From: Andrea Arcangeli <andrea@suse.de>
To: Linus Torvalds <torvalds@transmeta.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Christoph Hellwig <hch@infradead.org>,
Leif Sawyer <lsawyer@gci.com>,
Kernel Mailing List <linux-kernel@vger.kernel.org>,
Marcelo Tosatti <marcelo@conectiva.com.br>
Subject: Re: FW: i386 Linux kernel DoS
Date: Fri, 15 Nov 2002 03:13:08 +0100 [thread overview]
Message-ID: <20021115021308.GV31697@dualathlon.random> (raw)
In-Reply-To: <Pine.LNX.4.44.0211141112480.4989-100000@penguin.transmeta.com>
On Thu, Nov 14, 2002 at 11:17:47AM -0800, Linus Torvalds wrote:
>
> On Thu, 14 Nov 2002, Andrea Arcangeli wrote:
> >
> > actually TF should cleared implicitly in the do_debug or it could get
> > the single step trap before you can clear TF explicitly in the entry.S.
>
> But that's fine. Getting a single step trap in the kernel is not a
> problem: the trap will clear TF/NT on the "recursive" kernel entry, and on
> the recursive "iret" nothing bad will happen.
>
> Remember: what is on the _stack_ doesn't matter. The only thing that
yes.
> matters is what is actually in the EFLAGS register itself.
>
> > but it's certainly zerocost to clear it explicitly there too just to
> > remeber it's one of the bits not cleared implicitly in hardware when
> > entering via lcall. However in 2.5 it seems the clear_TF in do_debug is
> > still missing.
>
> No, do_debug() already does
>
> /* Mask out spurious TF errors due to lazy TF clearing */
> if (condition & DR_STEP) {
> if ((regs->xcs & 3) == 0)
> goto clear_TF;
>
> which will make sure that we only get _one_ of these spurious (and
> harmless) TF traps if somebody tries to mess with us.
>
> So that is correct (and your patch is _not_ correct - it's not right
> checking what the EIP value is, since it doesn't matter. In fact, I think
> you could quite validly have "big" EIP values in user space by just
> creating interesting code segments).
actually I just had to workaround that code for kgdb, and yes, vsyscalls
would run above PAGE_OFFSET too. OTOH now I don't see anymore the point
of the patch that I posted that is included in 2.4.20rc1, I wrongly
assumed that setting the TF would not guarantee DR_STEP to be set in
db6 (there would be no other reason for such patch) but according to the
manual this isn't the case, so 2.5 is correct and 2.4.20rc1 is overkill
and so I'll backout that patch too, that will avoid the ugly workaround
with kgdb too (that basically disabled such check on the eip as soon as
kgdb was started). If anybody can see a problem in backing out from 2.4
the patch I was suggesting for 2.5 please let me know. Thanks.
Andrea
next prev parent reply other threads:[~2002-11-15 2:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-11-12 23:28 FW: i386 Linux kernel DoS Leif Sawyer
2002-11-12 23:31 ` Christoph Hellwig
2002-11-13 0:10 ` Alan Cox
2002-11-13 23:38 ` Jirka Kosina
2002-11-13 23:58 ` Chris Wright
2002-11-14 9:08 ` Helge Hafting
2002-11-14 3:05 ` Andrea Arcangeli
2002-11-14 4:10 ` Andrea Arcangeli
2002-11-14 18:12 ` Linus Torvalds
2002-11-14 19:00 ` Andrea Arcangeli
2002-11-14 19:17 ` Linus Torvalds
2002-11-15 2:13 ` Andrea Arcangeli [this message]
2002-11-14 20:06 ` Petr Vandrovec
2002-11-16 19:33 ` Krzysiek Taraszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20021115021308.GV31697@dualathlon.random \
--to=andrea@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lsawyer@gci.com \
--cc=marcelo@conectiva.com.br \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox