From: Paolo Bonzini <pbonzini@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>, Willy Tarreau <w@1wt.eu>
Cc: Peter Zijlstra <peterz@infradead.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Steven Rostedt <rostedt@goodmis.org>, X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Borislav Petkov <bp@alien8.de>,
Thomas Gleixner <tglx@linutronix.de>,
Brian Gerst <brgerst@gmail.com>
Subject: Re: Dealing with the NMI mess
Date: Thu, 30 Jul 2015 17:54:31 +0200
Message-ID: <55BA48B7.9020500@redhat.com>
In-Reply-To: <CALCETrWq0KoBerS5OjoYZvfGNfwHYCtzzNUDuCH=84XQvEoRug@mail.gmail.com>
On 24/07/2015 19:20, Andy Lutomirski wrote:
> > Andy, section 5.8 of the SDM makes me think we could possibly abuse SYSRET
> > to emulate IRET, and then possibly simplify the flags processing. It says
> > that it takes the CPL3 code segment, but nowhere does it say that the target is
> > validated for effectively being userland, and further it suggests that it
> > doesn't validate anything:
> >
> > "It is the responsibility of the OS to ensure the descriptors in
> > the GDT/LDT correspond to the selectors loaded by SYSCALL/SYSRET
> > (consistent with the base, limit, and attribute values forced by
> > the instructions)."
> You are an evil bastard. I seriously doubt that this will work.
> SYSRET goes to CPL3 no matter what. Also, I don't think you want to
> start poking at MSRs to return.
On Intel the bottom two bits of the selector are forced to 11. The
pseudocode of SYSRET in the SDM has an explicit
CS.Selector ← (IA32_STAR[63:48]+ either 0 or 16) OR 3;
...
SS.Selector ← (IA32_STAR[63:48]+8) OR 3;
On AMD it's even worse, because you get a weird state with
CS.DPL=CS.RPL=SS.DPL=SS.RPL=0 but still the CPL is 3. This is seriously
messed up because the CPL is always SS.DPL except in this case. AMD
even had to add a separate field for the CPL to their VM control block,
just to account for this case. Intel more sanely uses SS.DPL.
Paolo
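The SYSRET selector derivation Paolo quotes from the SDM, and the Intel/AMD difference he describes, modelled in C as an added example that is not part of the thread. The Linux-like GDT layout, the STAR sample values, the vendor enum and the function names are constructed assumptions, and the AMD branch models only what the message states (selectors loaded without the forced OR 3, CPL still 3).

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model (not kernel, SDM or APM code) of how SYSRET derives its
 * selectors from IA32_STAR[63:48], and of the vendor difference Paolo notes:
 * Intel ORs 3 into both selectors, AMD (as modelled here) loads them as
 * written but still runs the target at CPL 3. */
enum vendor { VENDOR_INTEL, VENDOR_AMD };
struct sysret_state {
    uint16_t cs_sel, ss_sel;  /* selectors loaded into CS and SS */
    unsigned cs_dpl, ss_dpl;  /* DPL of the GDT descriptors they index */
    unsigned cpl;             /* privilege level after the instruction */
};

#define GDT_ENTRIES 16
static unsigned sel_index(uint16_t sel) { return sel >> 3; }
static unsigned sel_rpl(uint16_t sel) { return sel & 3; }
/* Constructed sample: Linux-like x86_64 GDT with the user32 CS, user DS and
 * user CS descriptors at indices 4, 5, 6 (selectors 0x23, 0x2b, 0x33). */
static const unsigned sample_gdt_dpl[GDT_ENTRIES] = { [4] = 3, [5] = 3, [6] = 3 };
#define SAMPLE_STAR_OK  ((uint64_t)0x23 << 48)  /* STAR[63:48] with RPL 3 set */
#define SAMPLE_STAR_BAD ((uint64_t)0x20 << 48)  /* same index, RPL bits left 0 */

/* gdt_dpl[] records only each descriptor's DPL, enough for this check. */
struct sysret_state sysret_model(uint64_t star, bool to_64bit, enum vendor v,
                                 const unsigned gdt_dpl[GDT_ENTRIES])
{
    uint16_t base = (uint16_t)(star >> 48);
    uint16_t cs = base + (to_64bit ? 16 : 0);  /* SDM: "+ either 0 or 16" */
    uint16_t ss = base + 8;                      /* SDM: "+ 8" */
    if (v == VENDOR_INTEL) { cs |= 3; ss |= 3; } /* SDM: "OR 3" forces RPL 3 */
    struct sysret_state st = { cs, ss, 0, 0, 3 };  /* CPL is 3 on both vendors */
    st.cs_dpl = gdt_dpl[sel_index(cs) % GDT_ENTRIES];
    st.ss_dpl = gdt_dpl[sel_index(ss) % GDT_ENTRIES];
    return st;
}

/* OS-side invariant from the quoted SDM text: every descriptor SYSRET can load
 * must be a DPL-3 user descriptor, and the selectors in STAR should already
 * carry RPL 3 so both vendors end in the same CS.RPL = SS.RPL = DPL = CPL = 3
 * state; Intel's forced OR 3 would otherwise hide a STAR value AMD exposes. */
bool star_layout_consistent(uint64_t star, const unsigned gdt_dpl[GDT_ENTRIES])
{
    for (int to_64bit = 0; to_64bit < 2; to_64bit++)
        for (int v = VENDOR_INTEL; v <= VENDOR_AMD; v++) {
            struct sysret_state st = sysret_model(star, to_64bit, v, gdt_dpl);
            if (st.cs_dpl != 3 || st.ss_dpl != 3) return false;
            if (sel_rpl(st.cs_sel) != 3 || sel_rpl(st.ss_sel) != 3) return false;
        }
    return true;
}
```

With SAMPLE_STAR_BAD the Intel model still lands on 0x33/0x2b while the AMD model lands on 0x30/0x28 at CPL 3, which is the mismatch the check is meant to catch before it reaches hardware.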