From 1950e79d484a4bb7a629aca7add1b0d4896b1ea4 Mon Sep 17 00:00:00 2001
From: Idan Horowitz
Date: Wed, 22 Jun 2022 00:03:10 +0300
Subject: [PATCH] Kernel: Eliminate possible KASLR leak by disabling CR4.FSGSBASE

The RDGSBASE userspace instruction allows programs to read the contents of the gs segment register which contains a kernel pointer to the base of the current Processor struct. Since we don't use this instruction in Serenity at the moment, we can simply disable it for now to ensure we don't break KASLR. Support can later be restored once proper swapping of the contents of gs is done on userspace/kernel boundaries.
---
 Kernel/Arch/x86/common/Processor.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Kernel/Arch/x86/common/Processor.cpp b/Kernel/Arch/x86/common/Processor.cpp
index 69cd84a663..a34e489ea8 100644
--- a/Kernel/Arch/x86/common/Processor.cpp
+++ b/Kernel/Arch/x86/common/Processor.cpp
@@ -593,6 +593,12 @@ UNMAP_AFTER_INIT void Processor::cpu_setup()
     constexpr u64 rflags_mask = 0x257fd5u;
     MSR sfmask_msr(MSR_SFMASK);
     sfmask_msr.set(rflags_mask);
+
+    if (has_feature(CPUFeature::FSGSBASE)) {
+        // Turn off CR4.FSGSBASE to ensure the current Processor base kernel address is not leaked via
+        // the RDGSBASE instruction until we implement proper GS swapping at the userspace/kernel boundaries
+        write_cr4(read_cr4() & ~0x10000);
+    }
 #endif
 
     // Query OS-enabled CPUID features again, and set the flags if needed.
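Review bot: The mask in `write_cr4(read_cr4() & ~0x10000);` is a bare magic number whose correctness depends on the negative `int` result of `~0x10000` being sign-extended when it is ANDed with the wider value `read_cr4()` returns; that does clear bit 16 (CR4.FSGSBASE) today, but nothing in the line says which bit is meant or guards against the literal being widened differently. A named constant of the register's own width keeps the intent auditable and removes the sign-extension dependency: `constexpr FlatPtr cr4_fsgsbase = 1u << 16;` (or whatever type `read_cr4()` returns) followed by `write_cr4(read_cr4() & ~cr4_fsgsbase);`. Since the guard keeps reporting `CPUFeature::FSGSBASE` as present, if that same feature set is what gets exposed to userspace, a program that probes CPUID and executes RDGSBASE will now take #UD rather than learning the feature is unavailable; consider also dropping it from the advertised features, or stating in the comment that this is deliberate. The enclosing `cpu_setup()` begins before this hunk and the `#if` that the `#endif` closes is outside it, so the new code inherits that conditional.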