Re: [RFC PATCH] x86/cpu: Fix MSR value truncation issue
From: Borislav Petkov
Date: Wed Nov 11 2015 - 07:32:08 EST
On Fri, Oct 30, 2015 at 06:28:25PM +0100, Borislav Petkov wrote:
> More specifically, MSR_STAR[31:0] is being set to 0. That field is
> reserved on Intel and on AMD it is 32-bit SYSCALL Target EIP.
>
> I'd strongly guess because Intel doesn't have SYSCALL in compat/legacy
> mode and we're using SYSENTER and INT80 there. And for compat syscalls
> in long mode we use CSTAR.
So I was wondering what would happen if I used SYSCALL on 32-bit AMD.
This is what happens on a normal system:
$ strace -f ./syscall
execve("./syscall", ["./syscall"], [/* 24 vars */]) = 0
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80480e8} ---
+++ killed by SIGILL +++
Illegal instruction
Wondering who causes the SIGILL and after some code staring, it is MSR
EFER.SCE which we don't enable on 32-bit.
And, because I like to cause fire (woahahahah... /me rubs hands and
laughs ominously), I went and toggled that bit.
Oh well, we bomb out, as expected:
BUG: sleeping function called from invalid context at /mnt/kernel/kernel/linux-2.6/arch/x86/mm/fault.c:1191
in_atomic(): 0, irqs_disabled(): 1, pid: 2567, name: syscall
1 lock held by syscall/2567:
#0: (&mm->mmap_sem){++++++}, at: [<c10447f7>] __do_page_fault+0xf7/0x3f0
irq event stamp: 1812
hardirqs last enabled at (1811): [<c165f29a>] restore_all_notrace+0x0/0xe
hardirqs last disabled at (1812): [<c1660145>] error_code+0x31/0x3c
softirqs last enabled at (988): [<c1059e5b>] __do_softirq+0x37b/0x440
softirqs last disabled at (965): [<c1005749>] do_softirq_own_stack+0x39/0x50
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
00000000 00000000 bff53b20 c12fdfa2 00000000 bff53b48 c107a9bc c181aca4
00000000 00000001 00000a07 f2cb3830 f2cb3500 00000000 00000000 bff53b7c
c107aae6 f453f70c 00000001 bff53bd0 00000000 bff53b7c c109ee4d 00000001
Call Trace:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
*pdpt = 0000000032e0b001 *pde = 0000000000000000
Oops: 0010 [#1] PREEMPT SMP
Modules linked in: ipv6 usbhid kvm_amd rtsx_pci_sdmmc kvm mmc_core snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi pcspkr snd_hda_intel k10temp ohci_pci snd_hda_codec snd_hwdep snd_hda_core snd_pcm rtsx_pci mfd_core ohci_hcd battery snd_timer radeon thinkpad_acpi nvram ehci_pci ehci_hcd snd soundcore video ac button thermal
CPU: 1 PID: 2567 Comm: syscall Not tainted 4.3.0+ #1
Hardware name: LENOVO 30515QG/30515QG, BIOS 8RET30WW (1.12 ) 09/15/2011
task: f2cb3500 ti: f2d74000 task.ti: f2d74000
EIP: 0000:[<00000000>] EFLAGS: 00010086 CPU: 1
EIP is at 0x0
EAX: 00000000 EBX: 00000000 ECX: 080480ea EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: bff53c1c ESP: bff53c0c
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0008
CR0: 8005003b CR2: 00000000 CR3: 33af5900 CR4: 000006f0
Stack:
00000000 00000000 00000000 00000000 00000000 00000001 bff54df4 00000000
bff54dfe bff54e0c bff54e18 bff54e31 bff54e3c bff54e4c bff54e6e bff54e81
bff54e94 bff54e9e bff54eb2 bff54efe bff54f07 bff54f18 bff54f20 bff54f2b
Call Trace:
Code: Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0008:bff53c0c
CR2: 0000000000000000
---[ end trace fa036c454007a131 ]---
PANIC: double fault, gdt at f7bb7000 [255 bytes]
double fault, tss at f7bbe9c0
eip = c104afc3, esp = bff539dc
eax = 00000000, ebx = f453f680, ecx = ffffffff, edx = f453f680
esi = ffffffff, edi = f453f680
Nice.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/