On Mon, Jan 29, 2018 at 1:13 AM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
> On 01/28/18 11:21, Andy Lutomirski wrote:
>>>
>>> I think the bug is here. I think that, when writing a NULL selector
>>> to DS, ES, FS, or GS, Intel CPUs incorrectly set DPL == RPL, whereas
>>> they should set DPL to 3.
>>
>> As an experiment, I did this:
>>
>> DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
>> + [0] = { .dpl = 3, },
>> +
>>
>> This had no apparent effect. I was hoping that maybe loading NULL
>> into a selector would copy DPL from from gdt[0], but it seems like it
>> doesn't.
>>
>
> GDT[0] doesn't actually exist.
That's what I thought, too, and the SDM does say that, but the SDM
says all kinds of not-quite-correct things about segmentation.
> It is pretty much scratch space (I have
> suggested using it for the gsbase once all those issues get sorted out,
> because it lets the paranoid code do something like:
>
> rdgsbase %rax
> push %rax /* Save old gsbase */
> push %rax /* Reserve space on stack */
> sgdt -2(%rsp) /* We don't care about the limit */
> pop %rax /* %rax <- gdtbase */
> mov (%rax),%rax /* GDT[0] holds the gsbase for this cpu */
> wrgsbase %rax
That will utterly suck on non-UMIP machines that have
hypervisor-provided UMIP emulation.
--
To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
