the new CPL. The SS.RPL is restored from the
> return-target CS.RPL
> on the subsequent privilege-level-changing far return.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ THIS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> 3. The old values of the SS and RSP registers are pushed onto the stack
> pointed to by the new RSP.
> ...
> ...
> """
>
> Thus, the NULL selector in SS may actually be not all zeros. Its RPL may be
> nonzero, if we are not in ring 0.

Yeah, that makes more sense.

So I tested Andy's patch but changed it as above and I get

$ taskset -c 0 ./sysret_ss_attrs_32
[RUN]	Syscalls followed by SS validation
[OK]	We survived

And this is on an AMD F16h and it used to fail before the patch.

So yeah, I think we can call this misfeature "architectural".

Tested-by: Borislav Petkov <b...@suse.de>

Thanks.

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
--
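An added example, not code from the thread or from the kernel, that models the x86 selector encoding behind the point above: a null SS can carry nonzero RPL bits after a privilege-changing far return, so a check against zero misses it while the proposed `!= __KERNEL_DS` comparison does not. The `__KERNEL_DS` value 0x18 and the selector names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 segment selector layout: Index[15:3], TI[2] (0 = GDT), RPL[1:0]. */
#define SEL_RPL(sel)   ((sel) & 0x3)
#define SEL_TI(sel)    (((sel) >> 2) & 0x1)
#define SEL_INDEX(sel) ((sel) >> 3)

/* Assumed value for __KERNEL_DS in this example: GDT entry 3, RPL 0. */
#define KERNEL_DS_SEL  0x18

/* A null selector is GDT index 0; the RPL bits are not part of that test. */
static bool sel_is_null(uint16_t sel)
{
    return SEL_INDEX(sel) == 0 && SEL_TI(sel) == 0;
}

/* Per the quoted manual text, a privilege-changing far return sets
 * SS.RPL from the target CS.RPL.  Model a null SS coming back from
 * such a return: index and TI stay 0, RPL follows the target CS. */
static uint16_t null_ss_after_far_return(uint16_t target_cs)
{
    return (uint16_t)SEL_RPL(target_cs);
}

/* Naive check: treats only an all-zero SS as needing a reload. */
static bool naive_needs_reload(uint16_t ss)
{
    return ss == 0;
}

/* Conservative check from the thread: reload unless SS is exactly __KERNEL_DS. */
static bool conservative_needs_reload(uint16_t ss)
{
    return ss != KERNEL_DS_SEL;
}

int main(void)
{
    uint16_t user_cs = 0x23;          /* constructed: a ring-3 CS, RPL 3 */
    uint16_t ss = null_ss_after_far_return(user_cs);

    printf("SS after far return to ring 3: 0x%04x (null=%d, rpl=%u)\n",
           ss, sel_is_null(ss), SEL_RPL(ss));
    printf("naive check reloads: %d, conservative check reloads: %d\n",
           naive_needs_reload(ss), conservative_needs_reload(ss));
    return 0;
}
```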