From: "H. Peter Anvin" <hpa@zytor.com>
To: Roland McGrath <roland@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>,
Suresh Siddha <suresh.b.siddha@intel.com>,
Mikael Pettersson <mikpe@it.uu.se>,
mingo@elte.hu, tglx@linutronix.de, torvalds@linux-foundation.org,
akpm@linux-foundation.org, drepper@redhat.com,
Hongjiu.lu@intel.com, linux-kernel@vger.kernel.org,
arjan@linux.intel.com, rmk+lkml@arm.linux.org.uk, dan@debian.org,
asit.k.mallick@intel.com
Subject: Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions
Date: Wed, 21 May 2008 17:05:47 -0700
Message-ID: <4834B8DB.6030504@zytor.com>
In-Reply-To: <20080520201044.ED62B26FA1C@magilla.localdomain>
Roland McGrath wrote:
>> I don't think there is one. We never copy fxsave completely out of the
>> kernel. x86-64 does FXSAVE directly in/out user space, but the
>> only leak is what there was before.
>
> ptrace/user_regset copies out and in the whole fxsave block from the ptrace
> caller. (Only the mxcsr word is constrained after copy-in.)
I see two problems with that:
1. Potential information leak out of the kernel if the memory area isn't
zeroed before the first FXSAVE - I haven't verified whether that is the case.
This would be a (potentially very serious) security hole.
2. Hidden state in the kernel - this means user space can set
nonarchitectural state in the kernel. There are a few risks with that:
a. Malware might use it to hide state.
b. The possibility of using the stability or lack thereof of this
state to extract information about kernel internals and/or
provide a covert channel in the presence of hardware changes.
c. It is not certain that future architectures will not have
off-limit fields here, like the equivalent of MXCSR. This is
somewhat of a tricky judgement, of course, but it seems safer
to me if we would explicitly list the modifiable fields.
Thoughts?
-hpa
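An added example, not code from this thread or from the kernel, of the explicit-whitelist approach suggested above: the in-kernel FXSAVE image is rebuilt from a zeroed buffer, only named architectural fields are copied from the untrusted copy, and MXCSR is checked against the CPU's mask so reserved bits and software-reserved bytes can carry neither leaked kernel data nor hidden user state. The struct, its field names, the helper names and the 0xFFBF fallback mask are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* 512-byte FXSAVE image (64-bit form); offsets follow the architectural layout. */
struct fxsave_image {
    uint16_t cwd, swd;        /* x87 control and status words */
    uint16_t twd, fop;        /* abridged tag (low byte only; high byte reserved), opcode */
    uint64_t rip, rdp;
    uint32_t mxcsr, mxcsr_mask;
    uint32_t st_space[32];    /* ST0..ST7, 16 bytes each */
    uint32_t xmm_space[64];   /* XMM0..XMM15, 16 bytes each */
    uint32_t padding[12];     /* architecturally reserved */
    uint32_t sw_reserved[12]; /* software-available; not user-writable here */
};
#define MXCSR_DEFAULT_MASK 0x0000FFBFu   /* applies when the CPU reports a mask of 0 */
/* Rebuild an in-kernel image from an untrusted one, copying only the fields a
 * user may set. The destination is zeroed first, so neither stale kernel bytes
 * nor caller-chosen bytes survive in reserved areas. Returns 0 on success, -1 if
 * mxcsr carries reserved bits (FXRSTOR would fault on them). */
int fxsave_sanitize(struct fxsave_image *dst, const struct fxsave_image *src,
                    uint32_t cpu_mxcsr_mask)
{
    uint32_t mask = cpu_mxcsr_mask ? cpu_mxcsr_mask : MXCSR_DEFAULT_MASK;
    memset(dst, 0, sizeof *dst);
    if (src->mxcsr & ~mask)
        return -1;
    dst->cwd = src->cwd;  dst->swd = src->swd;
    dst->twd = src->twd & 0x00FFu;   /* drop the reserved high byte */
    dst->fop = src->fop;  dst->rip = src->rip;  dst->rdp = src->rdp;
    dst->mxcsr = src->mxcsr;
    dst->mxcsr_mask = mask;          /* report the CPU's mask, never the caller's */
    memcpy(dst->st_space, src->st_space, sizeof dst->st_space);
    memcpy(dst->xmm_space, src->xmm_space, sizeof dst->xmm_space);
    return 0;                        /* padding and sw_reserved stay zero */
}
/* Constructed check: an image with attacker-chosen bytes everywhere and a bogus
 * mask comes back clean; one with a reserved MXCSR bit set is refused. */
int fxsave_sanitize_selftest(void)
{
    struct fxsave_image src, dst;
    memset(&src, 0xA5, sizeof src);
    src.mxcsr = 0x1F80;              /* architectural default MXCSR */
    if (sizeof dst != 512 || fxsave_sanitize(&dst, &src, 0) != 0)
        return 0;
    if (dst.mxcsr_mask != MXCSR_DEFAULT_MASK || dst.twd != 0xA5 ||
        dst.padding[0] != 0 || dst.sw_reserved[11] != 0 || dst.xmm_space[63] != 0xA5A5A5A5u)
        return 0;
    src.mxcsr = 0x1F80 | 0x00010000u; /* bit 16 is reserved */
    return fxsave_sanitize(&dst, &src, 0) == -1;
}
```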