Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754608AbbGVEWy (ORCPT <rfc822;w@1wt.eu>);
	Wed, 22 Jul 2015 00:22:54 -0400
Received: from mail-lb0-f180.google.com ([209.85.217.180]:33663 "EHLO
	mail-lb0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752271AbbGVEWv (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 22 Jul 2015 00:22:51 -0400
MIME-Version: 1.0
In-Reply-To: <CAMzpN2ga7M4PFuc4W7bTdvzeFp+8Th3Uh-+OBPMjc=E6ucym8Q@mail.gmail.com>
References: <cover.1437508485.git.luto@kernel.org> <a000512a2baa2c4753971a7550747ca7cb5c62fa.1437508486.git.luto@kernel.org>
 <CAMzpN2g5BHZaEeW0SVuny_ReHKj=+s6BZW6-RGQRe6FeU8_3Ew@mail.gmail.com>
 <CALCETrW4o3Gq=yh54nD5d+n=HVS02c+WdcZ17yCUPhZfjtfSfA@mail.gmail.com> <CAMzpN2ga7M4PFuc4W7bTdvzeFp+8Th3Uh-+OBPMjc=E6ucym8Q@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 21 Jul 2015 21:22:30 -0700
Message-ID: <CALCETrVGZ0fN6uDHjjyuUDrx+rG8HgYaE4qEvVNww4QhhmOieQ@mail.gmail.com>
Subject: Re: [PATCH v2 1/3] x86/ldt: Make modify_ldt synchronous
To: Brian Gerst <brgerst@gmail.com>
Cc: Andy Lutomirski <luto@kernel.org>, Peter Zijlstra <peterz@infradead.org>,
        Steven Rostedt <rostedt@goodmis.org>,
        "security@kernel.org" <security@kernel.org>, X86 ML <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>, Sasha Levin <sasha.levin@oracle.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        stable <stable@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2211
Lines: 47

On Tue, Jul 21, 2015 at 7:53 PM, Brian Gerst <brgerst@gmail.com> wrote:
> On Tue, Jul 21, 2015 at 10:12 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Tue, Jul 21, 2015 at 7:01 PM, Brian Gerst <brgerst@gmail.com> wrote:
>>> On Tue, Jul 21, 2015 at 3:59 PM, Andy Lutomirski <luto@kernel.org> wrote:
>>>> modify_ldt has questionable locking and does not synchronize
>>>> threads.  Improve it: redesign the locking and synchronize all
>>>> threads' LDTs using an IPI on all modifications.
>>>
>>> What does this fix?  I can see sending an IPI if the LDT is
>>> reallocated, but on every update seems unnecessary.
>>>
>>
>> It prevents nastiness in which you're in user mode with an impossible
>> CS or SS, resulting in potentially interesting artifacts in
>> interrupts, NMIs, etc.
>
> By impossible, do you mean a partially updated descriptor when the
> interrupt occurs?  Would making sure that the descriptor is atomically
> updated (using set_64bit()) fix that?
>

I tried to exploit that once and didn't get very far.  If I could
cause the LDT to be populated one bit at a time, I think I could
materialize a call gate out of thin air.  The docs are unclear on
what, if anything, the memory ordering rules are.

I'm more concerned about the case where a segment register caches a
value that is no longer in the LDT.  If it's DS, ES, FS, or GS, it
results in nondeterministic behavior but is otherwise not a big deal.
If it's CS or SS, then an interrupt or exception will write a stack
frame with the selectors but IRET can fault.

If the interrupt is an NMI and certain other conditions are met and
your kernel is older than 4.2-rc3, then you should read the
CVE-2015-5157 advisory I'll send tomorrow :)  Even on 4.2-rc3, the NMI
code still struggles a bit if this happens.

With this patch, you can never be in user mode with CS or SS selectors
that point at the LDT but don't match the LDT.  That makes me a lot
more comfortable with modify_ldt.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/