From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Anvin <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
the arch/x86 maintainers <x86@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] de-asmify the x86-64 system call slowpath
Date: Mon, 27 Jan 2014 07:42:09 +0000 [thread overview]
Message-ID: <20140127074208.GB10323@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFzCtJ5gfw__3A=zkjJdv9Ag2CAmtHG5MnrRnCZYqz7EQA@mail.gmail.com>
On Sun, Jan 26, 2014 at 08:32:09PM -0800, Linus Torvalds wrote:
> On Sun, Jan 26, 2014 at 4:22 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > Umm... Can't uprobe_notify_resume() modify regs as well?
>
> Probably.
>
> .. and on the other hand, we should actually be able to use 'sysret'
> for signal handling on x86-64, because while sysret destroys %rcx and
> doesn't allow for returning to odd modes, for calling a signal handler
> I don't think we really care..
I'm afraid we might:
* When user can change the frames always force IRET. That is because
* it deals with uncanonical addresses better. SYSRET has trouble
* with them due to bugs in both AMD and Intel CPUs.
IIRC, that was about SYSRET with something unpleasant left in RCX, which
comes from regs->ip, which is set to sa_handler by __setup_rt_frame().
And we do not normalize or validate that - not in __setup_rt_frame() and
not at sigaction(2) time. Something about GPF triggered and buggering
attacker-chosen memory area? I don't remember details, but IIRC the
conclusion had been "just don't go there"...
Note that we can manipulate regs->ip and regs->sp, regardless of validation
at sigaction(2) or __setup_rt_frame() - just have the sucker ptraced, send
it a signal and it'll stop on delivery. Then tracer can use ptrace to modify
registers and issue PTRACE_CONT with zero signal. Voila - regs->[is]p
set to arbitrary values, no signal handlers triggered...
next prev parent reply other threads:[~2014-01-27 7:42 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-26 22:28 [RFC] de-asmify the x86-64 system call slowpath Linus Torvalds
2014-01-27 0:22 ` Al Viro
2014-01-27 4:32 ` Linus Torvalds
2014-01-27 4:48 ` H. Peter Anvin
2014-01-27 7:42 ` Al Viro [this message]
2014-01-27 22:06 ` Andy Lutomirski
2014-01-27 22:17 ` Linus Torvalds
2014-01-27 22:32 ` Al Viro
2014-01-27 22:43 ` Linus Torvalds
2014-01-27 22:46 ` Andy Lutomirski
2014-01-28 0:22 ` H. Peter Anvin
2014-01-28 0:44 ` Andy Lutomirski
2014-01-27 23:07 ` Al Viro
2014-01-27 10:27 ` Peter Zijlstra
2014-01-27 11:36 ` Al Viro
2014-01-27 17:39 ` Oleg Nesterov
2014-01-28 1:18 ` Al Viro
2014-01-28 16:38 ` Oleg Nesterov
2014-01-28 16:48 ` Al Viro
2014-01-28 17:19 ` Oleg Nesterov
2014-02-06 0:32 ` Linus Torvalds
2014-02-06 0:55 ` Kirill A. Shutemov
2014-02-06 2:32 ` Linus Torvalds
2014-02-06 4:33 ` Linus Torvalds
2014-02-06 21:29 ` Linus Torvalds
2014-02-06 22:24 ` Kirill A. Shutemov
2014-02-07 1:31 ` Linus Torvalds
2014-02-07 15:42 ` [RFC, PATCH] mm: map few pages around fault address if they are in page cache Kirill A. Shutemov
2014-02-07 17:32 ` Andi Kleen
2014-02-07 17:56 ` Kirill A. Shutemov
2014-02-07 18:11 ` Andi Kleen
2014-02-06 5:42 ` [RFC] de-asmify the x86-64 system call slowpath Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140127074208.GB10323@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.