Open Source and information security mailing list archives
 
Date:   Mon, 25 May 2020 22:28:48 -0700
From:   Andi Kleen <andi@...stfloor.org>
To:     x86@...nel.org
Cc:     keescook@...omium.org, linux-kernel@...r.kernel.org,
        sashal@...nel.org, Andi Kleen <ak@...ux.intel.com>,
        stable@...r.kernel.org
Subject: [PATCH v1] x86: Pin cr4 FSGSBASE

From: Andi Kleen <ak@...ux.intel.com>

Since there seem to be kernel modules floating around that set
FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
CR4 pinning just checks that bits are set; this also checks
that the FSGSBASE bit is not set and, if it is, clears it again.

Note this patch will need to be undone when the full FSGSBASE
patches are merged. But it's a reasonable solution for v5.2+
stable at least. Sadly the older kernels don't have the necessary
infrastructure for this (although a simpler version of this
could be added there too).

Cc: stable@...r.kernel.org # v5.2+
Signed-off-by: Andi Kleen <ak@...ux.intel.com>
---
 arch/x86/kernel/cpu/common.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index bed0cb83fe24..1f5b7871ae9a 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -385,6 +385,11 @@ void native_write_cr4(unsigned long val)
 		/* Warn after we've set the missing bits. */
 		WARN_ONCE(bits_missing, "CR4 bits went missing: %lx!?\n",
 			  bits_missing);
+		if (val & X86_CR4_FSGSBASE) {
+			WARN_ONCE(1, "CR4 unexpectedly set FSGSBASE!?\n");
+			val &= ~X86_CR4_FSGSBASE;
+			goto set_register;
+		}
 	}
 }
 EXPORT_SYMBOL(native_write_cr4);
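
Review bot: the new `if (val & X86_CR4_FSGSBASE)` check sits inside the enclosing block that closes at the `}` directly after it, so it runs only when that block's condition holds, and it only sees writes that go through native_write_cr4(); a module that writes CR4 by its own means never reaches it. If the bit has to stay clear unconditionally, move the check out of that block, and state in the commit message that coverage is limited to callers of this function. The block also needs a comment saying why FSGSBASE must not be set here and that the check has to be removed once FSGSBASE support is merged, since that constraint currently lives only in the commit message. Note that `WARN_ONCE(1, ...)` reports only the first occurrence: later writes still get the bit cleared, but silently, so confirm that is the intended logging.
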
-- 
2.25.4
