From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
Robert Gill <rtgill82@gmail.com>,
"Linux regression tracking (Thorsten Leemhuis)"
<regressions@leemhuis.info>,
antonio.gomez.iglesias@linux.intel.com,
daniel.sneddon@linux.intel.com
Subject: Re: [PATCH] x86/entry_32: Move CLEAR_CPU_BUFFERS before CR3 switch
Date: Thu, 9 May 2024 18:22:38 -0700
Message-ID: <20240510012149.5mdrr4x6suspaasd@desk>
In-Reply-To: <5b9a2cef-7b4f-41c3-9f64-4fea4d007cdf@intel.com>
On Thu, May 09, 2024 at 05:20:31PM -0700, Dave Hansen wrote:
> On 4/26/24 16:48, Pawan Gupta wrote:
> > Move the VERW before the CR3 switch for 32-bit kernels as a workaround.
>
> I look at the 32-bit code so rarely, I seem to forget and have to re-learn
> this gunk every time I look at it. Take a look at RESTORE_INT_REGS. On
> 32-bit, we actually restore %ds:
>
> popl %ds
>
> So even doing this:
>
> > + CLEAR_CPU_BUFFERS
> > /* Restore user state */
> > RESTORE_REGS pop=4 # skip orig_eax/error_code
> > - CLEAR_CPU_BUFFERS
> > .Lirq_return:
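Review bot: the new CLEAR_CPU_BUFFERS placement above RESTORE_REGS depends on an ordering constraint the hunk leaves undocumented, namely that VERW must execute while %ds still holds the kernel selector, because RESTORE_REGS pops the user %ds and the VERW memory operand is addressed through %ds; add a comment at the `+ CLEAR_CPU_BUFFERS` line stating that so the macro is not moved back below the register restore later. The same comment should record why it is acceptable for the register pops in RESTORE_REGS to run after the buffer clear (per this thread, the restored segment values are build-time constants rather than secrets), since that is the argument that makes the earlier placement safe.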
>
> fixes the issue. Moving it above the CR3 switch also works of course,
> but I don't think this has anything to do with CR3. It's just that
> userspace sets a funky %ds value and CLEAR_CPU_BUFFERS uses ds:.
I will test it out, but I think you are right. VERW documentation says:
#GP(0) If a memory operand effective address is outside the CS,
DS, ES, FS, or GS segment limit.
> I don't think any of the segment registers can have secrets in them, can
> they? I mean, it's possible, but in practice I can't imagine.
I don't think they are secrets. AFAICT, their values are build-time
constants, and can be easily deduced.
> So why not just do the CLEAR_CPU_BUFFERS in RESTORE_REGS but after
> RESTORE_INT_REGS? You might be able to do it universally, or you could
> pass in a macro argument to do it conditionally.
Sounds good. I will try that, possibly tomorrow.
> P.S. Can we remove 32-bit support yet? Please? :)
+1 ... or at least the mitigations for 32-bit :)
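The thread turns on what VERW actually does with a segment selector and why the register state at the time it runs matters. The following is an added example written for this page, not code from the thread or from the kernel tree: it executes VERW from user space on a few selectors to show the check it performs (ZF is set only if the selector names a data segment that is writable and accessible at the current privilege level; a code segment or a null selector clears ZF). The kernel's CLEAR_CPU_BUFFERS macro uses the memory-operand form of VERW, whose effective address is resolved through %ds, which is the form the quoted #GP(0) condition applies to; this example uses the register form so it runs without faulting. It assumes an x86 (32- or 64-bit) Linux process whose %ss holds a writable user data selector and whose %cs holds a code selector; on other architectures the helpers return -1 and the check is skipped.

```c
/* Added example, not from the thread or the kernel: probe VERW semantics
 * from user space. VERW is executable at CPL 3; it does not fault on the
 * register form, it only sets or clears ZF. On CPUs that enumerate
 * MD_CLEAR the same instruction also overwrites CPU buffers, which is why
 * the kernel issues it on the return-to-user path. */
#include <stdint.h>
#include <stdio.h>

#if defined(__i386__) || defined(__x86_64__)
#define HAVE_VERW 1
#else
#define HAVE_VERW 0
#endif

/* 1 if VERW reports `sel` as a writable, accessible data segment,
 * 0 otherwise, -1 when this build cannot execute VERW (non-x86). */
int selector_writable(uint16_t sel)
{
#if HAVE_VERW
    uint8_t zf;
    /* verw r16: sets ZF on success; setz captures the flag. */
    __asm__ volatile("verw %1\n\t"
                     "setz %0"
                     : "=r"(zf)
                     : "r"(sel)
                     : "cc");
    return zf;
#else
    (void)sel;
    return -1;
#endif
}

/* Live %ss of this process (assumed: a writable user data selector). */
uint16_t current_ss(void)
{
#if HAVE_VERW
    uint16_t s;
    __asm__ volatile("mov %%ss, %0" : "=r"(s));
    return s;
#else
    return 0;
#endif
}

/* Live %cs of this process (assumed: a code selector, never writable). */
uint16_t current_cs(void)
{
#if HAVE_VERW
    uint16_t s;
    __asm__ volatile("mov %%cs, %0" : "=r"(s));
    return s;
#else
    return 0;
#endif
}

/* Run the three probes and return 1 if they match VERW's documented
 * semantics (data segment writable, code segment and null selector not).
 * Returns 1 on non-x86 builds, where nothing can be checked. */
int verw_checks_pass(void)
{
    if (!HAVE_VERW)
        return 1;
    int ss_w   = selector_writable(current_ss()); /* expect 1 */
    int cs_w   = selector_writable(current_cs()); /* expect 0 */
    int null_w = selector_writable(0);            /* expect 0 */
    return ss_w == 1 && cs_w == 0 && null_w == 0;
}

int main(void)
{
    printf("ss=%#x writable=%d\n", current_ss(), selector_writable(current_ss()));
    printf("cs=%#x writable=%d\n", current_cs(), selector_writable(current_cs()));
    printf("null selector writable=%d\n", selector_writable(0));
    return verw_checks_pass() ? 0 : 1;
}
```

The register form is enough to see the privilege and type checks VERW performs. The kernel-side hazard discussed above is different in kind: there the operand is in memory, so before VERW can even look at the selector it must form an effective address through %ds, and a user-chosen %ds with a limit that excludes the operand triggers the #GP(0) quoted from the documentation.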
Thread overview:
2024-04-26 23:48 [PATCH] x86/entry_32: Move CLEAR_CPU_BUFFERS before CR3 switch Pawan Gupta
2024-05-09 12:19 ` Thorsten Leemhuis
2024-05-09 16:14 ` Dave Hansen
2024-05-09 22:17 ` Pawan Gupta
2024-05-10 0:04 ` Dave Hansen
2024-05-10 0:24 ` Pawan Gupta
2024-05-10 0:20 ` Dave Hansen
2024-05-10 1:22 ` Pawan Gupta [this message]