Message-ID: <E8E632D1-7A16-4F42-954B-0ACA3C5F7409@intel.com>
Date:   Sat, 29 Jun 2019 07:21:00 +0000
From:   "Bae, Chang Seok" <chang.seok.bae@...el.com>
To:     Thomas Gleixner <tglx@...utronix.de>
CC:     Andy Lutomirski <luto@...nel.org>,
        Vegard Nossum <vegard.nossum@...cle.com>,
        Ingo Molnar <mingo@...nel.org>,
        "H . Peter Anvin" <hpa@...or.com>, Andi Kleen <ak@...ux.intel.com>,
        "Shankar, Ravi V" <ravi.v.shankar@...el.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>
Subject: Re: [PATCH v7 12/18] x86/fsgsbase/64: GSBASE handling with FSGSBASE in the paranoid path


> On May 8, 2019, at 03:02, Chang S. Bae <chang.seok.bae@...el.com> wrote:
> 
> ENTRY(paranoid_exit)
> …
> +
> +	/* On FSGSBASE systems, always restore the stashed GSBASE */
> +	wrgsbase	%rbx
> +	jmp	.Lparanoid_exit_no_swapgs;

It would crash any time a paranoid entry is taken with user GS but kernel CR3.
The issue was thankfully uncovered by Vegard N. A relevant test case will be
published by Andy L. The patch fixes the issue. (Rebased on the tip master.)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index b5e782a..dfdadc1 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1288,9 +1288,12 @@ ENTRY(paranoid_exit)
       /* Handle GS depending on FSGSBASE availability */
       ALTERNATIVE "jmp .Lparanoid_exit_checkgs", "nop",X86_FEATURE_FSGSBASE

+       TRACE_IRQS_IRETQ
+       /* Always restore stashed CR3 value (see paranoid_entry) */
+       RESTORE_CR3     scratch_reg=%rax save_reg=%r14
       /* With FSGSBASE enabled, unconditionally restore GSBASE */
       wrgsbase        %rbx
-       jmp     .Lparanoid_exit_no_swapgs;
+       jmp     .Lparanoid_exit_restore;

.Lparanoid_exit_checkgs:
       /* On non-FSGSBASE systems, conditionally do SWAPGS */
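Review bot: the FSGSBASE path now runs TRACE_IRQS_IRETQ and RESTORE_CR3 before `wrgsbase %rbx`, but nothing in the hunk records why that ordering is required; a one-line comment above `wrgsbase %rbx` stating that once the user GSBASE is loaded no GS-relative (per-cpu) access may follow, which is why the tracing call and the CR3 restore were moved ahead of it, would keep a later cleanup from reordering them back. Two smaller points: this path uses TRACE_IRQS_IRETQ while the quoted .Lparanoid_exit_no_swapgs path uses TRACE_IRQS_IRETQ_DEBUG, so confirm the two exit paths are meant to use different macros; and `RESTORE_CR3 scratch_reg=%rax save_reg=%r14` correctly avoids %rbx, which still holds the stashed GSBASE at that point, a constraint also worth a mention in the comment.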

>  ...
> .Lparanoid_exit_no_swapgs:
> 	TRACE_IRQS_IRETQ_DEBUG
> 	/* Always restore stashed CR3 value (see paranoid_entry) */
> 	RESTORE_CR3	scratch_reg=%rbx save_reg=%r14
> +
> .Lparanoid_exit_restore:
> -	jmp restore_regs_and_return_to_kernel
> +	jmp	restore_regs_and_return_to_kernel
> END(paranoid_exit)
> 

