Re: what's papered over by set_fs(USER_DS) in amd64 signal delivery?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@elte.hu>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Brian Gerst <brgerst@gmail.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	tglx@linutronix.de, mingo@redhat.com,
	linux-kernel@vger.kernel.org
Subject: Re: what's papered over by set_fs(USER_DS) in amd64 signal delivery?
Date: Sun, 26 Sep 2010 11:13:06 +0200	[thread overview]
Message-ID: <20100926091306.GA3857@elte.hu> (raw)
In-Reply-To: <20100925052054.GU19804@ZenIV.linux.org.uk>

* Al Viro <viro@ZenIV.linux.org.uk> wrote:

> [...]  IOW, that set_fs() seems to have been useless from the day 1, 
> unless I'm missing something really subtle, like e.g. some processes 
> deliberately running (in 2.0) with %fs set to something with lower 
> limit, with signal handlers allowed to switch back to normal for 
> duration.  And even that would've been broken, since there wouldn't be 
> a matching set_fs() in sigreturn()...

I dont recall us ever having done anything particularly 'clever' with 
in-kernel set_fs()/restore_fs(). Beyond fork/clone it was always 
supposed to be set/restored in a balanced manner. We sometimes leaked it 
unintentionally, and those were security holes.

( Cleverness with security primitives was in fact always actively
  discouraged, even in the early days, as cleverness has the uncanny
  tendency to bit-rot and then has the tendency to slow-convert to a
  security hole by stealth. We always wanted obvious, boringly dumb,
  fail-safe primitives, which can take a few years of bitrot robustly. )

Thanks,

	Ingo

     prev parent reply	other threads:[~2010-09-26  9:13 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-24 15:52 what's papered over by set_fs(USER_DS) in amd64 signal delivery? Al Viro
2010-09-24 16:07 ` Linus Torvalds
2010-09-24 16:57   ` Al Viro
2010-09-25  2:25     ` Brian Gerst
2010-09-25  2:48       ` Al Viro
2010-09-25  3:51         ` Brian Gerst
2010-09-25  5:20           ` Al Viro
2010-09-25  9:54             ` Brian Gerst
2010-09-26  9:13             ` Ingo Molnar [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100926091306.GA3857@elte.hu \
    --to=mingo@elte.hu \
    --cc=brgerst@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.