Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/ia32: Leave NULL selector values 0~3 unchanged

The first GDT descriptor is reserved as 'NULL descriptor'. As bits 0
and 1 of a segment selector, i.e., the RPL bits, are NOT used to index
GDT, selector values 0~3 all point to the NULL descriptor, thus values
0, 1, 2 and 3 are all valid NULL selector values.

When a NULL selector value is to be loaded into a segment register,
reload_segments() sets its RPL bits. Later IRET zeros ES, FS, GS, and
DS segment registers if any of them is found to have any nonzero NULL
selector value. The two operations offset each other to actually effect
a nop.

Besides, zeroing of RPL in NULL selector values is an information leak
in pre-FRED systems as userspace can spot any interrupt/exception by
loading a nonzero NULL selector, and waiting for it to become zero.
But there is nothing software can do to prevent it before FRED.

ERETU, the only legit instruction to return to userspace from kernel
under FRED, by design does NOT zero any segment register to avoid this
problem behavior.

As such, leave NULL selector values 0~3 unchanged and close the leak.

Do the same on the 32-bit kernel as well.

Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20241126184529.1607334-1-xin@zytor.com

Authored by Xin Li (Intel), committed by Ingo Molnar
ad546940 18cdd90a

+43 -19
arch/x86/kernel/signal_32.c
··· 33 33 #include <asm/smap.h> 34 34 #include <asm/gsseg.h> 35 35 36 + /* 37 + * The first GDT descriptor is reserved as 'NULL descriptor'. As bits 0 38 + * and 1 of a segment selector, i.e., the RPL bits, are NOT used to index 39 + * GDT, selector values 0~3 all point to the NULL descriptor, thus values 40 + * 0, 1, 2 and 3 are all valid NULL selector values. 41 + * 42 + * However IRET zeros ES, FS, GS, and DS segment registers if any of them 43 + * is found to have any nonzero NULL selector value, which can be used by 44 + * userspace in pre-FRED systems to spot any interrupt/exception by loading 45 + * a nonzero NULL selector and waiting for it to become zero. Before FRED 46 + * there was nothing software could do to prevent such an information leak. 47 + * 48 + * ERETU, the only legit instruction to return to userspace from kernel 49 + * under FRED, by design does NOT zero any segment register to avoid this 50 + * problem behavior. 51 + * 52 + * As such, leave NULL selector values 0~3 unchanged. 53 + */ 54 + static inline u16 fixup_rpl(u16 sel) 55 + { 56 + return sel <= 3 ? sel : sel | 3; 57 + } 58 + 36 59 #ifdef CONFIG_IA32_EMULATION 37 60 #include <asm/unistd_32_ia32.h> 38 61 39 62 static inline void reload_segments(struct sigcontext_32 *sc) 40 63 { 41 - unsigned int cur; 64 + u16 cur; 42 65 66 + /* 67 + * Reload fs and gs if they have changed in the signal 68 + * handler. This does not handle long fs/gs base changes in 69 + * the handler, but does not clobber them at least in the 70 + * normal case. 
71 + */ 43 72 savesegment(gs, cur); 44 - if ((sc->gs | 0x03) != cur) 45 - load_gs_index(sc->gs | 0x03); 73 + if (fixup_rpl(sc->gs) != cur) 74 + load_gs_index(fixup_rpl(sc->gs)); 46 75 savesegment(fs, cur); 47 - if ((sc->fs | 0x03) != cur) 48 - loadsegment(fs, sc->fs | 0x03); 76 + if (fixup_rpl(sc->fs) != cur) 77 + loadsegment(fs, fixup_rpl(sc->fs)); 78 + 49 79 savesegment(ds, cur); 50 - if ((sc->ds | 0x03) != cur) 51 - loadsegment(ds, sc->ds | 0x03); 80 + if (fixup_rpl(sc->ds) != cur) 81 + loadsegment(ds, fixup_rpl(sc->ds)); 52 82 savesegment(es, cur); 53 - if ((sc->es | 0x03) != cur) 54 - loadsegment(es, sc->es | 0x03); 83 + if (fixup_rpl(sc->es) != cur) 84 + loadsegment(es, fixup_rpl(sc->es)); 55 85 } 56 86 57 87 #define sigset32_t compat_sigset_t ··· 135 105 regs->orig_ax = -1; 136 106 137 107 #ifdef CONFIG_IA32_EMULATION 138 - /* 139 - * Reload fs and gs if they have changed in the signal 140 - * handler. This does not handle long fs/gs base changes in 141 - * the handler, but does not clobber them at least in the 142 - * normal case. 143 - */ 144 108 reload_segments(&sc); 145 109 #else 146 - loadsegment(gs, sc.gs); 147 - regs->fs = sc.fs; 148 - regs->es = sc.es; 149 - regs->ds = sc.ds; 110 + loadsegment(gs, fixup_rpl(sc.gs)); 111 + regs->fs = fixup_rpl(sc.fs); 112 + regs->es = fixup_rpl(sc.es); 113 + regs->ds = fixup_rpl(sc.ds); 150 114 #endif 151 115 152 116 return fpu__restore_sig(compat_ptr(sc.fpstate), 1);
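Review bot: the comment above fixup_rpl() explains why 0~3 are passed through, but not why every other value still gets `| 3`; the sigcontext is user-supplied, so a selector that indexes a real descriptor must keep RPL forced to 3 so it is loaded with user privilege, and one closing sentence stating that would record the invariant the function preserves. Two smaller points in reload_segments(): each of the four blocks calls fixup_rpl() twice (once in the compare, once in the load), so `u16 sel = fixup_rpl(sc->gs); if (sel != cur) load_gs_index(sel);` would read more clearly, and the comment moved into the function still speaks only of fs and gs although the function also reloads ds and es.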
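Review bot: in the `#else` (native 32-bit) branch the old code stored sc.fs, sc.es and sc.ds into regs and loaded sc.gs with no masking at all, so this hunk changes more than "leave NULL selector values 0~3 unchanged": it newly forces RPL to 3 on every non-NULL selector taken from the 32-bit sigcontext, which is visible to userspace for a selector with a nonzero index and RPL 0~2 (e.g. 0x04 is now loaded as 0x07). The commit message's "Do the same on 32-bit kernel as well" should spell this out, and the 32-bit entry code's own segment-restore path should be checked against the RPL-3 value so the two paths agree.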
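An added model of the fix-up, written for this page and not taken from the kernel: it reproduces the three variants visible in the diff (the ia32 compat path's unconditional `| 0x03`, the 32-bit path's untouched value, and the new fixup_rpl()), applies the IRET/ERETU rule from the commit message to what userspace reads back after sigreturn, and checks exhaustively over all 65536 selector values that the kernel only ever loads a NULL selector or one with RPL 3. raw_fixup(), old_fixup(), new_fixup() and seen_by_user() are this example's names; 0x2b is assumed to be x86-64 __USER_DS for the sample table.

```c
/*
 * Added example, not kernel code: models what the patch does to a selector
 * taken from a user-supplied sigcontext and checks, over all 65536 16-bit
 * values, the property a reviewer wants from fixup_rpl(): the kernel loads
 * either a NULL selector (GDT index 0, i.e. 0~3) or a selector whose RPL
 * is 3. seen_by_user() models only the NULL-selector rule from the commit
 * message (IRET zeroes a nonzero NULL selector, ERETU leaves it alone).
 * 0x2b is x86-64 __USER_DS (assumption, used only for the printed table).
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SEL_RPL(s)   ((s) & 3)
#define SEL_TI(s)    (((s) >> 2) & 1)     /* 0 = GDT, 1 = LDT */
#define SEL_INDEX(s) ((s) >> 3)

/* NULL selector: GDT entry 0; the RPL bits take no part in the lookup. */
static bool is_null_selector(uint16_t s)
{
    return SEL_TI(s) == 0 && SEL_INDEX(s) == 0;     /* exactly 0, 1, 2, 3 */
}

/* 32-bit path before the patch: regs->fs = sc.fs, value taken as-is. */
uint16_t raw_fixup(uint16_t s) { return s; }

/* ia32 compat path before the patch: sc->fs | 0x03 for every value. */
uint16_t old_fixup(uint16_t s) { return s | 3; }

/* Both paths after the patch: the diff's fixup_rpl(). */
uint16_t new_fixup(uint16_t s) { return s <= 3 ? s : s | 3; }

/* What userspace reads back once the kernel returns with `loaded` in DS/ES/FS/GS. */
uint16_t seen_by_user(uint16_t loaded, bool fred)
{
    if (!fred && is_null_selector(loaded))
        return 0;                 /* pre-FRED IRET zeroes a nonzero NULL selector */
    return loaded;                /* ERETU keeps the register as loaded */
}

/* Selector the interrupted code sees after sigreturn for a given sigcontext value. */
uint16_t sigreturn_observed(uint16_t sc_sel, bool fred,
                            uint16_t (*fixup)(uint16_t))
{
    return seen_by_user(fixup(sc_sel), fred);
}

/* Sigcontext values that a fix-up turns into a non-NULL selector with RPL < 3. */
int count_rpl_below_3(uint16_t (*fixup)(uint16_t))
{
    int bad = 0;
    for (unsigned s = 0; s <= 0xffff; s++) {
        uint16_t loaded = fixup((uint16_t)s);
        if (!is_null_selector(loaded) && SEL_RPL(loaded) != 3)
            bad++;
    }
    return bad;
}

/* Number of values for which old_fixup() and new_fixup() disagree. */
int count_changed(void)
{
    int n = 0;
    for (unsigned s = 0; s <= 0xffff; s++)
        if (old_fixup((uint16_t)s) != new_fixup((uint16_t)s))
            n++;
    return n;                     /* 0, 1 and 2: formerly forced to 3 */
}

int main(void)
{
    static const uint16_t samples[] = { 0, 1, 2, 3, 4, 0x2b };
    printf("non-NULL selectors loaded with RPL<3: old %d, new %d, raw %d\n",
           count_rpl_below_3(old_fixup), count_rpl_below_3(new_fixup),
           count_rpl_below_3(raw_fixup));
    printf("old and new differ for %d values\n", count_changed());
    printf("sc sel   old/IRET old/ERETU new/IRET new/ERETU\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t s = samples[i];
        printf("0x%04x   0x%04x   0x%04x    0x%04x   0x%04x\n", s,
               sigreturn_observed(s, false, old_fixup),
               sigreturn_observed(s, true,  old_fixup),
               sigreturn_observed(s, false, new_fixup),
               sigreturn_observed(s, true,  new_fixup));
    }
    return 0;
}
```

Two rows of the table carry the point of the patch: for sigcontext value 1, old and new code both give 0 on a pre-FRED kernel (the "nop" the commit message describes), but under ERETU the old code hands back 3 where the new code preserves 1. Value 4 (TI set, LDT entry 0) is not a NULL selector and is still forced to 7 by both, which is why the check is `sel <= 3` and not "index zero".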