Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750949AbdGaEi4 (ORCPT ); Mon, 31 Jul 2017 00:38:56 -0400 Received: from mail-oi0-f42.google.com ([209.85.218.42]:35343 "EHLO mail-oi0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750739AbdGaEiz (ORCPT ); Mon, 31 Jul 2017 00:38:55 -0400 MIME-Version: 1.0 In-Reply-To: References: From: Linus Torvalds Date: Sun, 30 Jul 2017 21:38:54 -0700 X-Google-Sender-Auth: 7muoE3QqQPsuWQMiCkIq_DVAUfU Message-ID: Subject: Re: FSGSBASE ABI considerations To: Andy Lutomirski Cc: "Bae, Chang Seok" , X86 ML , "linux-kernel@vger.kernel.org" , Borislav Petkov , Brian Gerst , Stas Sergeev Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1615 Lines: 40 On Sun, Jul 30, 2017 at 8:05 PM, Andy Lutomirski wrote: > > This means that, when gdb saves away a regset and reloads it using > PTRACE_SETREGS or similar, the effect is to load gs_base and then load > gs. If gs != 0, this will blow away gs_base. Without FSGSBASE, this > doesn't matter so much. With FSGSBASE, it means that using gdb to do, > say, 'print func()' may corrupt gsbase. > > What, if anything, should we do about this? One option would be to > make gs_base be accurate all the time (it currently isn't) and teach > PTRACE_SETREGS to restore in the opposite order despite the struct > layout. I do not think that ordering should ever matter. If it does, it means that you've designed something. We already screwed that up with the msr interface, can we try to not do it again? Could we perhaps do something like: - every process starts out with CR4.FSGSBASE cleared - if we get an #UD due to the process using the {rd|wr}{gs|fs}base instructions, we enable FSGSBASE and mark the process as using those instructions. - once a process is marked as FSGSBASE, the kernel prioritizes FSGSBASE. We'll still save/restore the selector too, but every time we restore the selector, we will first do a rd*base, and then do a wr*base afterwards IOW, the "selector" ends up being meaningless after people have used fsgsbase. It is saved and restored as a _value_, but it has no effect what-so-ever on the actual base pointer. Yes, it's modal, but at least you don't end up in some situation where it matters whether you write the selector first or not. Hmm? Linus