| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Mar 2018 10:16:36 +0000
From: David Laight <David.Laight@...LAB.COM>
To: "'Chang S. Bae'" <chang.seok.bae@...el.com>,
"x86@...nel.org" <x86@...nel.org>
CC: "luto@...nel.org" <luto@...nel.org>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"hpa@...or.com" <hpa@...or.com>,
"markus.t.metzger@...el.com" <markus.t.metzger@...el.com>,
"tony.luck@...el.com" <tony.luck@...el.com>,
"ravi.v.shankar@...el.com" <ravi.v.shankar@...el.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>
Subject: RE: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on
paranoid_entry
From: Chang S. Bae
> Sent: 19 March 2018 17:49
...
> When FSGSBASE is enabled, SWAPGS needs if and only if (current)
> GS base is not the kernel's.
>
> FSGSBASE instructions allow user to write any value on GS base;
> even negative. Sign check on the current GS base is not
> sufficient. Fortunately, reading GS base is fast. Kernel GS
> base is also known from the offset table with the CPU number.
...
Use code might want to put a negative value into GSBASE.
While it is normal to put a valid address into GSBASE there
is no reason why the code can't put an offset into GSBASE,
in which case it might be negative.
Yes, I know you can't put arbitrary 64bit values into GSBASE.
But the difference between 2 user pointers will always be valid.
David
Powered by blists - more mailing lists