Re: [RFC] x86/mm/KASLR: Remap GDTs at fixed location

From: Ingo Molnar
Date: Tue Jan 10 2017 - 05:27:44 EST



* Thomas Garnier <thgarnie@xxxxxxxxxx> wrote:

> Coming back on that after a bit more testing. The LTR instruction
> checks if the busy bit is already set; if it is already set, then it will just
> issue a #GP given a bad selector:
>
> [ 0.000000] general protection fault: 0040 [#1] SMP
> ...
> [ 0.000000] RIP: 0010:native_load_tr_desc+0x9/0x10
> ...
> [ 0.000000] Call Trace:
> [ 0.000000] cpu_init+0x2d0/0x3c0
> [ 0.000000] trap_init+0x2a2/0x312
> [ 0.000000] start_kernel+0x1fb/0x43b
> [ 0.000000] ? set_init_arg+0x55/0x55
> [ 0.000000] ? early_idt_handler_array+0x120/0x120
> [ 0.000000] x86_64_start_reservations+0x2a/0x2c
> [ 0.000000] x86_64_start_kernel+0x13d/0x14c
> [ 0.000000] start_cpu+0x14/0x14
>
> I assume that's in this part of the pseudo-code:
>
> if(!IsWithinDescriptorTableLimit(Source.Offset) || Source.Type != TypeGlobal)
>     Exception(GP(SegmentSelector));
> SegmentDescriptor = ReadSegmentDescriptor();
> if(!IsForAnAvailableTSS(SegmentDescriptor))
>     Exception(GP(SegmentSelector)); <---- That's where I got the GP
> TSSSegmentDescriptor.Busy = 1; <---- That's the pagefault I get otherwise
> //Locked read-modify-write operation on the entire descriptor when
> //setting busy flag
> TaskRegister.SegmentSelector = Source;
> TaskRegister.SegmentDescriptor = TSSSegmentDescriptor;
>
> I assume the best option would be to make the remap read-write for the
> LTR instruction. What do you think?

So if LTR does not modify the GDT if the busy bit is already set, why don't we set
the busy bit in the descriptor (via the linear mapping rw alias)?

Then the remapped GDT can stay read-only all the time and LTR won't fault.

Am I missing something here?

Thanks,

Ingo
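
As an added illustration that is not part of this thread or the kernel, the C below models the LTR behaviour described in the quoted pseudo-code and trace: the type field of a 64-bit TSS descriptor, the #GP raised when the descriptor is not an available TSS, and the busy-bit write that needs a writable GDT mapping (modelled by a flag). Descriptor bit positions follow the Intel SDM; the TSS base and limit values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit system segment descriptor (TSS): two 8-byte GDT slots. */
struct tss_desc64 { uint64_t lo, hi; };

#define DESC_TYPE_SHIFT    40                 /* type field: bits 40..43 */
#define DESC_PRESENT       (1ULL << 47)
#define DESC_BUSY_BIT      (1ULL << 41)       /* bit 1 of the type field */
#define TSS_TYPE_AVAILABLE 0x9                /* 64-bit available TSS */
#define TSS_TYPE_BUSY      0xB                /* 64-bit busy TSS */

enum ltr_result { LTR_OK, LTR_GP, LTR_PF };

/* Build an available 64-bit TSS descriptor for the given base and limit. */
static struct tss_desc64 make_tss_desc(uint64_t base, uint32_t limit)
{
    struct tss_desc64 d;
    d.lo = (limit & 0xFFFFULL)
         | ((base & 0xFFFFFFULL) << 16)                    /* base 23:0  */
         | ((uint64_t)TSS_TYPE_AVAILABLE << DESC_TYPE_SHIFT)
         | DESC_PRESENT
         | (((uint64_t)(limit >> 16) & 0xF) << 48)         /* limit 19:16 */
         | (((base >> 24) & 0xFFULL) << 56);               /* base 31:24 */
    d.hi = base >> 32;                                     /* base 63:32 */
    return d;
}

static unsigned desc_type(const struct tss_desc64 *d)
{
    return (unsigned)((d->lo >> DESC_TYPE_SHIFT) & 0xF);
}

/* Model of the quoted LTR pseudo-code: #GP unless the descriptor is an
 * available TSS; otherwise the busy bit is written into the GDT entry,
 * which page-faults if the GDT mapping is read-only. */
static enum ltr_result model_ltr(struct tss_desc64 *gdt_entry, bool gdt_writable)
{
    if (desc_type(gdt_entry) != TSS_TYPE_AVAILABLE)
        return LTR_GP;                 /* busy already set: "bad selector" */
    if (!gdt_writable)
        return LTR_PF;                 /* write to a read-only GDT mapping */
    gdt_entry->lo |= DESC_BUSY_BIT;    /* locked RMW on real hardware */
    return LTR_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "#GP", "#PF" };
    struct tss_desc64 d = make_tss_desc(0xffff880000001000ULL, 0x2067); /* constructed */
    printf("ro gdt, available TSS: %s\n", names[model_ltr(&d, false)]);
    printf("rw gdt, available TSS: %s (type now 0x%x)\n", names[model_ltr(&d, true)], desc_type(&d));
    printf("any gdt, busy TSS:     %s\n", names[model_ltr(&d, true)]);
    return 0;
}
```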