Date: Wed, 11 Nov 2015 13:31:58 +0100
From: Borislav Petkov
To: LKML
Cc: Andy Lutomirski, "H. Peter Anvin", Ingo Molnar, Linus Torvalds, Peter Zijlstra, Thomas Gleixner
Subject: Re: [RFC PATCH] x86/cpu: Fix MSR value truncation issue
Message-ID: <20151111123158.GF22512@pd.tnic>
References: <1446226105-13384-1-git-send-email-bp@alien8.de>
In-Reply-To: <1446226105-13384-1-git-send-email-bp@alien8.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 30, 2015 at 06:28:25PM +0100, Borislav Petkov wrote:
> More specifically, MSR_STAR[31:0] is being set to 0. That field is
> reserved on Intel and on AMD it is 32-bit SYSCALL Target EIP.
>
> I'd strongly guess because Intel doesn't have SYSCALL in compat/legacy
> mode and we're using SYSENTER and INT80 there. And for compat syscalls
> in long mode we use CSTAR.

So I was wondering what would happen if I used SYSCALL on 32-bit AMD.

This is what happens on a normal system:

$ strace -f ./syscall
execve("./syscall", ["./syscall"], [/* 24 vars */]) = 0
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80480e8} ---
+++ killed by SIGILL +++
Illegal instruction

Wondering who causes the SIGILL and after some code staring, it is MSR
EFER.SCE which we don't enable on 32-bit.

And, because I like to cause fire (woahahahah... /me rubs hands and
laughs ominously), I went and toggled that bit.
Oh well, we bomb out, as expected:

BUG: sleeping function called from invalid context at /mnt/kernel/kernel/linux-2.6/arch/x86/mm/fault.c:1191
in_atomic(): 0, irqs_disabled(): 1, pid: 2567, name: syscall
1 lock held by syscall/2567:
 #0:  (&mm->mmap_sem){++++++}, at: [] __do_page_fault+0xf7/0x3f0
irq event stamp: 1812
hardirqs last  enabled at (1811): [] restore_all_notrace+0x0/0xe
hardirqs last disabled at (1812): [] error_code+0x31/0x3c
softirqs last  enabled at (988): [] __do_softirq+0x37b/0x440
softirqs last disabled at (965): [] do_softirq_own_stack+0x39/0x50
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
 00000000 00000000 bff53b20 c12fdfa2 00000000 bff53b48 c107a9bc c181aca4
 00000000 00000001 00000a07 f2cb3830 f2cb3500 00000000 00000000 bff53b7c
 c107aae6 f453f70c 00000001 bff53bd0 00000000 bff53b7c c109ee4d 00000001
Call Trace:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [<  (null)>]   (null)
*pdpt = 0000000032e0b001 *pde = 0000000000000000
Oops: 0010 [#1] PREEMPT SMP
Modules linked in: ipv6 usbhid kvm_amd rtsx_pci_sdmmc kvm mmc_core snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi pcspkr snd_hda_intel k10temp ohci_pci snd_hda_codec snd_hwdep snd_hda_core snd_pcm rtsx_pci mfd_core ohci_hcd battery snd_timer radeon thinkpad_acpi nvram ehci_pci ehci_hcd snd soundcore video ac button thermal
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
task: f2cb3500 ti: f2d74000 task.ti: f2d74000
EIP: 0000:[<00000000>] EFLAGS: 00010086 CPU: 1
EIP is at 0x0
EAX: 00000000 EBX: 00000000 ECX: 080480ea EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: bff53c1c ESP: bff53c0c
 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0008
CR0: 8005003b CR2: 00000000 CR3: 33af5900 CR4: 000006f0
Stack:
 00000000 00000000 00000000 00000000 00000000
 00000001 bff54df4 00000000 bff54dfe bff54e0c bff54e18 bff54e31 bff54e3c
 bff54e4c bff54e6e bff54e81 bff54e94 bff54e9e bff54eb2 bff54efe bff54f07
 bff54f18 bff54f20 bff54f2b
Call Trace:
Code: Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0008:bff53c0c
CR2: 0000000000000000
---[ end trace fa036c454007a131 ]---
PANIC: double fault, gdt at f7bb7000 [255 bytes]
double fault, tss at f7bbe9c0
eip = c104afc3, esp = bff539dc
eax = 00000000, ebx = f453f680, ecx = ffffffff, edx = f453f680
esi = ffffffff, edi = f453f680

Nice.

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
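Added example, not the ./syscall test program from the mail and not kernel code: a user-space probe that executes the SYSCALL instruction under a SIGILL handler instead of letting the kernel kill the process, so the outcome can be inspected. On a native 32-bit kernel the mail shows SYSCALL faulting with SIGILL (ILL_ILLOPN) because EFER.SCE is never set there; on an x86-64 kernel SYSCALL is the normal 64-bit entry, so the probe simply gets getpid()'s result back. The kernel-side EFER.SCE toggle that produced the oops above is deliberately not reproduced. The function and constant names (probe_syscall_insn, expected_syscall_result, PROBE_*) are this example's own, and expected_syscall_result assumes the binary runs on a kernel of its own bitness (a 32-bit binary under a 64-bit kernel is a different case that depends on the vendor).

```c
/* Added example: probe whether the SYSCALL instruction is usable from user
 * space. Not the ./syscall program from the mail; names are this example's own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

enum probe_result {
    PROBE_SYSCALL_OK = 0,      /* SYSCALL executed and returned our pid */
    PROBE_SYSCALL_SIGILL = 1,  /* SYSCALL raised #UD -> SIGILL, as on 32-bit */
    PROBE_NOT_X86 = 2          /* nothing to probe on this architecture */
};

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_si_code;

/* Record si_code (ILL_ILLOPN in the mail's strace) and unwind to the probe. */
static void sigill_handler(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    probe_si_code = si->si_code;
    siglongjmp(probe_env, 1);
}

/* Execute SYSCALL once with getpid's number in eax/rax. On x86-64 this is a
 * real getpid(2); on i386 the instruction is expected to #UD before the
 * register convention matters. */
static long run_syscall_insn(void)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret) : "0"((long)SYS_getpid)
                      : "rcx", "r11", "memory");
    return ret;
#elif defined(__i386__)
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret) : "0"((long)SYS_getpid)
                      : "ecx", "memory");
    return ret;
#else
    return -1;
#endif
}

/* Returns a probe_result value, or -1 on an unexpected failure. The SIGILL
 * handler is installed only for the duration of the probe and restored. */
int probe_syscall_insn(void)
{
#if !defined(__x86_64__) && !defined(__i386__)
    return PROBE_NOT_X86;
#else
    struct sigaction sa, old;
    volatile int result = -1;

    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = sigill_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, &old) != 0)
        return -1;

    probe_si_code = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        long pid = run_syscall_insn();
        result = (pid == (long)getpid()) ? PROBE_SYSCALL_OK : -1;
    } else {
        result = PROBE_SYSCALL_SIGILL;   /* landed here from the handler */
    }
    sigaction(SIGILL, &old, NULL);
    return result;
#endif
}

/* si_code delivered with the last SIGILL (0 if none). */
int probe_last_si_code(void)
{
    return (int)probe_si_code;
}

/* What this binary should observe on a kernel of its own bitness. */
int expected_syscall_result(void)
{
#if defined(__x86_64__)
    return PROBE_SYSCALL_OK;
#elif defined(__i386__)
    return PROBE_SYSCALL_SIGILL;   /* 32-bit kernels leave EFER.SCE clear */
#else
    return PROBE_NOT_X86;
#endif
}

int main(void)
{
    int r = probe_syscall_insn();
    printf("SYSCALL probe: %d (expected %d), si_code %d\n",
           r, expected_syscall_result(), probe_last_si_code());
    return r == expected_syscall_result() ? 0 : 1;
}
```

Build it as a 32-bit binary (gcc -m32) and run on a native 32-bit kernel to see the SIGILL path without the process being killed; the handler being restored afterwards is what makes the probe safe to call more than once.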