| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Jun 2020 21:39:59 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
Cc: Brendan Shanks <bshanks@...eweavers.com>,
LKML <linux-kernel@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andreas Rammhold <andi@...much.email>,
"Moger, Babu" <Babu.Moger@....com>
Subject: Re: [PATCH] x86/umip: Add emulation/spoofing for SLDT and STR instructions
On Wed, Jun 3, 2020 at 5:12 PM Ricardo Neri
<ricardo.neri-calderon@...ux.intel.com> wrote:
>
> On Tue, Jun 02, 2020 at 11:42:12AM -0700, Brendan Shanks wrote:
> > Add emulation/spoofing of SLDT and STR for both 32- and 64-bit
> > processes.
> >
> > Wine users have found a small number of Windows apps using SLDT that
> > were crashing when run on UMIP-enabled systems.
> >
> > Reported-by: Andreas Rammhold <andi@...much.email>
> > Originally-by: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
> > Signed-off-by: Brendan Shanks <bshanks@...eweavers.com>
> > ---
> > arch/x86/kernel/umip.c | 23 ++++++++++++++---------
> > 1 file changed, 14 insertions(+), 9 deletions(-)
> >
> > diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c
> > index 8d5cbe1bbb3b..59dfceac5cc0 100644
> > --- a/arch/x86/kernel/umip.c
> > +++ b/arch/x86/kernel/umip.c
> > @@ -64,6 +64,8 @@
> > #define UMIP_DUMMY_GDT_BASE 0xfffffffffffe0000ULL
> > #define UMIP_DUMMY_IDT_BASE 0xffffffffffff0000ULL
> >
> > +#define UMIP_DUMMY_TASK_REGISTER_SELECTOR 0x40
> > +
> > /*
> > * The SGDT and SIDT instructions store the contents of the global descriptor
> > * table and interrupt table registers, respectively. The destination is a
> > @@ -244,16 +246,24 @@ static int emulate_umip_insn(struct insn *insn, int umip_inst,
> > *data_size += UMIP_GDT_IDT_LIMIT_SIZE;
> > memcpy(data, &dummy_limit, UMIP_GDT_IDT_LIMIT_SIZE);
> >
> > - } else if (umip_inst == UMIP_INST_SMSW) {
> > - unsigned long dummy_value = CR0_STATE;
> > + } else if (umip_inst == UMIP_INST_SMSW || umip_inst == UMIP_INST_SLDT ||
> > + umip_inst == UMIP_INST_STR) {
> > + unsigned long dummy_value;
> > +
> > + if (umip_inst == UMIP_INST_SMSW)
> > + dummy_value = CR0_STATE;
> > + else if (umip_inst == UMIP_INST_STR)
> > + dummy_value = UMIP_DUMMY_TASK_REGISTER_SELECTOR;
> > + else
> > + dummy_value = 0;
>
> Perhaps you can return a non-zero value for SLDT if it has an LDT, as
> Andy had suggested. Maybe this can be implemented by looking at
> current->mm->context.ldt
>
> I guess the non-zero value can be (GDT_ENTRY_LDT*8).
You could probably even get away with always returning a nonzero
value. After all, an empty LDT is quite similar to no LDT.
--Andy
Powered by blists - more mailing lists