On Wed, Jun 14, 2023 at 05:38:54PM +0100, Lee Jones wrote: > set_pgd() expects to be passed whole pages to operate on, whereas > trampoline_pgd_entry is, as the name suggests, an entry. The > ramifications for using set_pgd() here are that the following thread of > execution will not only place the suggested value into the > trampoline_pgd_entry (8-Byte globally stored [.bss]) variable, PTI will > also attempt to replicate that value into the non-existent neighboring > user page (located +4k away), leading to the corruption of other global > [.bss] stored variables. > > Suggested-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > Signed-off-by: Lee Jones <lee@xxxxxxxxxx> Nice work tracking this one down! Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline") Cc: <stable@xxxxxxxxxxxxxxx> > --- > arch/x86/mm/kaslr.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c > index 557f0fe25dff4..37db264866b64 100644 > --- a/arch/x86/mm/kaslr.c > +++ b/arch/x86/mm/kaslr.c > @@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(void) > set_p4d(p4d_tramp, > __p4d(_KERNPG_TABLE | __pa(pud_page_tramp))); > > - set_pgd(&trampoline_pgd_entry, > - __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp))); > + trampoline_pgd_entry = > + __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)); > } else { > - set_pgd(&trampoline_pgd_entry, > - __pgd(_KERNPG_TABLE | __pa(pud_page_tramp))); > + trampoline_pgd_entry = > + __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)); > } > } > -- > 2.41.0.162.gfafddb0af9-goog >