Re: [PATCH] [RFC] x86: work around MPX Erratum

[Andy Lutomirski]

On Tue, May 3, 2016 at 2:43 PM, Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
> On 05/03/2016 02:31 PM, Andy Lutomirski wrote:
>> Having actually read the erratum: how can this affect Linux at all
>> under any scenario where user code hasn't already completely
>> compromised the kernel?
>>
>> I.e. why do we care about this erratum?
>
> First of all, with SMEP, it doesn't affect us.  At all.
>
> Without SMEP, there would have to be a page accessible to userspace that
> the kernel executes instructions from.  The only thing that I can think
> of that's normally user-accessible and not _controlled_ by userspace is
> the VDSO.  But the kernel never actually executes from it, so it doesn't
> matter here.
>
> I've heard reports of (but no actual cases in the wild of) folks
> remapping kernel text to be user-accessible so that userspace can
> execute it, or of having the kernel jump into user-provided libraries.
> Those are both obviously bonkers and would only be done with out-of-tree
> gunk, but even if somebody did that, they would be safe from the
> erratum, with this workaround.
>
>

I'm not convinced this is worth adding any code for, though.  If
someone adds out of tree crap that does this and manually turns off
SMEP, I think they should get to keep both pieces.  Frankly, I think
I'd *prefer* if the kernel crashed when calling user addresses like
that just to discourage it.

-- 
Andy Lutomirski
AMA Capital Management, LLC