Support for Intel's LASS
Support for Intel's LASS
Posted Jan 13, 2023 16:52 UTC (Fri) by corbet (editor, #1)In reply to: Support for Intel's LASS by mb
Parent article: Support for Intel's LASS
For testing applications, you could try booting with vsyscall=none and see if they still work. There's probably a better way but I don't know it offhand.
LASS is system-wide, so it can't be controlled on a per-process basis, at least in the posted implementation.
Posted Jan 13, 2023 17:07 UTC (Fri)
by mb (subscriber, #50428)
[Link]
Posted Jan 13, 2023 17:46 UTC (Fri)
by dullfire (guest, #111432)
[Link] (4 responses)
However I bet you could trap those specific faults (I would imaging LASS would look like a page fault to the kernel? I haven't read it's docs, but it has to raise some sort of exception), and if they point at the vsyscall address, just jump the corresponding vDSO address.
Of course it would be slow, but old apps would still work.
Alternately you might be able to get userfaultfd to be able to do something about this (though the kernel would have to forward the LASS fault correctly). I haven't had call to look into userfaultfd to know for sure though.
Posted Jan 13, 2023 17:55 UTC (Fri)
by dezgeg (subscriber, #92243)
[Link] (3 responses)
Posted Jan 13, 2023 18:09 UTC (Fri)
by hansendc (subscriber, #7363)
[Link] (2 responses)
LASS produces general protection faults (#GP). Unfortunately, #GP's don't set CR2 and the CPU doesn't give great information about why the fault occurred. It's quite possible to go fetch the instruction that faulted, decode it, and figure out that it was accessing the vsyscall page. The kernel does exactly that for some #GP's. But, it's kinda icky, and is best avoided.
But, if someone *REALLY* cares deeply, please do speak up.
Posted Jan 13, 2023 21:59 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
Such an RIP would only be reachable with a call or jmp instruction, and if it was a call then the return address would already be on the stack. All you'd have to do would be invoke the system call, replace RIP with a word popped off the stack and go back to userspace.
Not that it's a good idea. :)
Posted Jan 17, 2023 16:31 UTC (Tue)
by luto (guest, #39314)
[Link]
Intel has an unfortunate history of designing CPUs that validate RIP when setting RIP instead of when using RIP. This results in rather unfortunate bugs^Woutcomes when doing creative things like putting a SYSCALL instruction at the very top of the lower half of the address space. The SYSCALL works fine and sets RCX (the saved pointer to the subsequent instruction) to RIP+2, which is noncanonical. This is fine (from a very narrowly focused perspective) because RCX isn’t RIP. A subsequent SYSRET will try to set RIP to the saved value and fault. This is fine because it’s how the CPU works (which is an excuse for almost anything), but it’s barely documented. The fault will cause an exception frame to be written to the user RSP, because that’s how SYSRET works (see above about excuses). The result is privilege escalation.
AMD generally seems more sensible in this regard.
Support for Intel's LASS
I'll try that.
Support for Intel's LASS
Support for Intel's LASS
Support for Intel's LASS
Support for Intel's LASS
Support for Intel's LASS