lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cace0bfa-2de7-431b-9b4d-fd8ca5e7873d@zytor.com>
Date: Tue, 18 Feb 2025 23:55:21 -0800
From: Xin Li <xin@...or.com>
To: Andrew Cooper <andrew.cooper3@...rix.com>, linux-kernel@...r.kernel.org
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
        dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
        brgerst@...il.com, ebiederm@...ssion.com
Subject: Re: [PATCH v4 1/1] x86/ia32: Leave NULL selector values 0~3 as is

On 2/14/2025 6:01 AM, Andrew Cooper wrote:
> On 14/02/2025 6:56 am, Xin Li wrote:
>> On 12/12/2024 10:44 AM, Xin Li wrote:
>>> On 11/26/2024 10:45 AM, Xin Li (Intel) wrote:
>>>> The first GDT descriptor is reserved as 'NULL descriptor'.  As bits 0
>>>> and 1 of a segment selector, i.e., the RPL bits, are NOT used to index
>>>> GDT, selector values 0~3 all point to the NULL descriptor, thus values
>>>> 0, 1, 2 and 3 are all valid NULL selector values.
>>>>
>>>> When a NULL selector value is to be loaded into a segment register,
>>>> reload_segments() sets its RPL bits.  Later IRET zeros ES, FS, GS, and
>>>> DS segment registers if any of them is found to have any nonzero NULL
>>>> selector value.  The two operations offset each other to actually
>>>> effect
>>>> a nop.
>>>>
>>>> Besides, zeroing of RPL in NULL selector values is an information leak
>>>> in pre-FRED systems as userspace can spot any interrupt/exception by
>>>> loading a nonzero NULL selector, and waiting for it to become zero.
>>>> But there is nothing software can do to prevent it before FRED.
>>>>
>>>> ERETU, the only legit instruction to return to userspace from kernel
>>>> under FRED, by design does NOT zero any segment register to avoid this
>>>> problem behavior.
>>>>
>>>> As such, leave NULL selector values 0~3 as is.
>>>
>>> Hi Andrew,
>>>
>>> Do you have any more comments?
>>
>> Hi Andrew,
>>
>> Are you okay to give a review-by to this patch?
> 
> Apologies.
> 
> Reviewed-by: Andrew Cooper <andrew.cooper3@...rix.com>

Thank you very much!

Thanks!
     Xin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