Re: [PATCH v1] x86: Pin cr4 FSGSBASE
From: Greg KH
Date: Tue May 26 2020 - 02:56:23 EST
On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
> From: Andi Kleen <ak@xxxxxxxxxxxxxxx>
>
> Since there seem to be kernel modules floating around that set
> FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
> CR4 pinning just checks that bits are set, this also checks
> that the FSGSBASE bit is not set, and if it is clears it again.
So we are trying to "protect" ourselves from broken out-of-tree kernel
modules now? Why stop with this type of check, why not just forbid them
entirely if we don't trust them? :)
> Note this patch will need to be undone when the full FSGSBASE
> patches are merged. But it's a reasonable solution for v5.2+
> stable at least. Sadly the older kernels don't have the necessary
> infrastructure for this (although a simpler version of this
> could be added there too)
>
> Cc: stable@xxxxxxxxxxxxxxx # v5.2+
> Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
> ---
> arch/x86/kernel/cpu/common.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index bed0cb83fe24..1f5b7871ae9a 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -385,6 +385,11 @@ void native_write_cr4(unsigned long val)
> /* Warn after we've set the missing bits. */
> WARN_ONCE(bits_missing, "CR4 bits went missing: %lx!?\n",
> bits_missing);
> + if (val & X86_CR4_FSGSBASE) {
> + WARN_ONCE(1, "CR4 unexpectedly set FSGSBASE!?\n");
Like this will actually be noticed by anyone who calls this? What is a
user supposed to do about this?
What about those systems that panic-on-warn?
> + val &= ~X86_CR4_FSGSBASE;
So you just prevented them from setting this, thereby fixing up their
broken code that will never be fixed because you did this? Why do this?
thanks,
greg k-h