OS-7090: GDT limit reset to 0xffff

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2018-07-30T10:12:50.488Z)

Fix Versions

2018-08-02 XCannon (Release Date: 2018-08-02)

Description

I ran a test program that attempted to dereference a bunch of different segment selectors. Somewhat to my surprise, loading a selector of 0t4096 led to hitting "unexpected erratum 100" as per OS-6906.

It looks like the problem is due to running bhyve VMs. Let's read Intel vol 3 27.5.2, discussing VM exit behaviour:

The base addresses for GDTR and IDTR are loaded from the GDTR base-address field and the IDTR base-address field, respectively. If the processor supports the Intel 64 architecture and the processor supports N < 64 linear-address bits, each of bits 63:N of each base address is set to the value of bit N–1 of that base address. The GDTR and IDTR limits are each set to FFFFH.

And indeed, it looks like the GDT limit value is 64KB. So userspace will happily attempt to dereference past the end of the GDT page (in the debug_info as it happens). Due to KPTI, we'll fault as that page isn't mapped. Previously we could silently set the accessed bit, at least theoretically, which wouldn't be good.

We need to explicitly re-load the GDT on the way out of the VM. This also applies to KVM, which lacks the corresponding change given in

https://github.com/torvalds/linux/commit/3444d7da1839b851eefedd372978d8a982316c36

We need similar fixes for both bhyve and KVM. Unclear on IDT right now.
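The following is an added example, not code from this ticket or from the illumos-joyent/illumos-kvm fix. It models the limit check the CPU applies when a segment register is loaded from the GDT, so that the reasoning above can be replayed: with a sane one-page GDT (limit 0xfff, assumed here) selector 0t4096 (0x1000, index 512) fails the check and raises #GP, whereas with the 0xffff limit left behind by a VM exit the same selector passes and the CPU reads, and writes the accessed bit of, a descriptor one page past the table. The GDT base address and size are constructed values; the sgdt reader is only a convenience for a live check and is subject to the UMIP caveat in its comment.

```c
/*
 * Added example, not code from the OS-7090 ticket or from the
 * illumos-joyent/illumos-kvm fix: a small model of the CPU's segment-
 * selector limit check, showing why a GDTR.limit of 0xffff left behind by
 * a VM exit turns a load of selector 0t4096 into a read past the end of a
 * one-page GDT instead of a #GP. All addresses and sizes are made up.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE        4096u
#define GDT_ENTRY        8u        /* bytes per legacy descriptor */
#define VMEXIT_GDT_LIMIT 0xffffu   /* value the CPU leaves in GDTR.limit after VM exit */

/* GDTR contents: limit is the offset of the last valid byte (size - 1). */
struct gdtr {
    uint16_t limit;
    uint64_t base;
};

enum sel_result {
    SEL_NULL,   /* null selector: no descriptor is read */
    SEL_OK,     /* descriptor lies inside the table; *desc_addr is where the CPU reads it */
    SEL_GP,     /* index*8+7 exceeds the limit: hardware raises #GP(selector) */
    SEL_LDT     /* TI bit set; LDT lookups are not modelled here */
};

/*
 * Model of the check a segment-register load performs against the GDT:
 * the 8-byte descriptor at (index * 8) must lie entirely within
 * [base, base + limit]. RPL (bits 1:0) does not affect the range check.
 */
enum sel_result check_selector(const struct gdtr *g, uint16_t sel, uint64_t *desc_addr)
{
    uint16_t index = sel >> 3;
    bool     ti    = (sel >> 2) & 1;
    uint32_t off   = (uint32_t)index * GDT_ENTRY;

    if (ti)
        return SEL_LDT;
    if (index == 0)
        return SEL_NULL;
    if (off + (GDT_ENTRY - 1) > g->limit)
        return SEL_GP;
    *desc_addr = g->base + off;
    return SEL_OK;
}

/* True if the descriptor address falls outside the single page holding the GDT. */
bool desc_outside_gdt_page(const struct gdtr *g, uint64_t desc_addr)
{
    return desc_addr < g->base || desc_addr >= g->base + PAGE_SIZE;
}

/*
 * Replays the ticket's scenario: true if a selector that a correct limit
 * rejects with #GP instead resolves to an address past the GDT page once
 * the limit has been widened to 0xffff (with KPTI that next page is not
 * mapped, so the accessed-bit write becomes a kernel page fault).
 */
bool os7090_reproduces(uint16_t sel)
{
    /* Constructed: a one-page GDT at an arbitrary kernel address. */
    struct gdtr proper = { .limit = PAGE_SIZE - 1, .base = 0xfffffffffb800000ull };
    struct gdtr leaked = { .limit = VMEXIT_GDT_LIMIT, .base = proper.base };
    uint64_t addr = 0;

    if (check_selector(&proper, sel, &addr) != SEL_GP)
        return false;
    if (check_selector(&leaked, sel, &addr) != SEL_OK)
        return false;
    return desc_outside_gdt_page(&leaked, addr);
}

#if defined(__x86_64__)
struct __attribute__((packed)) gdtr_raw { uint16_t limit; uint64_t base; };

/*
 * Read the live GDTR with sgdt. Caveat: where the kernel enables UMIP the
 * instruction faults in user mode or returns an emulated value, so this is
 * only meaningful where sgdt is permitted (the ticket used ::sysregs in mdb).
 */
void read_gdtr(struct gdtr *g)
{
    struct gdtr_raw raw;
    __asm__ volatile ("sgdt %0" : "=m" (raw));
    g->limit = raw.limit;
    g->base  = raw.base;
}
#endif

int main(void)
{
    printf("selector 0x1000 (0t4096) reproduces OS-7090: %s\n",
           os7090_reproduces(0x1000) ? "yes" : "no");
#if defined(__x86_64__)
    struct gdtr g;
    read_gdtr(&g);
    printf("live GDTR limit=0x%04x base=0x%016llx%s\n", g.limit,
           (unsigned long long)g.base,
           g.limit == VMEXIT_GDT_LIMIT ? " (0xffff: VM-exit value leaked)" : "");
#endif
    return 0;
}
```

The useful boundary to keep in mind is index 511 (selector 0xff8, or 0xffb with RPL 3): it is the last entry that fits in a 4KB table and passes under both limits, while index 512 is the first that only the leaked 0xffff limit admits.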

Comments

Comment by John Levon
Created at 2018-07-26T12:16:16.228Z
Updated at 2018-07-26T12:22:46.326Z
I tested this by confirming that the GDTR limit value is now correct when running bhyve or KVM guests in ::sysregs.
It was tested in concert with OS-7064 - see there for more testing notes.

Comment by Jira Bot
Created at 2018-07-30T08:54:16.651Z
illumos-joyent commit 1d0338f3f33eec2ed45ec5a6cae30c399a3ef769 (branch master, by John Levon)

OS-7090 GDT limit reset to 0xffff
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>


Comment by Jira Bot
Created at 2018-07-30T08:55:42.091Z
illumos-kvm commit 657e3ab2d1aefe7cab92349b884c616b517bf200 (branch master, by John Levon)

OS-7090 GDT limit reset to 0xffff
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>