Linux Patches Look To Restrict Modules From Poking Certain Registers, Using Select Instructions
Longtime kernel developer Peter Zijlstra has patches, originally written last April and now queued as part of his own branch, that place new restrictions on kernel modules.
One change is to disallow some CPL0 instructions. It started out with the desire to disallow modules from poking the global descriptor table (GDT) or returning to user-space; further precautions are to error out if a module tries to alter the register state or mess with the FS/GS base.
An additional patch detects CRn and DRn manipulation. That work is to disallow kernel modules from writing to the control CRn / XCRn and debug DRn registers. Using the proper accessors is desired rather than poking those control/debug registers directly.
For now these patches are part of Zijlstra's x86/module code, but we'll see if they go mainline soon enough in an effort to enforce clean kernel module behavior.