On Tue, Dec 12, 2017 at 10:03:02AM -0800, Andy Lutomirski wrote: > On Tue, Dec 12, 2017 at 9:32 AM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > > @@ -171,6 +172,9 @@ static void exit_to_usermode_loop(struct > > /* Disable IRQs and retry */ > > local_irq_disable(); > > > > + if (cached_flags & _TIF_LDT) > > + ldt_exit_user(regs); > > Nope. To the extent that this code actually does anything (which it > shouldn't since you already forced the access bit), Without this; even with the access bit set; IRET will go wobbly and we'll #GP on the user-space side. Try it ;-) > it's racy against > flush_ldt() from another thread, and that race will be exploitable for > privilege escalation. It needs to be outside the loopy part. The flush_ldt (__ldt_install after these patches) would re-set the TIF flag. But sure, we can move this outside the loop I suppose. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
