Bug #12718
LDT overlap with TSS reintroduced in 12608
Status: Closed (100% done)
Description
Andy F spotted an issue with the #12608 wad: it adjusts the layout of the TSS and LDT on cpu0 back to its previous (pre-KPTI) broken state.
Old (fixed by KPTI):
-#define DEBUG_INFO_VA (KERNEL_TEXT - MMU_PAGESIZE) -#define GDT_VA (DEBUG_INFO_VA - MMU_PAGESIZE) -#define IDT_VA (GDT_VA - MMU_PAGESIZE) -#define LDT_VA (IDT_VA - (16 * MMU_PAGESIZE)) -#define KTSS_VA (LDT_VA - MMU_PAGESIZE) -#define DFTSS_VA (KTSS_VA - MMU_PAGESIZE) -#define MISC_VA_BASE (DFTSS_VA) -#define MISC_VA_SIZE (KERNEL_TEXT - MISC_VA_BASE)
New (broken by #12608, and previously busted before KPTI testing):
+#define DEBUG_INFO_VA (KERNEL_TEXT - MMU_PAGESIZE) +#define GDT_VA (DEBUG_INFO_VA - MMU_PAGESIZE) +#define IDT_VA (GDT_VA - MMU_PAGESIZE) +#define LDT_VA (IDT_VA - (16 * MMU_PAGESIZE)) +#define KTSS_VA (IDT_VA - MMU_PAGESIZE) +#define DFTSS_VA (KTSS_VA - MMU_PAGESIZE) +#define MISC_VA_BASE (DFTSS_VA) +#define MISC_VA_SIZE (KERNEL_TEXT - MISC_VA_BASE)
Critically:
-#define KTSS_VA (LDT_VA - MMU_PAGESIZE) +#define KTSS_VA (IDT_VA - MMU_PAGESIZE)
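Review bot: the new `#define KTSS_VA (IDT_VA - MMU_PAGESIZE)` places the KTSS page inside the LDT region. With `#define LDT_VA (IDT_VA - (16 * MMU_PAGESIZE))` the LDT occupies the 16 pages immediately below IDT_VA, so `IDT_VA - MMU_PAGESIZE` is the LDT's final (16th) page, and DFTSS_VA, derived from KTSS_VA, moves up with it. Restore `#define KTSS_VA (LDT_VA - MMU_PAGESIZE)` so the KTSS sits directly below the LDT as in the KPTI layout.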
Given how long this problem had existed prior to the KPTI-related testing which uncovered it, it's clear that normal workloads do not run afoul of it. Only workloads which manipulate the LDT all the way out to that final 16th page, where it now erroneously overlaps with the KTSS, will have problems. Using the i386/ldt test from os-tests is an easy way of exercising the problem. On a kernel with the bug, the machine reboots immediately upon executing it (presumably due to a triple fault in the KTSS).
The fix is simple: restore the proper positioning of KTSS_VA so it does not overlap with the end of the LDT. Re-running i386/ldt on a BE with the fix results in no such reboot.
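The overlap is pure address arithmetic on the defines quoted above, so it can be caught by a layout sanity check rather than by a triple fault. The following is an added example, not illumos code: it rebuilds the cpu0 misc region layout from both versions of the KTSS_VA define and reports the first pair of regions whose pages collide. MMU_PAGESIZE is taken as the x86 4 KiB page and KERNEL_TEXT is an assumed stand-in base; the result does not depend on that base.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins: x86 4 KiB pages and an assumed KERNEL_TEXT base. */
#define MMU_PAGESIZE 4096ULL
#define KERNEL_TEXT  0xfffffffffb800000ULL
#define NREGIONS     6

typedef struct { const char *name; uint64_t va; uint64_t len; } region_t;

/* Build the cpu0 misc layout from the defines quoted above. fixed == true uses
 * KTSS_VA = LDT_VA - MMU_PAGESIZE (KPTI layout), false the #12608 version. */
static void build_layout(bool fixed, region_t out[NREGIONS]) {
    uint64_t debug_info_va = KERNEL_TEXT - MMU_PAGESIZE;
    uint64_t gdt_va   = debug_info_va - MMU_PAGESIZE;
    uint64_t idt_va   = gdt_va - MMU_PAGESIZE;
    uint64_t ldt_va   = idt_va - (16 * MMU_PAGESIZE);
    uint64_t ktss_va  = fixed ? ldt_va - MMU_PAGESIZE : idt_va - MMU_PAGESIZE;
    uint64_t dftss_va = ktss_va - MMU_PAGESIZE;
    region_t r[NREGIONS] = {
        { "DEBUG_INFO", debug_info_va, MMU_PAGESIZE },
        { "GDT",        gdt_va,        MMU_PAGESIZE },
        { "IDT",        idt_va,        MMU_PAGESIZE },
        { "LDT",        ldt_va,        16 * MMU_PAGESIZE },
        { "KTSS",       ktss_va,       MMU_PAGESIZE },
        { "DFTSS",      dftss_va,      MMU_PAGESIZE },
    };
    memcpy(out, r, sizeof (r));
}

/* Half-open intervals [va, va+len) share at least one byte. */
static bool overlaps(const region_t *a, const region_t *b) {
    return a->va < b->va + b->len && b->va < a->va + a->len;
}

/* Return the first overlapping pair encoded as a * NREGIONS + b (LDT/KTSS is
 * 3 * 6 + 4 = 22), or -1 when the layout is clean. Names go to *pa / *pb. */
int first_overlap(bool fixed, const char **pa, const char **pb) {
    region_t r[NREGIONS];
    build_layout(fixed, r);
    for (int a = 0; a < NREGIONS; a++)
        for (int b = a + 1; b < NREGIONS; b++)
            if (overlaps(&r[a], &r[b])) {
                if (pa) *pa = r[a].name;
                if (pb) *pb = r[b].name;
                return a * NREGIONS + b;
            }
    return -1;
}
```

With the #12608 define the check reports LDT against KTSS; with KTSS_VA restored below LDT_VA it reports no collision.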
Related issues
Updated by Andy Fiddaman about 2 years ago
- Related to Feature #12608: want memory arena for vmm applications added
Updated by Electric Monk about 2 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 4c7b9a81057545d490dd52cf823de529d8137a5b
commit 4c7b9a81057545d490dd52cf823de529d8137a5b
Author: Patrick Mooney <pmooney@pfmooney.com>
Date: 2020-05-10T22:24:53.000Z

12718 LDT overlap with TSS reintroduced in 12608
Reviewed by: John Levon <john.levon@joyent.com>
Reviewed by: Andy Fiddaman <omnios@citrus-it.co.uk>
Approved by: Robert Mustacchi <rm@fingolfin.org>