From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Brian Gerst <brgerst@gmail.com>
Cc: Michal Luczaj <mhal@rbox.co>,
x86@kernel.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, shuah@kernel.org,
luto@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/2] x86: UMIP emulation leaking kernel addresses
Date: Sat, 9 Dec 2023 12:08:30 -0800 [thread overview]
Message-ID: <CAHk-=wiB2FSWb0HxgzHGJKaDRCaJ6tGSc0OVvodAiZ_QU=05NQ@mail.gmail.com> (raw)
In-Reply-To: <CAMzpN2jcEGBcEKbNjwMJ+VCMc-_N1GcpVkGgAhy=XzomJP-Ogw@mail.gmail.com>
On Sat, 9 Dec 2023 at 09:16, Brian Gerst <brgerst@gmail.com> wrote:
>
> A different way to plug this is to harden ptrace (and sigreturn) to
> verify that the segments are code or data type segments instead of
> relying on an IRET fault.
I think that is likely a good idea regardless of this particular issue.
And I don't think you need to even check the segment for any kind of
validity - all you need to check that it's a valid selector.
And we *kind* of do that already, with the x86 ptrace code checking
static inline bool invalid_selector(u16 value)
{
return unlikely(value != 0 && (value & SEGMENT_RPL_MASK) != USER_RPL);
}
but the thing is, I think we could limit that a lot more.
I think the only valid GDT entries are 0-15 (that includes the default
kernel segments, but they don't contain anything interesting), so we
could tighten that selector check to say that it has to be either a
LDT entry or a selector < 15.
So add some kind of requirement for "(value & 4) || (value < 8*16)", perhaps?
Linus
prev parent reply other threads:[~2023-12-09 20:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-06 0:43 [PATCH 0/2] x86: UMIP emulation leaking kernel addresses Michal Luczaj
2023-12-06 0:43 ` [PATCH 1/2] x86/traps: Attempt UMIP fixup only on #GP(0) Michal Luczaj
2023-12-06 0:43 ` [PATCH 2/2] selftests/x86: UMIP DPL=0 segment base address info leak test Michal Luczaj
2023-12-09 15:53 ` [PATCH 0/2] x86: UMIP emulation leaking kernel addresses Borislav Petkov
2023-12-10 17:08 ` Michal Luczaj
2023-12-09 17:16 ` Brian Gerst
2023-12-09 20:08 ` Linus Torvalds [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wiB2FSWb0HxgzHGJKaDRCaJ6tGSc0OVvodAiZ_QU=05NQ@mail.gmail.com' \
--to=torvalds@linuxfoundation.org \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhal@rbox.co \
--cc=mingo@redhat.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).