[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wiB2FSWb0HxgzHGJKaDRCaJ6tGSc0OVvodAiZ_QU=05NQ@mail.gmail.com>
Date: Sat, 9 Dec 2023 12:08:30 -0800
From: Linus Torvalds <torvalds@...uxfoundation.org>
To: Brian Gerst <brgerst@...il.com>
Cc: Michal Luczaj <mhal@...x.co>, x86@...nel.org, tglx@...utronix.de,
mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
shuah@...nel.org, luto@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/2] x86: UMIP emulation leaking kernel addresses
On Sat, 9 Dec 2023 at 09:16, Brian Gerst <brgerst@...il.com> wrote:
>
> A different way to plug this is to harden ptrace (and sigreturn) to
> verify that the segments are code or data type segments instead of
> relying on an IRET fault.
I think that is likely a good idea regardless of this particular issue.
And I don't think you need to even check the segment for any kind of
validity - all you need to check that it's a valid selector.
And we *kind* of do that already, with the x86 ptrace code checking
static inline bool invalid_selector(u16 value)
{
return unlikely(value != 0 && (value & SEGMENT_RPL_MASK) != USER_RPL);
}
but the thing is, I think we could limit that a lot more.
I think the only valid GDT entries are 0-15 (that includes the default
kernel segments, but they don't contain anything interesting), so we
could tighten that selector check to say that it has to be either a
LDT entry or a selector < 15.
So add some kind of requirement for "(value & 4) || (value < 8*16)", perhaps?
Linus
Powered by blists - more mailing lists