From: Andrea Arcangeli <andrea@suse.de>
To: Doug Ledford <dledford@redhat.com>,
jh@suse.cz, linux-kernel@vger.kernel.org, jakub@redhat.com,
aj@suse.de, ak@suse.de, pavel@atrey.karlin.mff.cuni.cz
Subject: Re: SSE related security hole
Date: Thu, 18 Apr 2002 07:26:15 +0200 [thread overview]
Message-ID: <20020418072615.I14322@dualathlon.random> (raw)
In-Reply-To: <20020417194249.B23438@redhat.com>
On Wed, Apr 17, 2002 at 07:42:49PM -0400, Doug Ledford wrote:
> --- i387.c.save Wed Apr 17 19:22:47 2002
> +++ i387.c Wed Apr 17 19:28:27 2002
> @@ -33,8 +33,26 @@
> void init_fpu(void)
> {
> __asm__("fninit");
> - if ( cpu_has_xmm )
> + if ( cpu_has_mmx )
> + asm volatile("xorq %%mm0, %%mm0;
> + xorq %%mm1, %%mm1;
> + xorq %%mm2, %%mm2;
> + xorq %%mm3, %%mm3;
> + xorq %%mm4, %%mm4;
> + xorq %%mm5, %%mm5;
> + xorq %%mm6, %%mm6;
> + xorq %%mm7, %%mm7");
This mean the mmx isn't really backwards compatible and that's
potentially a problem for all the legacy x86 multiuser operative
systems. That's an hardware design bug, not a software problem. In
short running a 2.[02] kernel on a MMX capable CPU isn't secure, the
same potentially applies to windows NT and other unix, no matter of SSE.
I verified with this simple proggy:
main()
{
long long x = 2;
long long z = 3;
asm volatile("movq %0, %%mm0":: "m" (x));
asm volatile("fninit");
asm volatile("movq %%mm0, %0": "=m" (z):);
printf("%d\n", z);
}
it prints 2 here, while it should print zero or at least random to be
backwards compatible.
SSE was a completly different issue, that is a software bug. SSE is
disabled by non aware OS, and so if we enable it we also must take care
of clearing it at the first math fault.
> + if ( cpu_has_xmm ) {
> + asm volatile("xorps %%xmm0, %%xmm0;
> + xorps %%xmm1, %%xmm1;
> + xorps %%xmm2, %%xmm2;
> + xorps %%xmm3, %%xmm3;
> + xorps %%xmm4, %%xmm4;
> + xorps %%xmm5, %%xmm5;
> + xorps %%xmm6, %%xmm6;
> + xorps %%xmm7, %%xmm7");
The patch has a couple of problems. xorq doesn't exists. Since there are
no params you should also drop one %. Also I think we need an emms after
the mmx operations to remain binary compatible with the x86 ABI.
How does this look?
--- 2.4.19pre7aa1/arch/i386/kernel/i387.c.~1~ Thu Apr 18 05:23:12 2002
+++ 2.4.19pre7aa1/arch/i386/kernel/i387.c Thu Apr 18 07:20:26 2002
@@ -33,8 +33,28 @@
void init_fpu(void)
{
__asm__("fninit");
- if ( cpu_has_xmm )
+ if (cpu_has_mmx) {
+ asm volatile("pxor %mm0, %mm0\n\t"
+ "movq %mm0, %mm1\n\t"
+ "movq %mm0, %mm2\n\t"
+ "movq %mm0, %mm3\n\t"
+ "movq %mm0, %mm4\n\t"
+ "movq %mm0, %mm5\n\t"
+ "movq %mm0, %mm6\n\t"
+ "movq %mm0, %mm7\n\t"
+ "emms\n");
+ }
+ if ( cpu_has_xmm ) {
+ asm volatile("xorps %xmm0, %xmm0\n\t"
+ "xorps %xmm1, %xmm1\n\t"
+ "xorps %xmm2, %xmm2\n\t"
+ "xorps %xmm3, %xmm3\n\t"
+ "xorps %xmm4, %xmm4\n\t"
+ "xorps %xmm5, %xmm5\n\t"
+ "xorps %xmm6, %xmm6\n\t"
+ "xorps %xmm7, %xmm7\n");
load_mxcsr(0x1f80);
+ }
current->used_math = 1;
}
Andrea
next prev parent reply other threads:[~2002-04-18 8:23 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-04-17 23:42 SSE related security hole Doug Ledford
2002-04-18 5:26 ` Andrea Arcangeli [this message]
2002-04-18 9:10 ` Arjan van de Ven
2002-04-18 11:18 ` Alan Cox
2002-04-18 11:14 ` Andi Kleen
2002-04-18 11:53 ` Alan Cox
2002-04-18 11:46 ` Andi Kleen
2002-04-18 11:55 ` Andi Kleen
2002-04-18 13:44 ` Doug Ledford
2002-04-18 19:20 ` Pavel Machek
2002-04-18 19:32 ` Doug Ledford
2002-04-21 19:54 ` Pavel Machek
2002-04-18 8:22 ` Andi Kleen
2002-04-18 14:02 ` [OT: nostalgia] " Matthias Andree
-- strict thread matches above, loose matches on Subject: below --
2002-04-22 22:24 Saxena, Sunil
[not found] <20020418183639.20946.qmail@science.horizon.com.suse.lists.linux.kernel>
[not found] ` <a9ncgs$2s2$1@cesium.transmeta.com.suse.lists.linux.kernel>
2002-04-19 14:06 ` Andi Kleen
2002-04-19 18:00 ` Doug Ledford
2002-04-19 21:04 ` Andrea Arcangeli
2002-04-19 21:35 ` H. Peter Anvin
2002-04-19 21:42 ` Andi Kleen
2002-04-20 3:23 ` Andrea Arcangeli
2002-04-19 22:18 ` Jan Hubicka
[not found] <200204182320.53095.nahshon@actcom.co.il>
2002-04-19 11:22 ` Alan Cox
2002-04-18 18:36 linux
2002-04-18 18:53 ` Richard B. Johnson
2002-04-21 19:52 ` Pavel Machek
2002-04-21 22:11 ` David Wagner
2002-04-18 21:06 ` H. Peter Anvin
2002-04-17 14:51 Jan Hubicka
2002-04-17 15:23 ` Jan Hubicka
2002-04-18 14:57 ` Denis Vlasenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020418072615.I14322@dualathlon.random \
--to=andrea@suse.de \
--cc=aj@suse.de \
--cc=ak@suse.de \
--cc=dledford@redhat.com \
--cc=jakub@redhat.com \
--cc=jh@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@atrey.karlin.mff.cuni.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox