* Peter Zijlstra <pet...@infradead.org> wrote:
> Since we can't do CALL/RET until GS is restored and CR[04] pinning is
> of dubious value in this code path, simply write the stored values.
>
> Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
> ---
> arch/x86/power/cpu.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/arch/x86/power/cpu.c
> +++ b/arch/x86/power/cpu.c
> @@ -208,11 +208,11 @@ static void notrace __restore_processor_
> #else
> /* CONFIG X86_64 */
> native_wrmsrl(MSR_EFER, ctxt->efer);
> - native_write_cr4(ctxt->cr4);
> + asm volatile("mov %0,%%cr4": "+r" (ctxt->cr4) : : "memory");
> #endif
> native_write_cr3(ctxt->cr3);
> native_write_cr2(ctxt->cr2);
> - native_write_cr0(ctxt->cr0);
> + asm volatile("mov %0,%%cr0": "+r" (ctxt->cr0) : : "memory");
Yeah, so CR pinning protects against are easily accessible 'gadget'
functions that exploits can call to disable HW protection features in the
CR register.
__restore_processor_state() might be such a gadget if an exploit can pass
in a well-prepared 'struct saved_context' on the stack.
Can we set up cr0/cr4 after we have a proper GS, or is that a
chicken-and-egg scenario?
Thanks,
Ingo
