From: Borislav Petkov <bp@alien8.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>,
	"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [RFC PATCH] x86/cpu: Fix MSR value truncation issue
Date: Wed, 11 Nov 2015 13:31:58 +0100
Message-ID: <20151111123158.GF22512@pd.tnic>
In-Reply-To: <1446226105-13384-1-git-send-email-bp@alien8.de>

On Fri, Oct 30, 2015 at 06:28:25PM +0100, Borislav Petkov wrote:
> More specifically, MSR_STAR[31:0] is being set to 0. That field is
> reserved on Intel and on AMD it is 32-bit SYSCALL Target EIP.
> 
> I'd strongly guess because Intel doesn't have SYSCALL in compat/legacy
> mode and we're using SYSENTER and INT80 there. And for compat syscalls
> in long mode we use CSTAR.

So I was wondering what would happen if I used SYSCALL on 32-bit AMD.

This is what happens on a normal system:

$ strace -f ./syscall
execve("./syscall", ["./syscall"], [/* 24 vars */]) = 0
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80480e8} ---
+++ killed by SIGILL +++
Illegal instruction

Wondering who causes the SIGILL and after some code staring, it is MSR
EFER.SCE which we don't enable on 32-bit.

And, because I like to cause fire (woahahahah... /me rubs hands and
laughs ominously), I went and toggled that bit.

Oh well, we bomb out, as expected:

 BUG: sleeping function called from invalid context at /mnt/kernel/kernel/linux-2.6/arch/x86/mm/fault.c:1191
 in_atomic(): 0, irqs_disabled(): 1, pid: 2567, name: syscall
 1 lock held by syscall/2567:
  #0:  (&mm->mmap_sem){++++++}, at: [<c10447f7>] __do_page_fault+0xf7/0x3f0
 irq event stamp: 1812
 hardirqs last  enabled at (1811): [<c165f29a>] restore_all_notrace+0x0/0xe
 hardirqs last disabled at (1812): [<c1660145>] error_code+0x31/0x3c
 softirqs last  enabled at (988): [<c1059e5b>] __do_softirq+0x37b/0x440
 softirqs last disabled at (965): [<c1005749>] do_softirq_own_stack+0x39/0x50
 CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
 Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
  00000000 00000000 bff53b20 c12fdfa2 00000000 bff53b48 c107a9bc c181aca4
  00000000 00000001 00000a07 f2cb3830 f2cb3500 00000000 00000000 bff53b7c
  c107aae6 f453f70c 00000001 bff53bd0 00000000 bff53b7c c109ee4d 00000001
 Call Trace:
 kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
 BUG: unable to handle kernel NULL pointer dereference at   (null)
 IP: [<  (null)>]   (null)
 *pdpt = 0000000032e0b001 *pde = 0000000000000000 
 Oops: 0010 [#1] PREEMPT SMP 
 Modules linked in: ipv6 usbhid kvm_amd rtsx_pci_sdmmc kvm mmc_core snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi pcspkr snd_hda_intel k10temp ohci_pci snd_hda_codec snd_hwdep snd_hda_core snd_pcm rtsx_pci mfd_core ohci_hcd battery snd_timer radeon thinkpad_acpi nvram ehci_pci ehci_hcd snd soundcore video ac button thermal
 CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
 Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
 task: f2cb3500 ti: f2d74000 task.ti: f2d74000
 EIP: 0000:[<00000000>] EFLAGS: 00010086 CPU: 1
 EIP is at 0x0
 EAX: 00000000 EBX: 00000000 ECX: 080480ea EDX: 00000000
 ESI: 00000000 EDI: 00000000 EBP: bff53c1c ESP: bff53c0c
  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0008
 CR0: 8005003b CR2: 00000000 CR3: 33af5900 CR4: 000006f0
 Stack:
  00000000 00000000 00000000 00000000 00000000 00000001 bff54df4 00000000
  bff54dfe bff54e0c bff54e18 bff54e31 bff54e3c bff54e4c bff54e6e bff54e81
  bff54e94 bff54e9e bff54eb2 bff54efe bff54f07 bff54f18 bff54f20 bff54f2b
 Call Trace:
 Code:  Bad EIP value.
 EIP: [<00000000>] 0x0 SS:ESP 0008:bff53c0c
 CR2: 0000000000000000
 ---[ end trace fa036c454007a131 ]---
 PANIC: double fault, gdt at f7bb7000 [255 bytes]
 double fault, tss at f7bbe9c0
 eip = c104afc3, esp = bff539dc
 eax = 00000000, ebx = f453f680, ecx = ffffffff, edx = f453f680
 esi = ffffffff, edi = f453f680

Nice.

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
