From: Arjan van de Ven <arjanv@redhat.com>
To: Andrea Arcangeli <andrea@suse.de>
Cc: linux-kernel@vger.kernel.org
Subject: Re: SSE related security hole
Date: Thu, 18 Apr 2002 10:10:33 +0100 [thread overview]
Message-ID: <3CBE8D89.AA3950DB@redhat.com> (raw)
In-Reply-To: <20020417194249.B23438@redhat.com> <20020418072615.I14322@dualathlon.random>
Andrea Arcangeli wrote:
>
> On Wed, Apr 17, 2002 at 07:42:49PM -0400, Doug Ledford wrote:
> > --- i387.c.save Wed Apr 17 19:22:47 2002
> > +++ i387.c Wed Apr 17 19:28:27 2002
> > @@ -33,8 +33,26 @@
> > void init_fpu(void)
> > {
> > __asm__("fninit");
> > - if ( cpu_has_xmm )
> > + if ( cpu_has_mmx )
> > + asm volatile("xorq %%mm0, %%mm0;
> > + xorq %%mm1, %%mm1;
> > + xorq %%mm2, %%mm2;
> > + xorq %%mm3, %%mm3;
> > + xorq %%mm4, %%mm4;
> > + xorq %%mm5, %%mm5;
> > + xorq %%mm6, %%mm6;
> > + xorq %%mm7, %%mm7");
>
> This mean the mmx isn't really backwards compatible and that's
> potentially a problem for all the legacy x86 multiuser operative
> systems. That's an hardware design bug, not a software problem. In
> short running a 2.[02] kernel on a MMX capable CPU isn't secure, the
> same potentially applies to windows NT and other unix, no matter of SSE.
>
> I verified with this simple proggy:
>
> main()
> {
> long long x = 2;
> long long z = 3;
>
> asm volatile("movq %0, %%mm0":: "m" (x));
> asm volatile("fninit");
> asm volatile("movq %%mm0, %0": "=m" (z):);
>
> printf("%d\n", z);
> }
>
> it prints 2 here, while it should print zero or at least random to be
> backwards compatible.
>
> SSE was a completly different issue, that is a software bug. SSE is
> disabled by non aware OS, and so if we enable it we also must take care
> of clearing it at the first math fault.
>
> > + if ( cpu_has_xmm ) {
> > + asm volatile("xorps %%xmm0, %%xmm0;
> > + xorps %%xmm1, %%xmm1;
> > + xorps %%xmm2, %%xmm2;
> > + xorps %%xmm3, %%xmm3;
> > + xorps %%xmm4, %%xmm4;
> > + xorps %%xmm5, %%xmm5;
> > + xorps %%xmm6, %%xmm6;
> > + xorps %%xmm7, %%xmm7");
>
> The patch has a couple of problems. xorq doesn't exists. Since there are
> no params you should also drop one %. Also I think we need an emms after
> the mmx operations to remain binary compatible with the x86 ABI.
>
> How does this look?
>
> --- 2.4.19pre7aa1/arch/i386/kernel/i387.c.~1~ Thu Apr 18 05:23:12 2002
> +++ 2.4.19pre7aa1/arch/i386/kernel/i387.c Thu Apr 18 07:20:26 2002
> @@ -33,8 +33,28 @@
> void init_fpu(void)
> {
> __asm__("fninit");
> - if ( cpu_has_xmm )
> + if (cpu_has_mmx) {
> + asm volatile("pxor %mm0, %mm0\n\t"
> + "movq %mm0, %mm1\n\t"
> + "movq %mm0, %mm2\n\t"
> + "movq %mm0, %mm3\n\t"
> + "movq %mm0, %mm4\n\t"
> + "movq %mm0, %mm5\n\t"
> + "movq %mm0, %mm6\n\t"
> + "movq %mm0, %mm7\n\t"
> + "emms\n");
> + }
> + if ( cpu_has_xmm ) {
> + asm volatile("xorps %xmm0, %xmm0\n\t"
> + "xorps %xmm1, %xmm1\n\t"
> + "xorps %xmm2, %xmm2\n\t"
> + "xorps %xmm3, %xmm3\n\t"
> + "xorps %xmm4, %xmm4\n\t"
> + "xorps %xmm5, %xmm5\n\t"
> + "xorps %xmm6, %xmm6\n\t"
> + "xorps %xmm7, %xmm7\n");
> load_mxcsr(0x1f80);
> + }
>
> current->used_math = 1;
> }
Looks good; I just did the same thing ;)
next prev parent reply other threads:[~2002-04-18 9:10 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-04-17 23:42 SSE related security hole Doug Ledford
2002-04-18 5:26 ` Andrea Arcangeli
2002-04-18 9:10 ` Arjan van de Ven [this message]
2002-04-18 11:18 ` Alan Cox
2002-04-18 11:14 ` Andi Kleen
2002-04-18 11:53 ` Alan Cox
2002-04-18 11:46 ` Andi Kleen
2002-04-18 11:55 ` Andi Kleen
2002-04-18 13:44 ` Doug Ledford
2002-04-18 19:20 ` Pavel Machek
2002-04-18 19:32 ` Doug Ledford
2002-04-21 19:54 ` Pavel Machek
2002-04-18 8:22 ` Andi Kleen
2002-04-18 14:02 ` [OT: nostalgia] " Matthias Andree
-- strict thread matches above, loose matches on Subject: below --
2002-04-22 22:24 Saxena, Sunil
[not found] <20020418183639.20946.qmail@science.horizon.com.suse.lists.linux.kernel>
[not found] ` <a9ncgs$2s2$1@cesium.transmeta.com.suse.lists.linux.kernel>
2002-04-19 14:06 ` Andi Kleen
2002-04-19 18:00 ` Doug Ledford
2002-04-19 21:04 ` Andrea Arcangeli
2002-04-19 21:35 ` H. Peter Anvin
2002-04-19 21:42 ` Andi Kleen
2002-04-20 3:23 ` Andrea Arcangeli
2002-04-19 22:18 ` Jan Hubicka
[not found] <200204182320.53095.nahshon@actcom.co.il>
2002-04-19 11:22 ` Alan Cox
2002-04-18 18:36 linux
2002-04-18 18:53 ` Richard B. Johnson
2002-04-21 19:52 ` Pavel Machek
2002-04-21 22:11 ` David Wagner
2002-04-18 21:06 ` H. Peter Anvin
2002-04-17 14:51 Jan Hubicka
2002-04-17 15:23 ` Jan Hubicka
2002-04-18 14:57 ` Denis Vlasenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3CBE8D89.AA3950DB@redhat.com \
--to=arjanv@redhat.com \
--cc=andrea@suse.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox