From: Linus Torvalds <torvalds@linux-foundation.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: "Bae, Chang Seok" <chang.seok.bae@intel.com>,
X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Borislav Petkov <bpetkov@suse.de>,
Brian Gerst <brgerst@gmail.com>, Stas Sergeev <stsp@list.ru>
Subject: Re: FSGSBASE ABI considerations
Date: Sun, 30 Jul 2017 21:38:54 -0700 [thread overview]
Message-ID: <CA+55aFzDnDi26qcP67ZwH8VU380VioW1kvpw5ntH-Rgj_T+CJQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrVSm9tLiHKf-BKaYknEfko1bd_2i+4U7cqELG5iiFDygg@mail.gmail.com>
On Sun, Jul 30, 2017 at 8:05 PM, Andy Lutomirski <luto@kernel.org> wrote:
>
> This means that, when gdb saves away a regset and reloads it using
> PTRACE_SETREGS or similar, the effect is to load gs_base and then load
> gs. If gs != 0, this will blow away gs_base. Without FSGSBASE, this
> doesn't matter so much. With FSGSBASE, it means that using gdb to do,
> say, 'print func()' may corrupt gsbase.
>
> What, if anything, should we do about this? One option would be to
> make gs_base be accurate all the time (it currently isn't) and teach
> PTRACE_SETREGS to restore in the opposite order despite the struct
> layout.
I do not think that ordering should ever matter. If it does, it means
that you've designed something. We already screwed that up with the
msr interface, can we try to not do it again?
Could we perhaps do something like:
- every process starts out with CR4.FSGSBASE cleared
- if we get an #UD due to the process using the {rd|wr}{gs|fs}base
instructions, we enable FSGSBASE and mark the process as using those
instructions.
- once a process is marked as FSGSBASE, the kernel prioritizes
FSGSBASE. We'll still save/restore the selector too, but every time we
restore the selector, we will first do a rd*base, and then do a
wr*base afterwards
IOW, the "selector" ends up being meaningless after people have used
fsgsbase. It is saved and restored as a _value_, but it has no effect
what-so-ever on the actual base pointer.
Yes, it's modal, but at least you don't end up in some situation where
it matters whether you write the selector first or not.
Hmm?
Linus
next prev parent reply other threads:[~2017-07-31 4:38 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-31 3:05 FSGSBASE ABI considerations Andy Lutomirski
2017-07-31 4:38 ` Linus Torvalds [this message]
2017-07-31 14:14 ` Andy Lutomirski
2017-07-31 10:55 ` Kirill A. Shutemov
2017-07-31 14:16 ` Andy Lutomirski
2017-07-31 21:23 ` Bae, Chang Seok
2017-08-07 16:14 ` Andy Lutomirski
2017-08-07 8:06 ` Stas Sergeev
2017-08-07 16:20 ` Andy Lutomirski
2017-08-07 16:49 ` Christopher Lameter
2017-08-07 17:35 ` Linus Torvalds
2017-08-07 19:07 ` Andy Lutomirski
2017-08-07 21:32 ` Stas Sergeev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+55aFzDnDi26qcP67ZwH8VU380VioW1kvpw5ntH-Rgj_T+CJQ@mail.gmail.com \
--to=torvalds@linux-foundation.org \
--cc=bpetkov@suse.de \
--cc=brgerst@gmail.com \
--cc=chang.seok.bae@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=stsp@list.ru \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).