CPU Bugs: Difference between revisions

→‎PUSH selector: Added mitigation for the PUSH selector bug.
=== PUSH selector ===
 
On Intel CPUs running in 32-bit protected mode, pushing a segment selector with a 32-bit operand size reserves a 32-bit slot on the stack but writes only the 16-bit selector into the low half of that slot. The high 16 bits of the slot keep whatever value was there before. AMD CPUs do not do this; they write the whole slot. This can have a security impact, because part of the stack frame is left uninitialized: whatever happened to be in that stack location earlier is still there, and code that compares the full 32-bit slot against an expected selector value will not behave as intended.
 
Note: This applies every time a selector is pushed to the stack, so both an explicit PUSH of a segment register and the implicit pushes of CS and SS performed by an interrupt or exception are affected.
 
==== Mitigation ====
When reading a selector value off the stack, mask off everything except the bits you actually need (a selector is 16 bits wide; bits 1:0 hold the RPL and bit 2 is the TI bit). Very often the only information needed is the RPL, which already tells you whether the selector belongs to kernel or user space, or the TI bit; the actual table index is rarely needed. Doing this also hardens every part of the kernel that reads selectors against later changes to the GDT layout.
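The following is an added example, not code from this wiki page or from any particular kernel: it shows a naive 32-bit comparison of a CS slot breaking on an Intel-style frame whose upper half holds stale data, beside the masked check the mitigation above recommends. The `struct int_frame` layout and the selector value 0x1B for user code are assumptions for illustration (the slot order mirrors what the CPU pushes for an interrupt with an error code from user mode); the stale value 0xDEADBEEF is constructed test input.

```c
/* Added example: defensive handling of selectors read from a 32-bit
 * protected-mode interrupt frame. Not from the OSDev page. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Selector bit layout (architectural). */
#define SEL_RPL_MASK    0x0003u  /* bits 1:0 Requested Privilege Level */
#define SEL_TI_MASK     0x0004u  /* bit 2    Table Indicator: 0 = GDT, 1 = LDT */
#define SEL_INDEX_SHIFT 3        /* bits 15:3 descriptor index */
#define SEL_WIDTH_MASK  0xFFFFu  /* a selector is 16 bits; the stack slot is 32 */

/* Assumed frame layout: what an interrupt with an error code pushes when
 * arriving from user mode, each slot 32 bits wide. */
struct int_frame {
    uint32_t error_code;
    uint32_t eip;
    uint32_t cs;      /* only the low 16 bits are valid on Intel */
    uint32_t eflags;
    uint32_t esp;
    uint32_t ss;      /* same caveat */
};

#define USER_CS 0x1Bu  /* assumed: GDT index 3, TI = 0, RPL = 3 */
#define USER_SS 0x23u  /* assumed: GDT index 4, TI = 0, RPL = 3 */

static inline uint16_t sel_from_slot(uint32_t slot) { return (uint16_t)(slot & SEL_WIDTH_MASK); }
static inline unsigned sel_rpl(uint32_t slot)       { return slot & SEL_RPL_MASK; }
static inline bool     sel_is_ldt(uint32_t slot)    { return (slot & SEL_TI_MASK) != 0; }
static inline unsigned sel_index(uint32_t slot)     { return sel_from_slot(slot) >> SEL_INDEX_SHIFT; }

/* Naive check: compares the whole 32-bit slot against the expected selector.
 * Fails whenever the upper half still holds stale stack contents. */
static bool came_from_user_naive(const struct int_frame *f)
{
    return f->cs == USER_CS;
}

/* Hardened check: only the RPL is consulted, so stale upper bits and later
 * rearrangements of the GDT cannot change the answer. */
static bool came_from_user(const struct int_frame *f)
{
    return sel_rpl(f->cs) == 3;
}

/* Build a frame the way an Intel CPU leaves it: the slots held `stale`
 * before the interrupt, and the 16-bit selector overwrote only the low half.
 * Constructed test input, not a captured frame. */
static struct int_frame make_intel_frame(uint16_t cs, uint16_t ss, uint32_t stale)
{
    struct int_frame f = {0};
    f.cs = (stale & 0xFFFF0000u) | cs;
    f.ss = (stale & 0xFFFF0000u) | ss;
    return f;
}

/* Convenience wrappers so the two checks can be compared on identical input. */
static bool naive_check_on_stale_frame(void)
{
    struct int_frame f = make_intel_frame(USER_CS, USER_SS, 0xDEADBEEFu);
    return came_from_user_naive(&f);
}

static bool hardened_check_on_stale_frame(void)
{
    struct int_frame f = make_intel_frame(USER_CS, USER_SS, 0xDEADBEEFu);
    return came_from_user(&f);
}

int main(void)
{
    struct int_frame f = make_intel_frame(USER_CS, USER_SS, 0xDEADBEEFu);
    printf("raw CS slot      : 0x%08X\n", f.cs);
    printf("masked selector  : 0x%04X (index %u, %s, RPL %u)\n",
           sel_from_slot(f.cs), sel_index(f.cs), sel_is_ldt(f.cs) ? "LDT" : "GDT", sel_rpl(f.cs));
    printf("naive user check : %s\n", came_from_user_naive(&f) ? "user" : "kernel");
    printf("masked user check: %s\n", came_from_user(&f) ? "user" : "kernel");
    return 0;
}
```

The same masking applies to the SS slot and to any selector saved by an explicit PUSH; the point is that the kernel never treats the 32-bit slot as a whole as the selector.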
 
=== Nesting of NMI interrupt ===