From: Andrea Arcangeli <andrea@suse.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>,
Leif Sawyer <lsawyer@gci.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@transmeta.com>,
Marcelo Tosatti <marcelo@conectiva.com.br>
Subject: Re: FW: i386 Linux kernel DoS
Date: Thu, 14 Nov 2002 04:05:41 +0100 [thread overview]
Message-ID: <20021114030541.GU31697@dualathlon.random> (raw)
In-Reply-To: <1037146219.10083.15.camel@irongate.swansea.linux.org.uk>
On Wed, Nov 13, 2002 at 12:10:19AM +0000, Alan Cox wrote:
> On Tue, 2002-11-12 at 23:31, Christoph Hellwig wrote:
> > On Tue, Nov 12, 2002 at 02:28:55PM -0900, Leif Sawyer wrote:
> > > This was posted on bugtraq today...
> >
> > A real segfaulting program? wow :)
>
> Looks like the TF handling bug which was fixed a while ago
Program received signal SIGSEGV, Segmentation fault.
0xc01097d9 in restore_all ()
(gdb) bt
#0 0xc01097d9 in restore_all ()
#1 0xbfffe4b7 in ?? ()
c01097d9: cf iret
it's the NT not the TF. iret is called with NT set and the cpu
follows the back link which is zero (we never use hardware task
switching and nt is artificially set so it would lead to kernel
malfunction anyways).
the TF was fixed a while ago as you said and that's fine now.
we just can't allow userspace to set NT or iret will crash at ret from
userspace, furthmore there's no useful thing the userspace can do with
the NT flag.
here the fix, it applies to all 2.4 and 2.5:
--- 2.4.20rc1aa2/arch/i386/kernel/ptrace.c.~1~ Fri Aug 9 14:52:06 2002
+++ 2.4.20rc1aa2/arch/i386/kernel/ptrace.c Thu Nov 14 03:56:00 2002
@@ -28,7 +28,7 @@
/* determines which flags the user has access to. */
/* 1 = access 0 = no access */
-#define FLAG_MASK 0x00044dd5
+#define FLAG_MASK 0x00040dd5
/* set's the trap flag. */
#define TRAP_FLAG 0x100
Andrea
next prev parent reply other threads:[~2002-11-14 2:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-11-12 23:28 FW: i386 Linux kernel DoS Leif Sawyer
2002-11-12 23:31 ` Christoph Hellwig
2002-11-13 0:10 ` Alan Cox
2002-11-13 23:38 ` Jirka Kosina
2002-11-13 23:58 ` Chris Wright
2002-11-14 9:08 ` Helge Hafting
2002-11-14 3:05 ` Andrea Arcangeli [this message]
2002-11-14 4:10 ` Andrea Arcangeli
2002-11-14 18:12 ` Linus Torvalds
2002-11-14 19:00 ` Andrea Arcangeli
2002-11-14 19:17 ` Linus Torvalds
2002-11-15 2:13 ` Andrea Arcangeli
2002-11-14 20:06 ` Petr Vandrovec
2002-11-16 19:33 ` Krzysiek Taraszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20021114030541.GU31697@dualathlon.random \
--to=andrea@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lsawyer@gci.com \
--cc=marcelo@conectiva.com.br \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox