On Tue, Dec 12, 2017 at 10:09 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: > On Tue, Dec 12, 2017 at 10:03:02AM -0800, Andy Lutomirski wrote: >> On Tue, Dec 12, 2017 at 9:32 AM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > >> > @@ -171,6 +172,9 @@ static void exit_to_usermode_loop(struct >> > /* Disable IRQs and retry */ >> > local_irq_disable(); >> > >> > + if (cached_flags & _TIF_LDT) >> > + ldt_exit_user(regs); >> >> Nope. To the extent that this code actually does anything (which it >> shouldn't since you already forced the access bit), > > Without this; even with the access bit set; IRET will go wobbly and > we'll #GP on the user-space side. Try it ;-) Maybe later. But that means that we need Intel and AMD to confirm WTF is going on before this blows up even with LAR on some other CPU. > >> it's racy against >> flush_ldt() from another thread, and that race will be exploitable for >> privilege escalation. It needs to be outside the loopy part. > > The flush_ldt (__ldt_install after these patches) would re-set the TIF > flag. But sure, we can move this outside the loop I suppose. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
