On Fri, Nov 07, 2014 at 03:58:18PM -0800, Andy Lutomirski wrote:
> + /*
> + * Try to use SYSRET instead of IRET if we're returning to
> + * a completely clean 64-bit userspace context.
> + */
> + movq (RCX-R11)(%rsp), %rcx
> + cmpq %rcx,(RIP-R11)(%rsp) /* RCX == RIP */
> + jne opportunistic_sysret_failed
> +
> + /*
> + * On Intel CPUs, sysret with non-canonical RCX/RIP will #GP
> + * in kernel space. This essentially lets the user take over
> + * the kernel, since userspace controls RSP. It's not worth
> + * testing for canonicalness exactly -- this check detects any
> + * of the 17 high bits set, which is true for non-canonical
> + * or kernel addresses. (This will pessimize vsyscall=native.
> + * Big deal.)
> + */
> + shr $47, %rcx
> + jnz opportunistic_sysret_failed
> +
> + cmpq $__USER_CS,(CS-R11)(%rsp) /* CS must match SYSRET */
> + jne opportunistic_sysret_failed
> +
> + movq (R11-R11)(%rsp), %r11
> + cmpq %r11,(EFLAGS-R11)(%rsp) /* R11 == RFLAGS */
> + jne opportunistic_sysret_failed
> +
> + testq $X86_EFLAGS_RF,%r11 /* sysret can't restore RF */
> + jnz opportunistic_sysret_failed
> +
> + /* nothing to check for RSP */
> +
> + cmpq $__USER_DS,(SS-R11)(%rsp) /* SS must match SYSRET */
> + jne opportunistic_sysret_failed
Btw, Denys' R11->ARGOFFSET fix makes sense here too - using ARGOFFSET
instead of R11 would make this here clearer.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
