Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp4577429ybg; Mon, 8 Jun 2020 11:19:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycOdM2JWeSg2kA21Ji5Iqc63xVM7AVz0d6hiKpa5y0+1FGy15rsXbbws0dMpuO8l43Ayu9 X-Received: by 2002:a17:906:6c98:: with SMTP id s24mr23016448ejr.438.1591640369675; Mon, 08 Jun 2020 11:19:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591640369; cv=none; d=google.com; s=arc-20160816; b=z6UrjMN5kEC6Wv6SOtTjxh3v8tLqL7nuw8vsn0M9ykgeD2OvrYfNOt0gmO41ZH1Flw 6WEc3kogFKGeDXoSdbKNw50UZor0nEVkQei0N+eE1Wy4jxaAQXz4zM4te45rYHinqBuy sGUKHH0+GTXkokEon4K/68o+OgNz7Kfgahgk48u69oyzzeMbcKJzlt8yVg3Sa3AuhVhp LgeZjzjaKGHer2P4i5hb428Q/uGz8mdL83daMxYBX6UZ9LwZG0HU0fOGI5qABUi7iP4x ijYfde0ymQq48qAbEZi6zyEKU4dnbkLrr9LKtNkgXzPIsgB2RXbeqcxy8LalrO0qdj+G TJxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=fIpP7gLteBD475nc1hFkkH/GDrIhfTqrr/+tJZRRidU=; b=xW1bgLZqZsrp2QZhCIajaVy27spOo5zwEabDENwrrAUhBOXVfnzeCf6xO1t8HJf538 fLdsM7XxUlJY1WHPdvn6f20VqouodRujsMU+WacAPiNlEZT4rJeTg9DvhT2ZqCw0lhs3 e/ptBUkg5PJJJohfC4cvtVdbIUH/9Up5KjX/41/YRWEHoR0K90DKX4OM99qoLISvA2DO x6cKb8qaGpqqVfOOPEeb6FLPIM/zOrCIq7BGWZXZPQZF076JM+8YsBCwoTm3lTRF4843 uNOH5a8qn+wiuNP57bpL5iAMG9Icc8lr1l7Xa5CFPT6gvjaQQx4SUcQATk297cyUx7JN ASbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail (test mode) header.i=@codeweavers.com header.s=6377696661 header.b=MosJ9qJx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g23si9419830eds.168.2020.06.08.11.19.05; Mon, 08 Jun 2020 11:19:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail (test mode) header.i=@codeweavers.com header.s=6377696661 header.b=MosJ9qJx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726030AbgFHSNz (ORCPT + 99 others); Mon, 8 Jun 2020 14:13:55 -0400 Received: from mail.codeweavers.com ([50.203.203.244]:36476 "EHLO mail.codeweavers.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725283AbgFHSNx (ORCPT ); Mon, 8 Jun 2020 14:13:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codeweavers.com; s=6377696661; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=fIpP7gLteBD475nc1hFkkH/GDrIhfTqrr/+tJZRRidU=; b=MosJ9qJx93qJn0vlYUyPHcDcb sgFEJO/6dThadfP/Jmgt/L3OTZBSlGgu64pAWLcFOAdoI+7J3b/W2Flzqua5XwjpDsEspBxr+/uzQ RHw2G2MQVfblxNt2LuP+Tg+o1TBcQe+49ewifJHZxY7pzQnAGavjj9CJJFiW0qWEM3MnE=; Received: from cpe-107-184-2-226.socal.res.rr.com ([107.184.2.226] helo=[192.168.2.117]) by mail.codeweavers.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jiMHL-0008Ep-25; Mon, 08 Jun 2020 13:13:49 -0500 Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\)) Subject: Re: [PATCH] x86/umip: Add emulation/spoofing for SLDT and STR instructions From: Brendan Shanks In-Reply-To: <20200605224231.GA7466@ranerica-svr.sc.intel.com> Date: Mon, 8 Jun 2020 11:13:44 -0700 Cc: Andy Lutomirski , LKML , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , "Eric W. Biederman" , Andreas Rammhold , "Moger, Babu" Content-Transfer-Encoding: quoted-printable Message-Id: <44E6353E-FFC1-4414-A5D7-2EF249A090BE@codeweavers.com> References: <20200602184212.10813-1-bshanks@codeweavers.com> <20200604001243.GA24742@ranerica-svr.sc.intel.com> <20200605224231.GA7466@ranerica-svr.sc.intel.com> To: Ricardo Neri X-Mailer: Apple Mail (2.3445.104.14) X-Spam-Score: -25.8 X-Spam-Report: Spam detection software, running on the system "mail.codeweavers.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: > On Jun 5, 2020, at 3:42 PM, Ricardo Neri wrote: > > On Fri, Jun 05, 2020 at 11:58:13AM -0700, Brendan Shanks wrote: >> >>> On Jun 3, 2020, at 9:39 PM, Andy Lu [...] Content analysis details: (-25.8 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -20 USER_IN_WHITELIST From: address is in the user's white-list -6.