diff options
| author | Andy Lutomirski <[email protected]> | 2015-07-15 10:29:38 -0700 |
|---|---|---|
| committer | Ingo Molnar <[email protected]> | 2015-07-17 12:50:12 +0200 |
| commit | 810bc075f78ff2c221536eb3008eac6a492dba2d (patch) | |
| tree | d558081a62bb49f80e733c755201fe8cbc4cfe39 /lib/timerqueue.c | |
| parent | a27507ca2d796cfa8d907de31ad730359c8a6d06 (diff) | |
x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
We have a tricky bug in the nested NMI code: if we see RSP
pointing to the NMI stack on NMI entry from kernel mode, we
assume that we are executing a nested NMI.
This isn't quite true. A malicious userspace program can point
RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
happen while RSP is still pointing at the NMI stack.
Fix it with a sneaky trick. Set DF in the region of code that
the RSP check is intended to detect. IRET will clear DF
atomically.
( Note: other than paravirt, there's little need for all this
complexity. We could check RIP instead of RSP. )
Signed-off-by: Andy Lutomirski <[email protected]>
Reviewed-by: Steven Rostedt <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Diffstat (limited to 'lib/timerqueue.c')
0 files changed, 0 insertions, 0 deletions