From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Richard Weinberger <richard@nod.at>,
user-mode-linux-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC] weird crap with vdso on uml/i386
Date: Sun, 21 Aug 2011 07:34:43 +0100 [thread overview]
Message-ID: <20110821063443.GH2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAObL_7H8E1fde-d_Kfjrg2mQ5PdAp9X=fVRTqXJKzzYmQ1vAQQ@mail.gmail.com>
On Sat, Aug 20, 2011 at 05:40:03PM -0400, Andrew Lutomirski wrote:
> will cause iret (if iret happens) to restore the original rbp in rcx
> (why? -- it seems okay if syscall is hit in __kernel_vsyscall but not
> if something else does the syscall). I don't see what saves rbp to
> the stack frame.
Far more interesting question is how the hell does that thing manage to
work in face of syscall restarts? As the matter of fact, how does it
(and sysenter-based variant) play with ptrace() *and* restarts?
Suppose we have a traced process. foo6() is called and the thing it
stopped before the sys_foo6() is reached kernel-side. The sixth argument
is on stack, ebp is set to user esp. SYSENTER happens, we read the
6th argument from userland stack and put it along with the rest into
pt_regs. tracer examines the arguments, modifies them (including the last
one) and lets the tracee run free - e.g. detaches from the tracee.
What should happen if we happen to get a signal that would restart that
sucker? Granted, it's not going to happen with mmap() - it doesn't, AFAICS,
do anything of that kind. However, I wouldn't bet a dime on other 6-argument
syscalls not stepping on that. sendto() and recvfrom(), in particular...
OK, we return to userland. The sixth argument is placed into %ebp. Linus'
"pig and proud of that" trick works and we end up slapping userland
%esp into %ebp and hitting SYSENTER again. Only one problem, though -
the sixth argument on user stack is completely unaffected by what tracer
had done. Unlike the rest of arguments, that *are* changed.
We could deal with that in case of SYSENTER if we e.g. replaced that
jmp .Lenter_kernel
with
jmp .Lrestart
and added
.Lrestart:
movl %ebp, (%esp)
jmp .Lenter_kernel
but in case of SYSCALL it seems to be even messier... Comments?
... and there I thought that last year session of asm glue sniffing couldn't
be topped by anything more unpleasant ;-/
next prev parent reply other threads:[~2011-08-21 6:34 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-18 18:58 Subject: [PATCH 00/91] pending uml patches Al Viro
2011-08-18 19:12 ` Richard Weinberger
2011-08-18 19:19 ` Al Viro
2011-08-19 4:31 ` Al Viro
2011-08-19 8:51 ` Richard Weinberger
2011-08-20 1:18 ` [RFC] weird crap with vdso on uml/i386 Al Viro
2011-08-20 15:22 ` Richard Weinberger
2011-08-20 20:14 ` Al Viro
2011-08-20 20:55 ` Richard Weinberger
2011-08-20 21:26 ` Andrew Lutomirski
2011-08-20 21:38 ` Richard Weinberger
2011-08-20 21:40 ` Andrew Lutomirski
2011-08-21 6:34 ` Al Viro [this message]
2011-08-21 8:42 ` SYSCALL, ptrace and syscall restart breakages (Re: [RFC] weird crap with vdso on uml/i386) Al Viro
2011-08-21 11:24 ` Andrew Lutomirski
