Kernel: Eliminate possible KASLR leak by disabling CR4.FSGSBASE

The RDGSBASE userspace instruction allows programs to read the contents of the gs segment register which contains a kernel pointer to the base of the current Processor struct. Since we don't use this instruction in Serenity at the moment, we can simply disable it for now to ensure we don't break KASLR. Support can later be restored once proper swapping of the contents of gs is done on userspace/kernel boundaries.
Author: https://github.com/IdanHo Commit: https://github.com/SerenityOS/serenity/commit/1950e79d48 Pull-request: https://github.com/SerenityOS/serenity/pull/14353 Reviewed-by: https://github.com/bgianfo ✅
2024-11-26 09:30:24 +00:00 · 2022-06-22 00:03:10 +03:00 · 2022-06-22 00:03:10 +03:00 · 1950e79d48 · 2024-07-17 11:29:41 +09:00
commit 1950e79d48
parent 2df56f840f
1 changed files with 6 additions and 0 deletions
--- a/Kernel/Arch/x86/common/Processor.cpp
+++ b/Kernel/Arch/x86/common/Processor.cpp
@ -593,6 +593,12 @@ UNMAP_AFTER_INIT void Processor::cpu_setup()
    constexpr u64 rflags_mask = 0x257fd5u;
    MSR sfmask_msr(MSR_SFMASK);
    sfmask_msr.set(rflags_mask);
+
+    if (has_feature(CPUFeature::FSGSBASE)) {
+        // Turn off CR4.FSGSBASE to ensure the current Processor base kernel address is not leaked via
+        // the RDGSBASE instruction until we implement proper GS swapping at the userspace/kernel boundaries
+        write_cr4(read_cr4() & ~0x10000);
+    }
 #endif

    // Query OS-enabled CPUID features again, and set the flags if needed.