From: Borislav Petkov <bp@alien8.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [RFC PATCH] x86/cpu: Fix MSR value truncation issue
Date: Wed, 11 Nov 2015 13:31:58 +0100
Message-ID: <20151111123158.GF22512@pd.tnic>
In-Reply-To: <1446226105-13384-1-git-send-email-bp@alien8.de>
On Fri, Oct 30, 2015 at 06:28:25PM +0100, Borislav Petkov wrote:
> More specifically, MSR_STAR[31:0] is being set to 0. That field is
> reserved on Intel and on AMD it is 32-bit SYSCALL Target EIP.
>
> I'd strongly guess because Intel doesn't have SYSCALL in compat/legacy
> mode and we're using SYSENTER and INT80 there. And for compat syscalls
> in long mode we use CSTAR.
So I was wondering what would happen if I used SYSCALL on 32-bit AMD.
This is what happens on a normal system:
$ strace -f ./syscall
execve("./syscall", ["./syscall"], [/* 24 vars */]) = 0
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80480e8} ---
+++ killed by SIGILL +++
Illegal instruction
Wondering who causes the SIGILL and after some code staring, it is MSR
EFER.SCE which we don't enable on 32-bit.
And, because I like to cause fire (woahahahah... /me rubs hands and
laughs ominously), I went and toggled that bit.
Oh well, we bomb out, as expected:
BUG: sleeping function called from invalid context at /mnt/kernel/kernel/linux-2.6/arch/x86/mm/fault.c:1191
in_atomic(): 0, irqs_disabled(): 1, pid: 2567, name: syscall
1 lock held by syscall/2567:
#0: (&mm->mmap_sem){++++++}, at: [<c10447f7>] __do_page_fault+0xf7/0x3f0
irq event stamp: 1812
hardirqs last enabled at (1811): [<c165f29a>] restore_all_notrace+0x0/0xe
hardirqs last disabled at (1812): [<c1660145>] error_code+0x31/0x3c
softirqs last enabled at (988): [<c1059e5b>] __do_softirq+0x37b/0x440
softirqs last disabled at (965): [<c1005749>] do_softirq_own_stack+0x39/0x50
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
00000000 00000000 bff53b20 c12fdfa2 00000000 bff53b48 c107a9bc c181aca4
00000000 00000001 00000a07 f2cb3830 f2cb3500 00000000 00000000 bff53b7c
c107aae6 f453f70c 00000001 bff53bd0 00000000 bff53b7c c109ee4d 00000001
Call Trace:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
*pdpt = 0000000032e0b001 *pde = 0000000000000000
Oops: 0010 [#1] PREEMPT SMP
Modules linked in: ipv6 usbhid kvm_amd rtsx_pci_sdmmc kvm mmc_core snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi pcspkr snd_hda_intel k10temp ohci_pci snd_hda_codec snd_hwdep snd_hda_core snd_pcm rtsx_pci mfd_core ohci_hcd battery snd_timer radeon thinkpad_acpi nvram ehci_pci ehci_hcd snd soundcore video ac button thermal
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
task: f2cb3500 ti: f2d74000 task.ti: f2d74000
EIP: 0000:[<00000000>] EFLAGS: 00010086 CPU: 1
EIP is at 0x0
EAX: 00000000 EBX: 00000000 ECX: 080480ea EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: bff53c1c ESP: bff53c0c
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0008
CR0: 8005003b CR2: 00000000 CR3: 33af5900 CR4: 000006f0
Stack:
00000000 00000000 00000000 00000000 00000000 00000001 bff54df4 00000000
bff54dfe bff54e0c bff54e18 bff54e31 bff54e3c bff54e4c bff54e6e bff54e81
bff54e94 bff54e9e bff54eb2 bff54efe bff54f07 bff54f18 bff54f20 bff54f2b
Call Trace:
Code: Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0008:bff53c0c
CR2: 0000000000000000
---[ end trace fa036c454007a131 ]---
PANIC: double fault, gdt at f7bb7000 [255 bytes]
double fault, tss at f7bbe9c0
eip = c104afc3, esp = bff539dc
eax = 00000000, ebx = f453f680, ecx = ffffffff, edx = f453f680
esi = ffffffff, edi = f453f680
Nice.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
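As an added illustration (not code from the mail or from the kernel), a small C model of what a legacy-mode SYSCALL does on an AMD CPU given EFER and STAR: with EFER.SCE clear the instruction is undefined, which is the SIGILL in the strace above; with SCE set and STAR never programmed it transfers to CS 0, SS 8, EIP 0, the register state in the oops. The field layout (SYSCALL target EIP in STAR[31:0], CS selector in STAR[47:32], SS = that selector + 8) follows the AMD manual; the STAR values below are constructed, and no real MSR is read.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of EFER (MSR 0xC0000080) and STAR (MSR 0xC0000081) on AMD. */
#define EFER_SCE            (1ULL << 0)                           /* SYSCALL/SYSRET enable */
#define STAR_SYSCALL_EIP(s) ((uint32_t)((s) & 0xffffffffULL))     /* bits 31:0, legacy-mode target */
#define STAR_SYSCALL_CS(s)  ((uint16_t)(((s) >> 32) & 0xffffULL)) /* bits 47:32 */
#define STAR_SYSRET_CS(s)   ((uint16_t)(((s) >> 48) & 0xffffULL)) /* bits 63:48 */

/* Outcome of executing SYSCALL in legacy (32-bit) mode on an AMD CPU. */
struct legacy_syscall {
    bool     ud;   /* true: #UD raised, which user space sees as SIGILL */
    uint16_t cs;   /* kernel CS loaded from STAR[47:32] */
    uint16_t ss;   /* kernel SS is always STAR[47:32] + 8 */
    uint32_t eip;  /* kernel entry point loaded from STAR[31:0] */
};

/*
 * Model of the architectural behaviour: with EFER.SCE clear the instruction
 * is undefined; with it set, the CPU jumps to STAR[31:0] with selectors
 * derived from STAR[47:32], whether or not those fields were ever programmed.
 */
struct legacy_syscall model_legacy_syscall(uint64_t efer, uint64_t star)
{
    struct legacy_syscall r = { .ud = false, .cs = 0, .ss = 0, .eip = 0 };

    if (!(efer & EFER_SCE)) {
        r.ud = true;
        return r;
    }
    r.cs  = STAR_SYSCALL_CS(star);
    r.ss  = (uint16_t)(STAR_SYSCALL_CS(star) + 8);
    r.eip = STAR_SYSCALL_EIP(star);
    return r;
}

int main(void)
{
    /* Constructed value: a 32-bit kernel that never programmed STAR. */
    const uint64_t star_unset = 0;

    struct legacy_syscall off = model_legacy_syscall(0, star_unset);
    struct legacy_syscall on  = model_legacy_syscall(EFER_SCE, star_unset);

    printf("SCE clear: %s\n", off.ud ? "#UD (SIGILL)" : "transfer");
    printf("SCE set:   cs=%04x ss=%04x eip=%08x\n", on.cs, on.ss, on.eip);
    return 0;
}
```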