26 May
2020
26 May
'20
7:57 a.m.
On Tue, May 26, 2020 at 08:56:18AM +0200, Greg KH wrote:
On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
From: Andi Kleen ak@linux.intel.com
Since there seem to be kernel modules floating around that set FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently CR4 pinning just checks that bits are set, this also checks that the FSGSBASE bit is not set, and if it is clears it again.
So we are trying to "protect" ourselves from broken out-of-tree kernel modules now? Why stop with this type of check, why not just forbid them entirely if we don't trust them? :)
Oh, I have a bunch of patches pending for that :-)
It will basically decode the module text and refuse to load the module for most CPL0 instruction.