Received: by 10.213.65.68 with SMTP id h4csp160403imn; Wed, 21 Mar 2018 15:07:47 -0700 (PDT) X-Google-Smtp-Source: AG47ELtV2BbqHEtewd08vM63JRHEFTFJJDBfFJHwwVljglGS27b8P3smdb/3HRzImI2I91jtOTcu X-Received: by 10.98.72.10 with SMTP id v10mr18275138pfa.148.1521670067335; Wed, 21 Mar 2018 15:07:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521670067; cv=none; d=google.com; s=arc-20160816; b=XwNv38lyPy9Oc73SXM3hH7CWrJr3Y4yBtaS66BdqVCbwwF19s8S0/YueeADMW/4Hy7 U5AD1q2k7a0cFjG6ss1H2kSlffWhpuIomW61EFlDyTnDdJFtVzuYLtU16YpigppXUFi9 fjyfPL+Ng+z3XiNzyaveyDddjLaX/DNhi5pNgM9EIYzmCCE8gap33Ug8phuKNabjG31E lqbgpZaRT1q+r+pJo7Kqt+OqP1x25I793tVy7qiqB0VvdHkavuJKenKV3aHU5gZYEdsn uqDusvAxXhBBuk6k4btfgk6hcaLPt53Cf5KT3AJueVWxqB8vK77C81WX8g1Cry1m6aMT Q++w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=Uc/fvxsAzifcp0ekTGTgE2h6J9JZMydAlSSgqlAblAE=; b=fLsFnmPVFnDceASZsyoJeobcw+0XouxHaNwMG8tqBzVcqTlGZRw4ri1XVw+ucECVlp sTGEytCqReZF8WlRDxEeHzW2bW0xXaKn86N1+JjKSQ9uEhHiflsNCaWrGvDZZZX4XINy rEbKTRe/HpOmJ1aAX8Ez6BaDmauPX6gzi1uZr0h4EoJV7iODFmM3CH0O8QIyoHUZnoMg LR5cASWK+iKhdKCqbdoiZ1/TdTuJYqnXVz3dTfYegLLnyRIASHbPqOpW6lJ8pOJzqvmR 2uwaaDjDu2cXHwpxoQG4VhOg3QuFemHmF89zVVpRhYQJpxKIdFfFugoy9YmU/CtRz+gO 5z4g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e9-v6si4677984pln.439.2018.03.21.15.07.24; Wed, 21 Mar 2018 15:07:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753865AbeCUWFr (ORCPT + 99 others); Wed, 21 Mar 2018 18:05:47 -0400 Received: from terminus.zytor.com ([198.137.202.136]:54435 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753715AbeCUWFq (ORCPT ); Wed, 21 Mar 2018 18:05:46 -0400 Received: from hanvin-mobl2.amr.corp.intel.com (jfdmzpr05-ext.jf.intel.com [134.134.139.74]) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id w2LM3S5x021277 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 21 Mar 2018 15:03:29 -0700 Subject: Re: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on paranoid_entry To: Andy Lutomirski , "Chang S. Bae" Cc: X86 ML , Andi Kleen , "Metzger, Markus T" , Tony Luck , "Ravi V. Shankar" , LKML , Dave Hansen References: <1521481767-22113-1-git-send-email-chang.seok.bae@intel.com> <1521481767-22113-14-git-send-email-chang.seok.bae@intel.com> From: "H. Peter Anvin" Message-ID: Date: Wed, 21 Mar 2018 15:03:28 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/20/18 07:58, Andy Lutomirski wrote: >> On Mar 19, 2018, at 10:49 AM, Chang S. Bae wrote: >> >> When FSGSBASE is enabled, SWAPGS needs if and only if (current) >> GS base is not the kernel's. >> >> FSGSBASE instructions allow user to write any value on GS base; >> even negative. Sign check on the current GS base is not >> sufficient. Fortunately, reading GS base is fast. Kernel GS >> base is also known from the offset table with the CPU number. > > The original version of these patches (mine and Andi’s) didn’t have > this comparison, didn’t need RDMSR, and didn’t allow malicious user > programs to cause the kernel to run decently large chunks of code with > the reverse of the expected GS convention. Why did you change it? > > I really really don't like having a corner case like this that can and > will be triggered by malicious user code but that is hard to write a > self-test for because it involves guessing a 64-bit magic number. > Untestable corner cases in the x86 entry code are bad. > What corner case are you talking about? If user GS_BASE and kernel GS_BASE happen to be identical, then SWAPGS is a nop and it does not matter one iota which is is user space and which is kernel space. They are just numbers, and swapping one number with itself doesn't do anything (in fact, opcode 0x90 was used for NOP because it aliased to xchg [e]ax,[e]ax on pre-64-bit hardware.) As far as running "decently large chunks" this is *exactly* the same amount of code that is run on non-FSGSBASE hardware, so it Has To Work[TM] anyway. If anything this may help catch problems sooner. This minimizes the difference between the FSGSBASE and non-FSGSBASE flows, which I would consider a significant win. -hpa