On Thu, Aug 13, 2015 at 2:49 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Thu, Aug 13, 2015 at 2:41 PM, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>> On Thu, Aug 13, 2015 at 2:26 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>>
>>> VERW is no good, because it considers non-present segments to be
>>> writable.  Test cases for the win!
>>
>> Seriously?  That's crazy.  I don't think I've actually ever used VERW,
>> but the documentation certainly says that the segment has to be
>> writable, and I quote
>>
>>   "The validation performed is the same as is performed when a segment
>>   selector is loaded into the DS, ES, FS, or GS register, and the
>>   indicated access (read or write) is performed"
>>
>> which damn well shouldn't work for non-present segments.  Odd.
>>
>
> I can try to come up with a self-contained test case, but I'm
> reasonably confident that I did it right and that I sprinkled the
> right printks around.

The SDM pseudocode, the APM's description:

    A segment is writable if all of the following apply:
    - the selector is not a null selector.
    - the descriptor is within the GDT or LDT limit.
    - the segment is a writable data segment.
    - the descriptor DPL is greater than or equal to both the CPL and RPL.

and the SDM's bullet points:

    To set the ZF flag, the following conditions must be met:
    - The segment selector is not NULL.
    - The selector must denote a descriptor within the bounds of the
      descriptor table (GDT or LDT).
    - The selector must denote the descriptor of a code or data segment
      (not that of a system segment or gate).
    - For the VERR instruction, the segment must be readable.
    - For the VERW instruction, the segment must be a writable data segment.
    - If the segment is not a conforming code segment, the segment's DPL
      must be greater than...

all seem to suggest that P isn't checked.
If I quote a bit farther than you did:

    The validation performed is the same as is performed when a segment
    selector is loaded into the DS, ES, FS, or GS register, and the
    indicated access (read or write) is performed.  The segment selector's
    value cannot result in a protection exception, enabling the software
    to anticipate possible segment access problems.

I think the idea is that VERW is supposed to check protection but not
presence, the idea being that a hypothetical non-paged segmented OS would
swap out a segment and mark it not-present, and the resulting failure
would be #NP, which isn't a "protection exception".

Did anyone ever write an OS that used this stuff?  The Internet suggests
that OS/2 1.0 on the 286 supported swapping, so I bet it actually used
this mechanism, and woe unto any user (ahem, ring 1-3) app that used LAR,
checked the present bit, and blew up when a segment was paged out.

--Andy
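An added example, not part of this thread and not kernel code: a C model of the VERR/VERW condition list exactly as the SDM and APM text above spells it out, followed by the corresponding DS/ES/FS/GS load so that the gap between "#GP would fire" and "#NP would fire" is visible. The 8-byte descriptor encoding is the standard legacy layout; the `desc_table` structure, the function names, and the sample GDT are assumptions made for the example, and the block models the documented rules in software rather than executing the instructions. It also covers VERR, which the thread only mentions in passing, because the two instructions share every check but the access kind.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of a descriptor table as loaded by LGDT/LLDT: raw 8-byte
 * descriptors plus the byte limit (table size minus one).
 * Hypothetical structure, not from any kernel. */
struct desc_table {
    const uint64_t *descs;
    uint32_t limit;
};

enum verify_mode { VERIFY_READ, VERIFY_WRITE };    /* VERR vs VERW */
enum load_outcome { LOAD_OK, LOAD_GP, LOAD_NP };

/* Field accessors for the legacy 8-byte segment descriptor encoding. */
static bool     desc_s_bit(uint64_t d)   { return (d >> 44) & 1; } /* 1 = code/data */
static bool     desc_present(uint64_t d) { return (d >> 47) & 1; } /* P */
static unsigned desc_dpl(uint64_t d)     { return (d >> 45) & 3; }
static bool     desc_is_code(uint64_t d) { return (d >> 43) & 1; } /* type bit 3 */
static bool     desc_rw_bit(uint64_t d)  { return (d >> 41) & 1; } /* W (data) / R (code) */
static bool     desc_ce_bit(uint64_t d)  { return (d >> 42) & 1; } /* C (code) / E (data) */

/* Build a descriptor from its parts. Base and limit are encoded only to
 * keep the layout realistic; the verify logic never looks at them. */
uint64_t make_desc(uint32_t base, uint32_t limit, unsigned type,
                   bool code_or_data, unsigned dpl, bool present)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFFu);
    d |= (uint64_t)(base & 0xFFFFFFu) << 16;
    d |= (uint64_t)(type & 0xFu) << 40;
    d |= (uint64_t)(code_or_data ? 1 : 0) << 44;
    d |= (uint64_t)(dpl & 3u) << 45;
    d |= (uint64_t)(present ? 1 : 0) << 47;
    d |= (uint64_t)((limit >> 16) & 0xFu) << 48;
    d |= (uint64_t)(base >> 24) << 56;
    return d;
}

/* The documented VERR/VERW condition list; returns the value ZF would get.
 * Note what is absent: the P bit is never read. */
bool verify_segment(const struct desc_table *gdt, const struct desc_table *ldt,
                    uint16_t selector, unsigned cpl, enum verify_mode mode)
{
    if ((selector & ~3u) == 0)                       /* null selector */
        return false;
    const struct desc_table *t = (selector & 4) ? ldt : gdt;
    uint32_t index = selector >> 3;
    unsigned rpl = selector & 3;
    if (t == NULL || index * 8 + 7 > t->limit)       /* outside GDT/LDT limit */
        return false;
    uint64_t d = t->descs[index];
    if (!desc_s_bit(d))                              /* system segment or gate */
        return false;
    if (mode == VERIFY_WRITE) {                      /* must be writable data */
        if (desc_is_code(d) || !desc_rw_bit(d))
            return false;
    } else {                                         /* data is always readable, code needs R */
        if (desc_is_code(d) && !desc_rw_bit(d))
            return false;
    }
    bool conforming = desc_is_code(d) && desc_ce_bit(d);
    if (!conforming && (desc_dpl(d) < cpl || desc_dpl(d) < rpl))
        return false;
    return true;                                     /* P bit deliberately not consulted */
}

/* What MOV DS/ES/FS/GS, selector does with a non-null selector: the
 * protection checks above raise #GP, and only once they pass does a clear
 * P bit raise #NP. That second step is what VERW cannot predict. */
enum load_outcome load_data_selector(const struct desc_table *gdt,
                                     const struct desc_table *ldt,
                                     uint16_t selector, unsigned cpl)
{
    if (!verify_segment(gdt, ldt, selector, cpl, VERIFY_READ))
        return LOAD_GP;
    const struct desc_table *t = (selector & 4) ? ldt : gdt;
    return desc_present(t->descs[selector >> 3]) ? LOAD_OK : LOAD_NP;
}

/* Constructed sample GDT (not from any real system). Type nibbles:
 * 0xA = code, readable; 0x2 = data, writable; 0x0 = data, read-only;
 * 0x9 = 32-bit TSS (a system segment, S bit clear). */
const struct desc_table *sample_gdt(void)
{
    static uint64_t gdt[7];
    static const struct desc_table table = { gdt, sizeof gdt - 1 };
    gdt[0] = 0;                                             /* null */
    gdt[1] = make_desc(0, 0xFFFFF, 0xA, true,  0, true);    /* ring-0 code */
    gdt[2] = make_desc(0, 0xFFFFF, 0x2, true,  3, true);    /* ring-3 data, present */
    gdt[3] = make_desc(0, 0xFFFFF, 0x2, true,  3, false);   /* ring-3 data, NOT present */
    gdt[4] = make_desc(0, 0xFFFFF, 0x0, true,  3, true);    /* ring-3 read-only data */
    gdt[5] = make_desc(0, 0xFFFFF, 0x2, true,  0, true);    /* ring-0 data */
    gdt[6] = make_desc(0, 0x67,    0x9, false, 0, true);    /* TSS, system segment */
    return &table;
}
```

Selectors are `index << 3 | TI << 2 | RPL`, so `0x1B` names GDT entry 3 with RPL 3: `verify_segment(..., 0x1B, 3, VERIFY_WRITE)` reports it writable even though `load_data_selector` on the same selector ends in `LOAD_NP`, which is the behaviour the thread observed. A user-mode check that must also survive a swapped-out segment has to test the P bit separately (LAR, or a kernel-provided query), as the closing paragraph of the message notes.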