From: Petr Vandrovec <vandrove@vc.cvut.cz>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Leif Sawyer <lsawyer@gci.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: FW: i386 Linux kernel DoS (clarification)
Date: Wed, 13 Nov 2002 22:13:18 +0100
Message-ID: <20021113211318.GA1962@vana>
In-Reply-To: <1037221814.12445.126.camel@irongate.swansea.linux.org.uk>
On Wed, Nov 13, 2002 at 09:10:14PM +0000, Alan Cox wrote:
> On Wed, 2002-11-13 at 20:36, Petr Vandrovec wrote:
> > 2.5.47-current-bk, run as mere user: Kernel panic: Attempted to kill init!
> > Next time I'll trust you.
>
> It does the lcall
> The lcall takes an exception
> The exception (TF) has NT set
> iret returns via the task linkage
>
> I think just clearing the NT bit in both lcall path _and_ in the TF
> exception handler does the trick.
This fixes it for me. I'll have to look at the ia32 manual at home to see why I
must do pushl %eax & popfl, as NT should already be cleared by
do_debug(). I'm probably missing something obvious, but I do not think that
adding these three instructions into the lcall7/27 fastpath is acceptable.
Without pushl %eax & popfl it behaved much better than originally:
modprobe started, said that personality-1 does not exist, and then the
system killed init (instead of killing init immediately).
Best regards,
Petr Vandrovec
vandrove@vc.cvut.cz
diff -urN linux-2.5.47.dist/arch/i386/kernel/entry.S linux-2.5.47/arch/i386/kernel/entry.S
--- linux-2.5.47.dist/arch/i386/kernel/entry.S 2002-11-11 12:26:04.000000000 +0100
+++ linux-2.5.47/arch/i386/kernel/entry.S 2002-11-13 22:02:17.000000000 +0100
@@ -131,6 +131,9 @@
movl EIP(%esp), %eax # due to call gates, this is eflags, not eip..
movl CS(%esp), %edx # this is eip..
movl EFLAGS(%esp), %ecx # and this is cs..
+ andl $~NT_MASK, %eax
+ pushl %eax
+ popfl
movl %eax,EFLAGS(%esp) #
movl %edx,EIP(%esp) # Now we move them to their "normal" places
movl %ecx,CS(%esp) #
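Review bot: the `pushl %eax` / `popfl` pair loads the caller's whole saved EFLAGS word (the comment on the hunk's first line says `%eax` holds the eflags pushed through the call gate) into the live kernel flags, not just a cleared NT bit, so any other flag the caller had set at the time of the lcall (DF, TF, ...) takes effect in kernel context at this point. If masking NT in the saved frame via the following `movl %eax,EFLAGS(%esp)` is not sufficient on its own, the reason belongs in a comment next to these three lines; otherwise keep only the `andl $~NT_MASK, %eax` and drop the `pushl`/`popfl`.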
@@ -153,6 +156,9 @@
movl EIP(%esp), %eax # due to call gates, this is eflags, not eip..
movl CS(%esp), %edx # this is eip..
movl EFLAGS(%esp), %ecx # and this is cs..
+ andl $~NT_MASK, %eax
+ pushl %eax
+ popfl
movl %eax,EFLAGS(%esp) #
movl %edx,EIP(%esp) # Now we move them to their "normal" places
movl %ecx,CS(%esp) #
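Review bot: this repeats the lcall7 hunk's three-instruction sequence verbatim in the lcall27 path; if the sequence stays, putting it in a shared macro keeps the two call-gate entry paths from drifting apart, and the same objection to `popfl` (it installs the caller's entire EFLAGS, not only the cleared NT bit) applies here unchanged.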
diff -urN linux-2.5.47.dist/arch/i386/kernel/traps.c linux-2.5.47/arch/i386/kernel/traps.c
--- linux-2.5.47.dist/arch/i386/kernel/traps.c 2002-11-11 12:26:02.000000000 +0100
+++ linux-2.5.47/arch/i386/kernel/traps.c 2002-11-13 21:54:26.000000000 +0100
@@ -636,7 +636,7 @@
return;
clear_TF:
- regs->eflags &= ~TF_MASK;
+ regs->eflags &= ~(TF_MASK|NT_MASK);
return;
}
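Review bot: NT is now cleared only on the `clear_TF` path; the `return;` immediately above the label exits with NT untouched for whichever case reaches it, so if the concern is an `iret` returning through the task linkage after a debug trap, that early return needs the same masking. The label and the original line document TF only; add a one-line comment here stating why NT is masked (the call-gate entry leaves NT set and `iret` would otherwise return via the task link, as the quoted reply explains), since nothing at this site says so.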