| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Apr 2014 14:03:10 -0400 From: Brian Gerst <brgerst@...il.com> To: Andrew Lutomirski <amluto@...il.com> Cc: "H. Peter Anvin" <hpa@...or.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...ux.intel.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...nel.org>, Alexander van Heukelum <heukelum@...tmail.fm>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Arjan van de Ven <arjan.van.de.ven@...el.com>, Alexandre Julliard <julliard@...ehq.com>, Andi Kleen <andi@...stfloor.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH] x86-64: espfix for 64-bit mode *PROTOTYPE* On Tue, Apr 22, 2014 at 1:46 PM, Andrew Lutomirski <amluto@...il.com> wrote: > On Tue, Apr 22, 2014 at 10:29 AM, H. Peter Anvin <hpa@...or.com> wrote: >> On 04/22/2014 10:19 AM, Linus Torvalds wrote: >>> On Tue, Apr 22, 2014 at 10:11 AM, Andrew Lutomirski <amluto@...il.com> wrote: >>>> >>>>> >>>>> Anyway, if done correctly, this whole espfix should be totally free >>>>> for normal processes, since it should only trigger if SS is a LDT >>>>> entry (bit #2 set in the segment descriptor). So the normal fast-path >>>>> should just have a simple test for that. >>>> >>>> How? Doesn't something still need to check whether SS is funny before >>>> doing iret? >>> >>> Just test bit #2. Don't do anything else if it's clear, because you >>> should be done. You don't need to do anything special if it's clear, >>> because I don't *think* we have any 16-bit data segments in the GDT on >>> x86-64. >>> >> >> And we don't (neither do we on i386, and we depend on that invariance.) >> >> Hence: >> >> irq_return: >> + /* >> + * Are we returning to the LDT? Note: in 64-bit mode >> + * SS:RSP on the exception stack is always valid. >> + */ >> + testb $4,(SS-RIP)(%rsp) >> + jnz irq_return_ldt >> + >> +irq_return_iret: >> INTERRUPT_RETURN >> - _ASM_EXTABLE(irq_return, bad_iret) >> + _ASM_EXTABLE(irq_return_iret, bad_iret) >> >> >> That is the whole impact of the IRET path. >> >> If using IST for #GP won't cause trouble (ISTs don't nest, so we need to >> make sure there is absolutely no way we could end up nested) then the >> rest of the fixup code can go away and we kill the common path >> exception-handling overhead; the only new overhead is the IST >> indirection for #GP, which isn't a performance-critical fault (good >> thing, because untangling #GP faults is a major effort.) > > I'd be a bit nervous about read_msr_safe and friends. Also, what > happens if userspace triggers a #GP and the signal stack setup causes > a page fault? > > --Andy Maybe make the #GP handler check what the previous stack was at the start: 1) If we came from userspace, switch to the top of the process stack. 2) If the previous stack was not the espfix stack, switch back to that stack. 3) Switch to the top of the process stack (espfix case) This leaves the IST available for any recursive faults. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists