From: Greg KH <gregkh@linuxfoundation.org>
To: Andi Kleen <andi@firstfloor.org>
Cc: x86@kernel.org, keescook@chromium.org,
linux-kernel@vger.kernel.org, sashal@kernel.org,
Andi Kleen <ak@linux.intel.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v1] x86: Pin cr4 FSGSBASE
Date: Tue, 26 May 2020 08:56:18 +0200 [thread overview]
Message-ID: <20200526065618.GC2580410@kroah.com> (raw)
In-Reply-To: <20200526052848.605423-1-andi@firstfloor.org>
On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
> From: Andi Kleen <ak@linux.intel.com>
>
> Since there seem to be kernel modules floating around that set
> FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
> CR4 pinning just checks that bits are set, this also checks
> that the FSGSBASE bit is not set, and if it is clears it again.
So we are trying to "protect" ourselves from broken out-of-tree kernel
modules now? Why stop with this type of check, why not just forbid them
entirely if we don't trust them? :)
> Note this patch will need to be undone when the full FSGSBASE
> patches are merged. But it's a reasonable solution for v5.2+
> stable at least. Sadly the older kernels don't have the necessary
> infrastructure for this (although a simpler version of this
> could be added there too)
>
> Cc: stable@vger.kernel.org # v5.2+
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> ---
> arch/x86/kernel/cpu/common.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index bed0cb83fe24..1f5b7871ae9a 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -385,6 +385,11 @@ void native_write_cr4(unsigned long val)
> /* Warn after we've set the missing bits. */
> WARN_ONCE(bits_missing, "CR4 bits went missing: %lx!?\n",
> bits_missing);
> + if (val & X86_CR4_FSGSBASE) {
> + WARN_ONCE(1, "CR4 unexpectedly set FSGSBASE!?\n");
Like this will actually be noticed by anyone who calls this? What is a
user supposed to do about this?
What about those systems that panic-on-warn?
> + val &= ~X86_CR4_FSGSBASE;
So you just prevented them from setting this, thereby fixing up their
broken code that will never be fixed because you did this? Why do this?
thanks,
greg k-h
next prev parent reply other threads:[~2020-05-26 6:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-26 5:28 [PATCH v1] x86: Pin cr4 FSGSBASE Andi Kleen
2020-05-26 6:56 ` Greg KH [this message]
2020-05-26 7:57 ` Peter Zijlstra
2020-05-26 8:17 ` Greg KH
2020-05-26 9:17 ` Peter Zijlstra
2020-05-26 10:16 ` Greg KH
2020-05-26 15:48 ` Andi Kleen
2020-05-26 16:20 ` Kees Cook
2020-05-26 16:32 ` Greg KH
2020-05-26 17:24 ` Wojtek Porczyk
2020-05-27 7:07 ` Greg KH
2020-05-27 10:58 ` Wojtek Porczyk
2020-05-26 16:15 ` Kees Cook
2020-05-26 21:16 ` Greg KH
2020-05-26 16:38 ` Kees Cook
2020-05-26 23:14 ` Andi Kleen
2020-05-27 10:31 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200526065618.GC2580410@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=ak@linux.intel.com \
--cc=andi@firstfloor.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).