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.7 AWL AWL: Adjusted score from AWL reputation of From: address Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Jun 5, 2020, at 3:42 PM, Ricardo Neri = wrote: >=20 > On Fri, Jun 05, 2020 at 11:58:13AM -0700, Brendan Shanks wrote: >>=20 >>> On Jun 3, 2020, at 9:39 PM, Andy Lutomirski = wrote: >>>=20 >>> On Wed, Jun 3, 2020 at 5:12 PM Ricardo Neri >>> > wrote: >>>>=20 >>>> On Tue, Jun 02, 2020 at 11:42:12AM -0700, Brendan Shanks wrote: >>>>> Add emulation/spoofing of SLDT and STR for both 32- and 64-bit >>>>> processes. >>>>>=20 >>>>> Wine users have found a small number of Windows apps using SLDT = that >>>>> were crashing when run on UMIP-enabled systems. >>>>>=20 >>>>> Reported-by: Andreas Rammhold >>>>> Originally-by: Ricardo Neri = >>>>> Signed-off-by: Brendan Shanks >>>>> --- >>>>> arch/x86/kernel/umip.c | 23 ++++++++++++++--------- >>>>> 1 file changed, 14 insertions(+), 9 deletions(-) >>>>>=20 >>>>> diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c >>>>> index 8d5cbe1bbb3b..59dfceac5cc0 100644 >>>>> --- a/arch/x86/kernel/umip.c >>>>> +++ b/arch/x86/kernel/umip.c >>>>> @@ -64,6 +64,8 @@ >>>>> #define UMIP_DUMMY_GDT_BASE 0xfffffffffffe0000ULL >>>>> #define UMIP_DUMMY_IDT_BASE 0xffffffffffff0000ULL >>>>>=20 >>>>> +#define UMIP_DUMMY_TASK_REGISTER_SELECTOR 0x40 >>>>> + >>>>> /* >>>>> * The SGDT and SIDT instructions store the contents of the global = descriptor >>>>> * table and interrupt table registers, respectively. The = destination is a >>>>> @@ -244,16 +246,24 @@ static int emulate_umip_insn(struct insn = *insn, int umip_inst, >>>>> *data_size +=3D UMIP_GDT_IDT_LIMIT_SIZE; >>>>> memcpy(data, &dummy_limit, UMIP_GDT_IDT_LIMIT_SIZE); >>>>>=20 >>>>> - } else if (umip_inst =3D=3D UMIP_INST_SMSW) { >>>>> - unsigned long dummy_value =3D CR0_STATE; >>>>> + } else if (umip_inst =3D=3D UMIP_INST_SMSW || umip_inst =3D=3D= UMIP_INST_SLDT || >>>>> + umip_inst =3D=3D UMIP_INST_STR) { >>>>> + unsigned long dummy_value; >>>>> + >>>>> + if (umip_inst =3D=3D UMIP_INST_SMSW) >>>>> + dummy_value =3D CR0_STATE; >>>>> + else if (umip_inst =3D=3D UMIP_INST_STR) >>>>> + dummy_value =3D = UMIP_DUMMY_TASK_REGISTER_SELECTOR; >>>>> + else >>>>> + dummy_value =3D 0; >>>>=20 >>>> Perhaps you can return a non-zero value for SLDT if it has an LDT, = as >>>> Andy had suggested. Maybe this can be implemented by looking at >>>> current->mm->context.ldt >>>>=20 >>>> I guess the non-zero value can be (GDT_ENTRY_LDT*8). >>>=20 >>> You could probably even get away with always returning a nonzero >>> value. After all, an empty LDT is quite similar to no LDT. >>=20 >>=20 >> Is something like this what you both had in mind? >=20 >> I don=E2=80=99t have any software handy to test the LDT-present case = though. >=20 > Perhaps you can insert a test in the kernel selftest. Something like > this (based on Andreas' test program): >=20 > --- a/tools/testing/selftests/x86/ldt_gdt.c > +++ b/tools/testing/selftests/x86/ldt_gdt.c > @@ -220,12 +220,23 @@ static void install_invalid(const struct = user_desc *desc, bool oldmode) > } > } >=20 > +unsigned long test(void) > +{ > + unsigned char ldtr[5] =3D "\xef\xbe\xad\xde"; > + unsigned long ldt =3D 0; > + asm("sldt %0\n" : "=3Dm" (ldtr)); > + ldt =3D *((unsigned long *)&ldtr[0]); > + printf ("LDT base: 0x%lx\n", ldt); > + return (ldt); > +} > + > static int safe_modify_ldt(int func, struct user_desc *ptr, > unsigned long bytecount) > { > int ret =3D syscall(SYS_modify_ldt, 0x11, ptr, bytecount); > if (ret < -1) > errno =3D -ret; > + test(); > return ret; > } Thanks for the tip, I gave that a try and got the same results under = UMIP and a non-UMIP system. I=E2=80=99ll send this next version of the = patch out. Brendan Shanks CodeWeavers