I can't see any reason that we need the __KERNEL_DS segment at all --
I think that everything that uses __KERNEL_DS could use __USER_DS
instead. Am I missing anything? This has been bugging me for a
while.
I mulled over this a bit when trying to understand the sysret_ss_attrs
bug and then forgot about it.
--Andy
On 08/04/2016 01:24, Andy Lutomirski wrote:
> I can't see any reason that we need the __KERNEL_DS segment at all --
> I think that everything that uses __KERNEL_DS could use __USER_DS
> instead. Am I missing anything? This has been bugging me for a
> while.
>
> I mulled over this a bit when trying to understand the sysret_ss_attrs
> bug and then forgot about it.
Linux doesn't have a separate __KERNEL_SS. For the plain data segments,
the dpl is not interesting.
However, %ss is also loaded with __KERNEL_DS, and %ss.dpl is somewhat
important.
~Andrew
On Fri, Apr 8, 2016 at 1:01 AM, Andrew Cooper <[email protected]> wrote:
> On 08/04/2016 01:24, Andy Lutomirski wrote:
>> I can't see any reason that we need the __KERNEL_DS segment at all --
>> I think that everything that uses __KERNEL_DS could use __USER_DS
>> instead. Am I missing anything? This has been bugging me for a
>> while.
>>
>> I mulled over this a bit when trying to understand the sysret_ss_attrs
>> bug and then forgot about it.
>
> Linux doesn't have a separate __KERNEL_SS. For the plain data segments,
> the dpl is not interesting.
>
> However, %ss is also loaded with __KERNEL_DS, and %ss.dpl is somewhat
> important.
But %ss can be loaded with 0 on 64-bit kernels. (I assume that
loading 0 into %ss sets SS.DPL to 0 if done at CPL0, but I'm vague on
this, since it only really matters to hypervisor code AFAIK.)
32-bit kernels need __KERNEL_DS, I think.
--Andy
On 08/04/2016 18:00, Andy Lutomirski wrote:
> But %ss can be loaded with 0 on 64-bit kernels. (I assume that
> loading 0 into %ss sets SS.DPL to 0 if done at CPL0, but I'm vague on
> this, since it only really matters to hypervisor code AFAIK.)
It's even simpler, unless CPL=0 SS cannot be loaded with 0 while in a
64-bit code segment (SS can never be loaded with 0 if you're not in a
64-bit code segment).
Thus indeed SS=0 implies SS.DPL=0 on 64-bit kernels.
Paolo
> 32-bit kernels need __KERNEL_DS, I think.
On Fri, Apr 8, 2016 at 10:12 AM, Paolo Bonzini <[email protected]> wrote:
>
>
> On 08/04/2016 18:00, Andy Lutomirski wrote:
>> But %ss can be loaded with 0 on 64-bit kernels. (I assume that
>> loading 0 into %ss sets SS.DPL to 0 if done at CPL0, but I'm vague on
>> this, since it only really matters to hypervisor code AFAIK.)
>
> It's even simpler, unless CPL=0 SS cannot be loaded with 0 while in a
> 64-bit code segment (SS can never be loaded with 0 if you're not in a
> 64-bit code segment).
>
> Thus indeed SS=0 implies SS.DPL=0 on 64-bit kernels.
I think we are stuck with __KERNEL_DS: SYSCALL uses it. Unless we
start fiddling with conforming code segments (ugh), I don't think
there's a valid GDT layout that doesn't have two flat data segments.
Oh well, chalk it up to historical accident.
On 08/04/16 23:06, Andy Lutomirski wrote:
> On Fri, Apr 8, 2016 at 10:12 AM, Paolo Bonzini <[email protected]> wrote:
>>
>> On 08/04/2016 18:00, Andy Lutomirski wrote:
>>> But %ss can be loaded with 0 on 64-bit kernels. (I assume that
>>> loading 0 into %ss sets SS.DPL to 0 if done at CPL0, but I'm vague on
>>> this, since it only really matters to hypervisor code AFAIK.)
>> It's even simpler, unless CPL=0 SS cannot be loaded with 0 while in a
>> 64-bit code segment (SS can never be loaded with 0 if you're not in a
>> 64-bit code segment).
>>
>> Thus indeed SS=0 implies SS.DPL=0 on 64-bit kernels.
> I think we are stuck with __KERNEL_DS: SYSCALL uses it.
SYSCALL expects the OS to keep the programmed selector in sync with its
descriptor entry. It specifically loads fixed attributes, and doesn't
re-read the GDT.
> Unless we start fiddling with conforming code segments (ugh)
I don't see how this would help.
> , I don't think
> there's a valid GDT layout that doesn't have two flat data segments.
My gut feeling is that nothing good can possibly come of having the GDT
entry out of sync with the fixed attributes SYSCALL loads. It would
break code which manually reloaded %ss, such as constructed an IRET
frame using PUSH %ss.
> Oh well, chalk it up to historical accident.
Feel very glad that SYSCALL and SYSENTER (appear to) behave identically
in their expectations of GDT layout and fixed attributes...
I for one wouldn't bet on it, knowing the x86 architecture.
~Andrew