2011-08-21 13:37 ` Andrew Lutomirski
2011-08-21 14:51 ` Al Viro
2011-08-21 14:43 ` Al Viro
2011-08-21 16:41 ` Al Viro
2011-08-22 0:44 ` Andrew Lutomirski
2011-08-22 1:09 ` Linus Torvalds
2011-08-22 1:19 ` Al Viro
2011-08-22 1:19 ` H. Peter Anvin
2011-08-22 21:25 ` [tip:x86/urgent] x86-32, vdso: On system call restart after SYSENTER, use int $0x80 tip-bot for H. Peter Anvin
2011-08-23 23:40 ` tip-bot for H. Peter Anvin
2011-08-22 1:16 ` SYSCALL, ptrace and syscall restart breakages (Re: [RFC] weird crap with vdso on uml/i386) Al Viro
2011-08-22 1:41 ` Linus Torvalds
2011-08-22 1:48 ` H. Peter Anvin
2011-08-22 2:01 ` Andrew Lutomirski
2011-08-22 2:07 ` Al Viro
2011-08-22 2:26 ` Andrew Lutomirski
2011-08-22 2:34 ` H. Peter Anvin
2011-08-22 4:05 ` H. Peter Anvin
2011-08-22 9:53 ` [uml-devel] " Ingo Molnar
2011-08-22 13:34 ` Andrew Lutomirski
2011-08-22 14:40 ` Borislav Petkov
2011-08-22 15:13 ` Al Viro
2011-08-22 20:05 ` Linus Torvalds
2011-08-22 20:11 ` H. Peter Anvin
2011-08-22 21:52 ` Andrew Lutomirski
2011-08-22 22:04 ` H. Peter Anvin
2011-08-22 23:27 ` Linus Torvalds
2011-08-22 23:46 ` H. Peter Anvin
2011-08-23 0:03 ` Al Viro
2011-08-23 0:07 ` Al Viro
2011-08-23 0:07 ` H. Peter Anvin
2011-08-23 0:22 ` Linus Torvalds
2011-08-23 1:01 ` Al Viro
2011-08-23 1:13 ` Al Viro
2011-08-23 1:59 ` Linus Torvalds
2011-08-23 2:59 ` Al Viro
2011-08-23 2:17 ` Al Viro
2011-08-23 6:15 ` Al Viro
2011-08-23 14:26 ` Borislav Petkov
2011-08-23 16:30 ` Al Viro
2011-08-23 16:03 ` Linus Torvalds
2011-08-23 16:11 ` Andrew Lutomirski
2011-08-23 16:20 ` Linus Torvalds
2011-08-23 17:33 ` Al Viro
2011-08-23 18:04 ` Al Viro
2011-08-24 12:44 ` [PATCH] x86, asm: Document some of the syscall asm glue Borislav Petkov
2011-08-23 16:22 ` [uml-devel] SYSCALL, ptrace and syscall restart breakages (Re: [RFC] weird crap with vdso on uml/i386) Borislav Petkov
2011-08-23 16:29 ` Linus Torvalds
2011-08-23 16:53 ` Al Viro
2011-08-23 16:58 ` Richard Weinberger
2011-08-23 17:07 ` Al Viro
2011-08-23 17:29 ` Richard Weinberger
2011-08-25 0:05 ` Richard Weinberger
2011-08-23 19:15 ` H. Peter Anvin
2011-08-23 20:56 ` Borislav Petkov
2011-08-23 21:06 ` H. Peter Anvin
2011-08-23 21:10 ` Borislav Petkov
2011-08-23 23:04 ` H. Peter Anvin
2011-08-24 21:10 ` H. Peter Anvin
2011-08-23 16:48 ` Al Viro
2011-08-23 17:33 ` Linus Torvalds
2011-08-23 21:08 ` H. Peter Anvin
2011-08-23 21:20 ` Linus Torvalds
2011-08-23 23:04 ` H. Peter Anvin
2011-08-23 19:18 ` H. Peter Anvin
2011-08-23 19:24 ` Linus Torvalds
2011-08-23 19:26 ` H. Peter Anvin
2011-08-23 19:41 ` Al Viro
2011-08-23 19:43 ` Linus Torvalds
2011-08-23 21:17 ` Al Viro
[not found] ` <CAObL_7FG8eFTZ4djKH0T8tbRf2h6+iOm=OXr8194nvzc+w+a9A@mail.gmail.com>
2011-08-23 1:18 ` H. Peter Anvin
2011-08-22 4:07 ` Al Viro
2011-08-22 4:11 ` H. Peter Anvin
2011-08-22 4:26 ` Al Viro
2011-08-22 5:03 ` H. Peter Anvin
2011-08-23 5:10 ` Andrew Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110821063443.GH2203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=richard@nod.at \
--cc=torvalds@linux-foundation.org \
--cc=user-mode-linux-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox