On Tue, Nov 21, 2017 at 2:09 PM, Dave Hansen
<dave.han...@linux.intel.com> wrote:
> On 11/20/2017 12:12 PM, Thomas Gleixner wrote:
>>> + */
>>> + native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
>>> + /*
>>> + * For the copy of the pgd that the kernel
>>> + * uses, make it unusable to userspace. This
>>> + * ensures if we get out to userspace with the
>>> + * wrong CR3 value, userspace will crash
>>> + * instead of running.
>>> + */
>>> + pgd.pgd |= _PAGE_NX;
>>> + }
>>> + } else if (!pgd.pgd) {
>>> + /*
>>> + * We are clearing the PGD and can not check _PAGE_USER
>>> + * in the zero'd PGD.
>>
>> Just the argument cannot be checked because it's clearing the entry. The
>> pgd entry itself is not yet modified, so it could be checked.
>
> So, I guess we could enforce that only PGDs with _PAGE_USER set can ever
> be cleared. That has a nice symmetry to it because we set the shadow
> when we see _PAGE_USER and we would then clear the shadow when we see
> _PAGE_USER.
Is this code path ever hit in any case other than tearing down an LDT?
I'm tempted to suggest that KAISER just disable the MODIFY_LDT config
option for now...
