From: Rudolf Marek <r.marek@assembler.cz>
To: Andrew Cooper <andrew.cooper3@citrix.com>, Jann Horn <jannh@google.com>
Cc: jmill@asu.edu, joao@overdrivepizza.com, luto@kernel.org,
samitolvanen@google.com,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
linux-hardening@vger.kernel.org,
lkml <linux-kernel@vger.kernel.org>,
x86 maintainers <x86@kernel.org>
Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints
Date: Sat, 22 Feb 2025 21:43:42 +0100 [thread overview]
Message-ID: <e46ca730-8858-4f57-bdd0-2fd0db086500@assembler.cz> (raw)
In-Reply-To: <1cf8d5a5-bf3e-4667-bc6a-d1b1d662d822@citrix.com>
Hi,
Dne 13. 02. 25 v 3:42 Andrew Cooper napsal(a):
> The SYSCALL behaviour TLDR is:
>
> %rcx = %rip
> %r11 = %eflags
> %cs = fixed attr
> %ss = fixed attr
> %rip = MSR_LSTAR
>
> which means that %rcx (old rip) is the only piece of state which
> userspace can't feasibly forge (and therefore could distinguish a
> SYSCALL from user vs kernel mode), yet if we're talking about a JOP
> chain to get here, then %rcx is under attacker control too.
The SYSCALL instruction also provides means to create "incoherent" state of the processor selectors
where the value of selector do not match pre-loaded values in the descriptor caches.
Would it work to have KERNEL_CS as last entry in the GDT table? Therefore executing SYSCALL would set the CS as usual,
but the numeric value of SS selector would be larger than GDT limit?
That would mean that "impossible" selector is loaded into SS if we came from usermode,
but operation with stack would still work as the descriptor caches will be sane.
The "impossible" selector value can be fixed by loading SS with NULL which is cheap.
The check in hotpath could maybe use VERR %SS which would fail because of GDT limit is reached. The VERR with mem operand
does not use any GPR!
Or simply check for "impossible" selector would work if we misuse zeros in high32 of R11 (usermode rflags) maybe like:
entry:
endbr64
rol $32, %r11
movw %ss, %r11w
cmpw $IMPOSSIBLE_SEL, %r11w
jnz panic
; load null to SS, fix R11 and pretend above never happened
If attacker would execute SYSCALL in the kernel, likely we could check the %RCX if it is OK or not?
Bit variation to this "theme" would be to have SYSCALL SS GDT entry still in the GDT but set as "not present".
Another brainstorm idea would be to misuse RFLAGS.ID and clear it in MSR FMASK but run kernel or most of it with RFLAGS.ID set.
I don't know what is the threat model you are trying to fix.
Lets fight x86 insanity with yet another x86 insanity - I think it is fair.
I hope above helps or at least I will learn why not if I overseen something obvious!
I tried to CC all the lists. I'm not subscribed.
Thanks,
Rudolf
PS: I'm leaving as an exercise to a reader NMI and #MC handling!
next prev parent reply other threads:[~2025-02-22 20:50 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Z60NwR4w/28Z7XUa@ubun>
2025-02-12 22:29 ` [RFC] Circumventing FineIBT Via Entrypoints Jann Horn
2025-02-13 1:31 ` Andrew Cooper
2025-02-13 2:09 ` Jann Horn
2025-02-13 2:42 ` Andrew Cooper
2025-02-22 20:43 ` Rudolf Marek [this message]
2025-02-25 18:10 ` Andrew Cooper
2025-02-25 20:06 ` Rudolf Marek
2025-02-25 21:14 ` Andrew Cooper
2025-02-26 2:55 ` Kees Cook
2025-02-26 22:48 ` Rudolf Marek
2025-02-27 0:41 ` Andrew Cooper
2025-03-01 22:48 ` Rudolf Marek
2025-03-02 19:16 ` Rudolf Marek
2025-03-02 22:31 ` Andrew Cooper
2025-02-28 12:13 ` Florian Weimer
2025-02-13 20:28 ` Kees Cook
2025-02-13 20:41 ` Andrew Cooper
2025-02-13 20:53 ` Kees Cook
2025-02-13 20:57 ` Jann Horn
2025-02-16 23:42 ` Kees Cook
2025-02-14 9:57 ` Peter Zijlstra
2025-02-15 21:07 ` Peter Zijlstra
2025-02-16 23:51 ` Kees Cook
2025-02-17 10:39 ` Peter Zijlstra
2025-02-17 13:06 ` David Laight
2025-02-17 13:13 ` Peter Zijlstra
2025-02-17 18:38 ` David Laight
2025-02-17 18:54 ` Peter Zijlstra
2025-02-14 10:05 ` Peter Zijlstra
2025-02-14 9:54 ` Peter Zijlstra
2025-02-13 6:15 ` Jennifer Miller
2025-02-13 19:23 ` Jann Horn
2025-02-13 21:24 ` Andrew Cooper
2025-02-13 23:24 ` Jennifer Miller
2025-02-13 23:43 ` Jann Horn
2025-02-14 23:06 ` Andrew Cooper
2025-02-15 0:07 ` Jennifer Miller
2025-02-15 0:11 ` Andrew Cooper
2025-02-15 0:19 ` Jennifer Miller
2025-02-14 22:25 ` Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e46ca730-8858-4f57-bdd0-2fd0db086500@assembler.cz \
--to=r.marek@assembler.cz \
--cc=andrew.cooper3@citrix.com \
--cc=jannh@google.com \
--cc=jmill@asu.edu \
--cc=joao@overdrivepizza.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=samitolvanen@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox