From: Zachary Amsden <zach@vmware.com>
To: Stas Sergeev <stsp@aknet.ru>
Cc: Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: + espfix-code-cleanup.patch added to -mm tree
Date: Wed, 02 Aug 2006 11:30:08 -0700 [thread overview]
Message-ID: <44D0EF30.7030701@vmware.com> (raw)
In-Reply-To: <44D0DCF5.8050906@aknet.ru>
Stas Sergeev wrote:
> Hi,
>
> Zachary Amsden wrote:
>> You need to get a #GP or #NP on the faulting iret. Several ways to
>> do that -
> I do that much simpler - I provoke a SIGSEGV and in a signal handler
> I put the wrong value to scp->cs or scp->ss, and that makes iret to
> fault.
Ok, that's a new trick ;)
>
>> iret faults, but doesn't pop the user return frame.
> But does it push the kernel frame after it or not?
> If not - I don't understand how we go to a fixup.
> If yes - I don't understand how the user's frame gets
> accessed later, as it is above the kernel's frame.
Yes. The iret faults, the fault pushes a new kernel frame - and the
fault handler's iret returns, removing the kernel frame. So the kernel
frame is gone by the time the fixup runs.
>
>>> safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do
>>> that please? :)
>>> For what, btw? There are no such a things for __KERNEL_DS or
>>> anything, so
>>> I just don't see the necessity.
>> It helps track down any bugs that could leak through otherwise and
>> corrupt random memory.
> I think regs->esp + THREAD_SIZE*2 is already very permissive,
> and I'd like to avoid messing with granularity. So unless you
> really insist, I'll better not do that. :)
It's really hard to catch bugs that could otherwise happen when a
non-zero based stack gets used (for example, C code which uses %ebp with
-fomit-frame-pointer). Setting the limit to THREAD_SIZE should
guarantee that the non-zero based stack never is used to access anything
but the stack and current thread.
Zach
next prev parent reply other threads:[~2006-08-02 18:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200607300016.k6U0GYu4023664@shell0.pdx.osdl.net>
2006-07-30 10:57 ` [patch] espfix code cleanup more Stas Sergeev
[not found] ` <44CE766D.6000705@vmware.com>
2006-08-01 12:21 ` + espfix-code-cleanup.patch added to -mm tree Stas Sergeev
2006-08-01 13:38 ` Jan Beulich
2006-08-01 14:37 ` Stas Sergeev
2006-08-01 14:43 ` Jan Beulich
2006-08-01 15:09 ` Stas Sergeev
2006-08-01 21:01 ` Zachary Amsden
2006-08-02 17:12 ` Stas Sergeev
2006-08-02 18:30 ` Zachary Amsden [this message]
2006-08-02 19:12 ` Stas Sergeev
2006-08-01 2:24 Chuck Ebbert
2006-08-01 12:39 ` Stas Sergeev
-- strict thread matches above, loose matches on Subject: below --
2006-08-02 19:14 Chuck Ebbert
2006-08-02 19:31 ` Stas Sergeev
2006-08-12 2:27 Chuck Ebbert
2006-08-12 10:35 ` Stas Sergeev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44D0EF30.7030701@vmware.com \
--to=zach@vmware.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stsp@aknet.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.