From: Andy Lutomirski
Date: Tue, 20 Mar 2018 14:58:08 +0000
Subject: Re: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on paranoid_entry
To: "Chang S. Bae"
Cc: X86 ML, Andrew Lutomirski, Andi Kleen, "H. Peter Anvin", "Metzger, Markus T", Tony Luck, "Ravi V. Shankar", LKML, Dave Hansen

> On Mar 19, 2018, at 10:49 AM, Chang S. Bae wrote:
>
> When FSGSBASE is enabled, SWAPGS needs if and only if (current)
> GS base is not the kernel's.
>
> FSGSBASE instructions allow user to write any value on GS base;
> even negative. Sign check on the current GS base is not
> sufficient. Fortunately, reading GS base is fast. Kernel GS
> base is also known from the offset table with the CPU number.

The original version of these patches (mine and Andi’s) didn’t have this comparison, didn’t need RDMSR, and didn’t allow malicious user programs to cause the kernel to run decently large chunks of code with the reverse of the expected GS convention. Why did you change it?

I really really don't like having a corner case like this that can and will be triggered by malicious user code but that is hard to write a self-test for because it involves guessing a 64-bit magic number. Untestable corner cases in the x86 entry code are bad.
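
A toy model of the two checks discussed in this message, added here as an illustration and not code from the patch, the kernel, or either author. The addresses, the `entry_state` struct and all function names are constructed; it shows which entry states each check misclassifies, including the equal-to-kernel-base corner case the reply objects to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KBASE 0xffff888012340000ULL /* constructed per-CPU kernel GS base */

/* Constructed model of the state seen by a paranoid entry; not kernel code. */
struct entry_state {
    const char *what;
    uint64_t gs_base;   /* GS base active when the entry runs */
    bool user_gs_live;  /* ground truth: SWAPGS is needed iff this is true */
};

static const struct entry_state cases[] = {
    { "interrupted kernel code",          KBASE,                 false },
    { "user, ordinary GS base",           0x00007f0000001000ULL, true  },
    { "user, negative base via WRGSBASE", 0xffff800000001000ULL, true  },
    { "user, base equal to kernel's",     KBASE,                 true  },
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

/* Sign heuristic: treat a negative (kernel-half) base as the kernel's. */
static bool swapgs_by_sign(const struct entry_state *s)
{
    return (int64_t)s->gs_base >= 0;
}

/* Comparison from the quoted commit message: swap unless base == kernel's. */
static bool swapgs_by_compare(const struct entry_state *s)
{
    return s->gs_base != KBASE;
}

/* Bitmask of cases where the policy's decision differs from ground truth. */
static unsigned wrong_cases(bool (*policy)(const struct entry_state *))
{
    unsigned mask = 0;
    for (unsigned i = 0; i < NCASES; i++)
        if (policy(&cases[i]) != cases[i].user_gs_live)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("sign check wrong on mask 0x%x\n", wrong_cases(swapgs_by_sign));
    printf("comparison wrong on mask 0x%x\n", wrong_cases(swapgs_by_compare));
    for (unsigned i = 0; i < NCASES; i++)
        printf("case %u: %s\n", i, cases[i].what);
    return 0;
}
```

A set bit means the entry path would run with the reverse of the expected GS convention for that case; the comparison fixes case 2 but still leaves case 3, which a self-test can only hit by knowing the kernel's base.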