| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3680972b-1871-4c92-9f61-c28ef7c10a4c@citrix.com> Date: Wed, 20 Nov 2024 09:33:41 +0000 From: Andrew Cooper <andrew.cooper3@...rix.com> To: xin@...or.com Cc: bp@...en8.de, brgerst@...il.com, dave.hansen@...ux.intel.com, ebiederm@...ssion.com, hpa@...or.com, linux-kernel@...r.kernel.org, mingo@...hat.com, tglx@...utronix.de, x86@...nel.org, Andy Lutomirski <luto@...nel.org> Subject: Re: [PATCH v2 1/1] x86/ia32: Normalize any null selector value to 0 > The first GDT descriptor is reserved as 'null descriptor'. As bits 0 > and 1 of a segment selector, i.e., the DPL bits, are NOT used to index That's RPL in segment selector, not DPL. Same correction is needed in the code comments. > GDT, selector values 0~3 all point to the null descriptor, thus values > 0, 1, 2 and 3 are all valid null selector values. > > Furthermore IRET zeros ES, FS, GS, and DS segment registers if any of > them is found to have any null selector value, essentially making 0 a > preferred null selector value. Zeroing of RPL in null selectors is an information leak in pre-FRED systems. Userspace can spot any interrupt/exception by loading a nonzero NULL selector, and waiting for it to drop to zero. Userspace should not be able to do this; Andy and I lobbied for this during the design of FRED, and Intel agreed. Right now, this change is codifying the problem behaviour we were trying to fix out under FRED. Under FRED, if userspace loads e.g. 2 into a selector, it should remain 2 until userspace changes it to something else. ~Andrew
Powered by blists - more mailing lists