Re: [PATCH 0/2] x86: UMIP emulation leaking kernel addresses

From: Linus Torvalds
Date: Sat Dec 09 2023 - 15:08:56 EST

Next message: pr-tracker-bot: "Re: [GIT PULL] smb3 client fixes"
Previous message: Masahiro Yamada: "Re: [PATCH] kconfig: Use KCONFIG_CONFIG instead of .config"
In reply to: Brian Gerst: "Re: [PATCH 0/2] x86: UMIP emulation leaking kernel addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 9 Dec 2023 at 09:16, Brian Gerst <brgerst@xxxxxxxxx> wrote:
>
> A different way to plug this is to harden ptrace (and sigreturn) to
> verify that the segments are code or data type segments instead of
> relying on an IRET fault.

I think that is likely a good idea regardless of this particular issue.

And I don't think you need to even check the segment for any kind of
validity - all you need to check that it's a valid selector.

And we *kind* of do that already, with the x86 ptrace code checking

static inline bool invalid_selector(u16 value)
{
return unlikely(value != 0 && (value & SEGMENT_RPL_MASK) != USER_RPL);
}

but the thing is, I think we could limit that a lot more.

I think the only valid GDT entries are 0-15 (that includes the default
kernel segments, but they don't contain anything interesting), so we
could tighten that selector check to say that it has to be either a
LDT entry or a selector < 15.

So add some kind of requirement for "(value & 4) || (value < 8*16)", perhaps?

Linus

Next message: pr-tracker-bot: "Re: [GIT PULL] smb3 client fixes"
Previous message: Masahiro Yamada: "Re: [PATCH] kconfig: Use KCONFIG_CONFIG instead of .config"
In reply to: Brian Gerst: "Re: [PATCH 0/2] x86: UMIP emulation leaking kernel addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]