MIME-Version: 1.0
In-Reply-To: <20150423185202.GQ28327@pd.tnic>
References: <CALCETrVH6STDwEuLY3gFaNevtjvtOZ7Ox3e10ZhtmitCJnJUKQ@mail.gmail.com>
 <5538C1C5.7010408@redhat.com> <20150423101840.GC28327@pd.tnic>
 <5538C8E3.60009@redhat.com> <20150423104401.GF28327@pd.tnic>
 <CALCETrW6E9qrVi-Qiri9eSVRDpDB6iFrqJMdu667cYdF-11YMw@mail.gmail.com>
 <CAK1hOcNTmAjVv5YHPSFUsA40y9dAoHPsQkKOTnYqqAf_gSs9Sg@mail.gmail.com>
 <CALCETrUHUJeVWC+qAwvrDF1dvPMY7jZcNNVh2gM77pw3db9JVg@mail.gmail.com>
 <20150423171440.GP28327@pd.tnic> <CALCETrVHupWBHwBeSLyYYMtQj24F5qbvg9dkxxy-75dPY3869Q@mail.gmail.com>
 <20150423185202.GQ28327@pd.tnic>
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 23 Apr 2015 21:50:26 +0200
Message-ID: <CAK1hOcN3N0OTsZ6hGdECB4arH1TWDsbPtcM8rnCkdA6=aeairQ@mail.gmail.com>
Subject: Re: [tip:x86/vdso] x86/vdso32/syscall.S: Do not load __USER32_DS to %ss
To: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Denys Vlasenko <dvlasenk@redhat.com>, Brian Gerst <brgerst@gmail.com>,
        Steven Rostedt <rostedt@goodmis.org>, Oleg Nesterov <oleg@redhat.com>,
        Ingo Molnar <mingo@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>, Will Drewry <wad@chromium.org>,
        =?UTF-8?B?RnLDqWTDqXJpYyBXZWlzYmVja2Vy?= <fweisbec@gmail.com>,
        Alexei Starovoitov <ast@plumgrid.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        "linux-tip-commits@vger.kernel.org" 
	<linux-tip-commits@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1823
Lines: 70

On Thu, Apr 23, 2015 at 8:52 PM, Borislav Petkov <bp@alien8.de> wrote:
> On Thu, Apr 23, 2015 at 11:24:14AM -0700, Andy Lutomirski wrote:
>> That nails it.  We really do leak segment limits to other tasks on AMD
>> chips.  I see at least two questions we should answer before fixing
>> this:
>
> Ok, WTF is going on?! Even this trivial test case causes a Bus Error:
>
> ---
> static unsigned short GDT3(int idx)
> {
>         return (idx << 3) | 3;
> }
>
> static void *threadproc(void *ctx)
> {
>         printf("Hello world\n");
>         return NULL;
> }
>
> int main()
> {
>         pthread_t thread;
>         if (pthread_create(&thread, 0, threadproc, 0) != 0)
>                 err(1, "pthread_create");
>
>         while (1) {
>                 usleep(1);
>         }
>
>         return 0;
> }
> ---
>
> $ make sysret_ss_attrs_32
> gcc -m32 -o sysret_ss_attrs_32 -O2 -g -std=gnu99 -pthread -Wall  sysret_ss_attrs.c -lrt -ldl
> sysret_ss_attrs.c:23:23: warning: ‘GDT3’ defined but not used [-Wunused-function]
>  static unsigned short GDT3(int idx)
>                        ^
> $ taskset -c 0 ./sysret_ss_attrs_32
> Hello world
> Bus error
>
> in dmesg:
>
> [  583.389368] traps: sysret_ss_attrs[2135] trap stack segment ip:f7784b87 sp:ffb640c0 error:0

I reproduced it.

I also confirm that the patch fixes it.

In fact, the simplest reproducer is

int main()
{
        while (1)
                usleep(1);
        return 0;
}

- no threads necessary. You only need to do a lot of sysret32's,
and eventually it happens. If you omit -m32, it doesn't happen.

-- 
vda
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/