Bug #12718

LDT overlap with TSS reintroduced in 12608

Added by Patrick Mooney 2 months ago. Updated 2 months ago.

Status:
Closed
Priority:
High
Category:
kernel
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

Andy F spotted an issue with the #12608 wad: It adjusts the layout of the TSS and LDT on cpu0 back to its previously (before KPTI) broken state.

Old (fixed by KPTI):

-#define        DEBUG_INFO_VA   (KERNEL_TEXT - MMU_PAGESIZE)
-#define        GDT_VA          (DEBUG_INFO_VA - MMU_PAGESIZE)
-#define        IDT_VA          (GDT_VA - MMU_PAGESIZE)
-#define        LDT_VA          (IDT_VA - (16 * MMU_PAGESIZE))
-#define        KTSS_VA         (LDT_VA - MMU_PAGESIZE)
-#define        DFTSS_VA        (KTSS_VA - MMU_PAGESIZE)
-#define        MISC_VA_BASE    (DFTSS_VA)
-#define        MISC_VA_SIZE    (KERNEL_TEXT - MISC_VA_BASE)

New (broken by #12608, and previously busted before KPTI testing):

+#define        DEBUG_INFO_VA   (KERNEL_TEXT - MMU_PAGESIZE)
+#define        GDT_VA          (DEBUG_INFO_VA - MMU_PAGESIZE)
+#define        IDT_VA          (GDT_VA - MMU_PAGESIZE)
+#define        LDT_VA          (IDT_VA - (16 * MMU_PAGESIZE))
+#define        KTSS_VA         (IDT_VA - MMU_PAGESIZE)
+#define        DFTSS_VA        (KTSS_VA - MMU_PAGESIZE)
+#define        MISC_VA_BASE    (DFTSS_VA)
+#define        MISC_VA_SIZE    (KERNEL_TEXT - MISC_VA_BASE)
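Review bot: in this hunk KTSS_VA is derived from IDT_VA rather than LDT_VA, so KTSS_VA = LDT_VA + 15 * MMU_PAGESIZE and the KTSS page is the LDT's 16th page; DFTSS_VA, defined as KTSS_VA - MMU_PAGESIZE, then lands on the LDT's 15th page. Suggest restoring `#define KTSS_VA (LDT_VA - MMU_PAGESIZE)` so the KTSS/DFTSS pair sits below the LDT as in the block above, keeping MISC_VA_BASE/MISC_VA_SIZE unchanged in form.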

Critically:

-#define        KTSS_VA         (LDT_VA - MMU_PAGESIZE)

+#define        KTSS_VA         (IDT_VA - MMU_PAGESIZE)

Given how long this problem had existed prior to the KPTI-related testing which uncovered it, it's clear that normal workloads do not run afoul of it. Only workloads which manipulate the LDT all the way out to that final 16th page, where it now erroneously overlaps with the KTSS, will have problems. Using the i386/ldt from os-tests is an easy way of exercising the problem. On a kernel with the bug, the machine reboots immediately upon executing it, presumably due to a triple-fault in the KTSS.

The fix is simple: Restore proper positioning of KTSS_VA so it does not overlap with the end of the LDT. Re-running i386/ldt on a BE with the fix results in no such reboot.
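The overlap described above can be checked mechanically. The following is an added example, not code from the bug report or from illumos: it evaluates both sets of #defines quoted in the description and reports any region pairs that collide. MMU_PAGESIZE and KERNEL_TEXT are constructed placeholder values (page-aligned, 4 KiB pages); the real constants live in the illumos kernel headers. Because DFTSS_VA is defined relative to KTSS_VA, the check also shows that the broken layout drags the DFTSS page into the LDT range, one page below the KTSS.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for this example; the real illumos constants live in
 * the kernel headers.  MMU_PAGESIZE is 4 KiB on x86; KERNEL_TEXT here is an
 * assumed page-aligned placeholder. */
#define MMU_PAGESIZE   0x1000ULL
#define KERNEL_TEXT    0xfffffffffb800000ULL

#define NREGIONS 5

typedef struct {
    const char *name;
    uint64_t    start;   /* first byte of the region */
    uint64_t    len;     /* size in bytes */
} va_region_t;

/* Build the misc VA layout from the quoted #defines.  ktss_from_ldt == true
 * selects the correct form (KTSS_VA = LDT_VA - MMU_PAGESIZE); false selects
 * the broken form (KTSS_VA = IDT_VA - MMU_PAGESIZE) that 12608 reintroduced. */
static void
build_layout(bool ktss_from_ldt, va_region_t out[NREGIONS])
{
    uint64_t debug_info_va = KERNEL_TEXT - MMU_PAGESIZE;
    uint64_t gdt_va   = debug_info_va - MMU_PAGESIZE;
    uint64_t idt_va   = gdt_va - MMU_PAGESIZE;
    uint64_t ldt_va   = idt_va - (16 * MMU_PAGESIZE);
    uint64_t ktss_va  = ktss_from_ldt ? ldt_va - MMU_PAGESIZE
                                      : idt_va - MMU_PAGESIZE;
    uint64_t dftss_va = ktss_va - MMU_PAGESIZE;

    out[0] = (va_region_t){ "GDT",   gdt_va,   MMU_PAGESIZE };
    out[1] = (va_region_t){ "IDT",   idt_va,   MMU_PAGESIZE };
    out[2] = (va_region_t){ "LDT",   ldt_va,   16 * MMU_PAGESIZE };
    out[3] = (va_region_t){ "KTSS",  ktss_va,  MMU_PAGESIZE };
    out[4] = (va_region_t){ "DFTSS", dftss_va, MMU_PAGESIZE };
}

/* Half-open ranges [a, a+alen) and [b, b+blen) overlap iff each starts
 * before the other ends. */
static bool
regions_overlap(const va_region_t *a, const va_region_t *b)
{
    return a->start < b->start + b->len && b->start < a->start + a->len;
}

/* Count overlapping region pairs, printing each collision.  A correct
 * layout returns 0. */
static int
count_overlaps(const va_region_t regions[NREGIONS])
{
    int n = 0;
    for (int i = 0; i < NREGIONS; i++) {
        for (int j = i + 1; j < NREGIONS; j++) {
            if (regions_overlap(&regions[i], &regions[j])) {
                printf("overlap: %s [%#" PRIx64 ", %#" PRIx64 ") vs "
                       "%s [%#" PRIx64 ", %#" PRIx64 ")\n",
                       regions[i].name, regions[i].start,
                       regions[i].start + regions[i].len,
                       regions[j].name, regions[j].start,
                       regions[j].start + regions[j].len);
                n++;
            }
        }
    }
    return n;
}

/* Number of overlaps for the chosen KTSS_VA definition:
 * 0 for the fixed layout, 2 (LDT/KTSS and LDT/DFTSS) for the broken one. */
int
layout_overlap_count(bool ktss_from_ldt)
{
    va_region_t regions[NREGIONS];
    build_layout(ktss_from_ldt, regions);
    return count_overlaps(regions);
}

/* Zero-based LDT page index the KTSS lands on in the broken layout
 * (15, i.e. the final 16th page mentioned in the report). */
int
broken_ktss_ldt_page(void)
{
    va_region_t regions[NREGIONS];
    build_layout(false, regions);
    return (int)((regions[3].start - regions[2].start) / MMU_PAGESIZE);
}

int
main(void)
{
    printf("fixed layout:  %d overlap(s)\n", layout_overlap_count(true));
    printf("broken layout: %d overlap(s)\n", layout_overlap_count(false));
    return 0;
}
```

The checker deliberately treats every region as a half-open byte range rather than comparing the #define values directly, so the same function would catch an overlap introduced by a size change (for example, a larger LDT) as well as by a mis-anchored base address.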


Related issues

Related to illumos gate - Feature #12608: want memory arena for vmm applications (Closed)


History

#1

Updated by Patrick Mooney 2 months ago

  • Description updated (diff)
#2

Updated by Andy Fiddaman 2 months ago

  • Related to Feature #12608: want memory arena for vmm applications added
#3

Updated by Electric Monk 2 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 4c7b9a81057545d490dd52cf823de529d8137a5b

commit  4c7b9a81057545d490dd52cf823de529d8137a5b
Author: Patrick Mooney <pmooney@pfmooney.com>
Date:   2020-05-10T22:24:53.000Z

    12718 LDT overlap with TSS reintroduced in 12608
    Reviewed by: John Levon <john.levon@joyent.com>
    Reviewed by: Andy Fiddaman <omnios@citrus-it.co.uk>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
