Date: Fri, 24 Apr 2015 12:59:06 +0200
From: Borislav Petkov
To: Denys Vlasenko, Andy Lutomirski
Cc: x86@kernel.org, "H. Peter Anvin", Andy Lutomirski, Denys Vlasenko, Linus Torvalds, Brian Gerst, Ingo Molnar, Steven Rostedt, Oleg Nesterov, Frederic Weisbecker, Alexei Starovoitov, Will Drewry, Kees Cook, Linux Kernel Mailing List
Subject: Re: [PATCH] x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue
Message-ID: <20150424105906.GB24894@pd.tnic>
References: <5d120f358612d73fc909f5bfa47e7bd082db0af0.1429841474.git.luto@kernel.org> <553A140E.9090409@redhat.com>
In-Reply-To: <553A140E.9090409@redhat.com>

On Fri, Apr 24, 2015 at 11:59:42AM +0200, Denys Vlasenko wrote:
> I propose a more conservative check:
>
>     if (ss_sel != __KERNEL_DS)
>         loadsegment(ss, __KERNEL_DS);
>
> I would propose this even if I saw no real case where it matters...
> but I even do see such a case.

...

> As in legacy mode, it is desirable to keep the stack-segment requestor privilege-level (SS.RPL)
> equal to the current privilege-level (CPL). When using a call gate to change privilege levels, the
> SS.RPL is updated to reflect the new CPL. The SS.RPL is restored from the return-target CS.RPL
> on the subsequent privilege-level-changing far return.
>                                                 ^^^^^^^^^^^^^^^^^^^^ THIS ^^^^^^^^^^^^^^^^^^^^
>
> 3. The old values of the SS and RSP registers are pushed onto the stack pointed to by the new RSP.
> ...
> ...
> """
>
> Thus, the NULL selector in SS may actually be not all zeros. Its RPL may be nonzero,
> if we are not in ring 0.

Yeah, that makes more sense.

So I tested Andy's patch but changed it as above and I get

$ taskset -c 0 ./sysret_ss_attrs_32
[RUN]   Syscalls followed by SS validation
[OK]    We survived

And this is on an AMD F16h and it used to fail before the patch.

So yeah, I think we can call this misfeature "architectural".

Tested-by: Borislav Petkov

Thanks.

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
--
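The point of the thread is that "SS holds the null selector" does not mean "SS is zero": a selector is index (bits 15:3), table indicator (bit 2) and RPL (bits 1:0), and a null selector is any value whose index and TI are zero, so after a return to ring 3 the RPL bits can be 3. A check that compares SS against 0 therefore misses the case Denys describes, while comparing against __KERNEL_DS catches it. The following is an added example written for this page, not code from the thread or from the kernel: it decodes selectors into their fields and contrasts the two checks on constructed sample values. The selector constants are assumptions (the Linux x86_64 GDT places kernel data at entry 3 and user data at entry 5 with RPL 3, giving 0x18 and 0x2b); the kernel itself uses its own __KERNEL_DS and loadsegment() macros, which are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed selector values (see lead-in): Linux x86_64 kernel data/stack
 * selector is GDT entry 3 (3 << 3 == 0x18); user data is entry 5 with
 * RPL 3 ((5 << 3) | 3 == 0x2b). */
#define KERNEL_DS_SEL 0x18
#define USER_DS_SEL   0x2b

/* Fields of a 16-bit x86 segment selector. */
struct selector {
    uint16_t index; /* bits 15:3 - descriptor table entry number */
    bool     ti;    /* bit 2    - 0 = GDT, 1 = LDT */
    uint8_t  rpl;   /* bits 1:0 - requestor privilege level */
};

struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.index = sel >> 3;
    s.ti    = (sel >> 2) & 1;
    s.rpl   = sel & 3;
    return s;
}

/* A null selector is index 0 in the GDT, whatever its RPL bits say.
 * 0x0000, 0x0001, 0x0002 and 0x0003 are all null selectors. */
bool is_null_selector(uint16_t sel)
{
    return (sel & ~(uint16_t)3) == 0;
}

/* The weaker test: treats SS as needing a reload only when it reads as
 * all zeros. It misses a null selector whose RPL was set to 3 by a
 * far return into ring 3, which is exactly the case the thread raises. */
bool ss_needs_reload_naive(uint16_t ss_sel)
{
    return ss_sel == 0;
}

/* The conservative test proposed in the thread: reload SS whenever it is
 * not the kernel stack selector, regardless of how it got that way. */
bool ss_needs_reload(uint16_t ss_sel)
{
    return ss_sel != KERNEL_DS_SEL;
}

/* Stand-in for loadsegment(ss, __KERNEL_DS): returns the selector the
 * kernel would leave in SS after applying the conservative check. */
uint16_t fixup_ss(uint16_t ss_sel)
{
    return ss_needs_reload(ss_sel) ? KERNEL_DS_SEL : ss_sel;
}

int main(void)
{
    /* Constructed sample SS values: all-zero null, null with RPL 3,
     * the kernel stack selector, and the user data selector. */
    const uint16_t samples[] = { 0x0000, 0x0003, KERNEL_DS_SEL, USER_DS_SEL };
    size_t i;

    printf("%-6s %-5s %-2s %-3s %-4s %-10s %-12s\n",
           "sel", "index", "ti", "rpl", "null", "naive?", "conservative?");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t sel = samples[i];
        struct selector s = decode_selector(sel);
        printf("0x%04x %-5u %-2u %-3u %-4s %-10s %-12s\n",
               sel, s.index, s.ti, s.rpl,
               is_null_selector(sel) ? "yes" : "no",
               ss_needs_reload_naive(sel) ? "reload" : "keep",
               ss_needs_reload(sel) ? "reload" : "keep");
    }
    return 0;
}
```

The row for 0x0003 is the interesting one: it is a null selector, so a SYSRET on the affected AMD parts leaves SS with stale cached attributes, yet the zero-comparison keeps it while the __KERNEL_DS comparison reloads it.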