From: "H. Peter Anvin" <hpa@zytor.com>
To: halfdog <me@halfdog.net>, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	x86@kernel.org, linux-kernel@vger.kernel.org,
	Ben Hutchings <ben@decadent.org.uk>,
	Borislav Petkov <bp@alien8.de>
Subject: Re: Sanitize CPU-state when switching tasks (was sanitize CPU-state when switching from virtual-8086 mode to other task)
Date: Wed, 08 Jan 2014 09:42:40 -0800
Message-ID: <52CD8E10.3010204@zytor.com>
In-Reply-To: <52CD022E.9040107@halfdog.net>

Adding Borislav.

Boris, do you happen to know of any erratum on AMD E-350 which may be
in play here?

	-hpa


On 01/07/2014 11:45 PM, halfdog wrote:
> Update to the issue:
> 
> * Although first observed with virtual-8086 mode, the bug is not
> specific to virtual-8086 mode; it can be triggered with normal x86
> userspace code also, even with better reproducibility.
> 
> * Ben Hutchings looked at the Debian bug report [1]; he failed to
> reproduce on his hardware, so it might be specific to some CPU
> models (currently my AMD E-350 is the only machine known to be
> affected).
> 
> * When deactivating mmap_min_addr, the NULL-dereferences during
> task-switch are exploitable; this works both on native hardware and
> within VirtualBox. See [2] for a POC to gain root privileges.
> 
> * It seems that when changing the FPU control word with "fstcw"
> just before exit of the process, then another process could suffer
> when doing __do_switch, probably related to the xsave instruction
> and an x86 processor bug workaround, see the "noxsave" switch [3]:
> "[BUGS=X86] Disables x86 extended register state save and restore
> using xsave. The kernel will fallback to enabling legacy
> floating-point and sse state."
> 
> hd
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733551
> [2] http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/
> [3] https://www.kernel.org/doc/Documentation/kernel-parameters.txt


Thread overview: 24+ messages
2013-12-28 22:02 Sanitize CPU-state when switching from virtual-8086 mode to other task halfdog
2013-12-29  2:37 ` H. Peter Anvin
2013-12-29 20:44   ` halfdog
2013-12-30  1:18     ` H. Peter Anvin
2013-12-30 15:52       ` halfdog
2013-12-31 18:42         ` H. Peter Anvin
2013-12-31 19:21           ` Konrad Rzeszutek Wilk
2013-12-31 22:40             ` H. Peter Anvin
2014-01-03 23:07               ` Sanitize FPU-state when switching tasks (was sanitize CPU-state when switching from virtual-8086 mode to other task) halfdog
2014-01-08  7:45               ` Sanitize CPU-state " halfdog
2014-01-08 17:42                 ` H. Peter Anvin [this message]
2014-01-08 19:36                   ` Borislav Petkov
2014-01-08 21:28                     ` halfdog
2014-01-08 22:39                       ` H. Peter Anvin
2014-01-09 22:58                         ` Borislav Petkov
2014-01-10  0:42                           ` Linus Torvalds
2014-01-10  2:13                             ` H. Peter Anvin
2014-01-10 10:06                               ` Borislav Petkov
2014-01-10 11:16                                 ` Linus Torvalds
2014-01-10 11:34                                   ` Borislav Petkov
2014-01-10 16:11                                   ` H. Peter Anvin
2014-01-12  3:22                             ` [tip:x86/urgent] x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround tip-bot for Linus Torvalds
2014-01-09 22:50                       ` Sanitize CPU-state when switching tasks (was sanitize CPU-state when switching from virtual-8086 mode to other task) halfdog
2014-01-09 23:02                         ` Borislav Petkov
