From: jamie@shareable.org (Jamie Lokier)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] ARM: Add SWP/SWPB emulation for ARMv7 processors (v2)
Date: Mon, 4 Jan 2010 19:34:00 +0000
Message-ID: <20100104193400.GB13537@shareable.org>
In-Reply-To: <F74D5D79E8EA1244A97ECCA56C4D01DB771E2EDD86@BUNGLE.Emea.Arm.com>

Leif Lindholm wrote:
> > From: Russell King - ARM Linux [mailto:linux at arm.linux.org.uk]
> > Sent: 19 December 2009 17:29
> 
> > > I wonder if there could be an exploit with Leif's current
> > > implementation. The LDREX/STREX pair to uncached or device memory may
> > > never complete. This way a user SWP to something like the frame
> > > buffer would lock the kernel.
> >
> > That means we shouldn't consider applying it until that has been
> > investigated.
> 
> What if I modify the patch such that a failed STREX causes the emulation to
> return success without readjusting the PC? This would result in the SWP
> instruction being executed again upon returning to the application - removing
> the potential kernel lockup.

There is no need to return to userspace, as you know that userspace
will immediately retry the instruction, or respond to a signal.

So you can loop, as long as you:

   1. Allow other tasks to run by calling cond_resched().
   2. Break out of the loop if signal_pending().

I think that's sufficient but I hope someone will double check because
I'm a little rusty.

If someone executes SWP on uncached or device memory and it's not an
intentional DOS (e.g. worked with older ARMs), they won't expect the
instruction to loop at that point.  Faulting would be better.
Is it feasible to detect when this has happened and send a SIGBUS
signal instead of looping?

-- Jamie
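
The retry loop proposed in the message above, as an added userspace model in C; it is not code from this thread or from the patch. The kernel's cond_resched() and signal_pending() are replaced by stand-ins, and `struct model`, `try_exclusive_swap()` and `emulate_swp()` are hypothetical names, so the control flow can be run outside the kernel, including the case where the exclusive store never succeeds.

```c
#include <stdbool.h>
#include <stdint.h>

#define STREX_NEVER_SUCCEEDS UINT32_MAX   /* models uncached/device memory */

enum swp_result { SWP_DONE, SWP_INTERRUPTED };

struct model {                    /* constructed harness state, not kernel data */
    uint32_t strex_failures_left; /* failed attempts before STREX succeeds */
    uint32_t signal_after;        /* signal becomes pending after N yields */
    uint32_t yields;              /* times the cond_resched() stand-in ran */
};

/* Stand-in for one LDREX/STREX attempt; true means the store succeeded. */
static bool try_exclusive_swap(struct model *m, uint32_t *addr, uint32_t *val)
{
    if (m->strex_failures_left == STREX_NEVER_SUCCEEDS)
        return false;
    if (m->strex_failures_left > 0) {
        m->strex_failures_left--;
        return false;
    }
    uint32_t old = *addr;
    *addr = *val;
    *val = old;                   /* SWP hands back the previous memory value */
    return true;
}

/* Stand-ins for the kernel's cond_resched() and signal_pending(). */
static void model_cond_resched(struct model *m) { m->yields++; }
static bool model_signal_pending(const struct model *m)
{
    return m->yields >= m->signal_after;
}

/* The loop from the message: retry in place, yield, stop on a signal. */
enum swp_result emulate_swp(struct model *m, uint32_t *addr, uint32_t *val)
{
    for (;;) {
        if (try_exclusive_swap(m, addr, val))
            return SWP_DONE;
        model_cond_resched(m);          /* 1. allow other tasks to run */
        if (model_signal_pending(m))    /* 2. break out if a signal is pending */
            return SWP_INTERRUPTED;     /* memory and *val are left untouched */
    }
}
```

In this model, removing the signal check leaves the never-succeeding case with no exit, which is the lockup the quoted text is concerned about.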

Thread overview: 11+ messages
2009-12-18 18:04 [PATCH] ARM: Add SWP/SWPB emulation for ARMv7 processors (v2) Leif Lindholm
2009-12-18 18:20 ` Russell King - ARM Linux
2009-12-18 19:48   ` Jamie Lokier
2009-12-18 20:01     ` Russell King - ARM Linux
2009-12-18 19:54   ` Jamie Lokier
2009-12-18 20:03     ` Russell King - ARM Linux
2009-12-19 17:18   ` Catalin Marinas
2009-12-19 17:28     ` Russell King - ARM Linux
2010-01-04 18:18       ` Leif Lindholm
2010-01-04 19:34         ` Jamie Lokier [this message]
2010-01-05 18:09           ` Leif Lindholm
