From: Zachary Amsden <zach@vmware.com>
To: Stas Sergeev <stsp@aknet.ru>
Cc: Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: + espfix-code-cleanup.patch added to -mm tree
Date: Wed, 02 Aug 2006 11:30:08 -0700 [thread overview]
Message-ID: <44D0EF30.7030701@vmware.com> (raw)
In-Reply-To: <44D0DCF5.8050906@aknet.ru>
Stas Sergeev wrote:
> Hi,
>
> Zachary Amsden wrote:
>> You need to get a #GP or #NP on the faulting iret. Several ways to
>> do that -
> I do that much simpler - I provoke a SIGSEGV and in a signal handler
> I put the wrong value to scp->cs or scp->ss, and that makes iret to
> fault.
Ok, that's a new trick ;)
>
>> iret faults, but doesn't pop the user return frame.
> But does it push the kernel frame after it or not?
> If not - I don't understand how we go to a fixup.
> If yes - I don't understand how the user's frame gets
> accessed later, as it is above the kernel's frame.
Yes. The iret faults, the fault pushes a new kernel frame - and the
fault handler's iret returns, removing the kernel frame. So the kernel
frame is gone by the time the fixup runs.
>
>>> safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do
>>> that please? :)
>>> For what, btw? There are no such a things for __KERNEL_DS or
>>> anything, so
>>> I just don't see the necessity.
>> It helps track down any bugs that could leak through otherwise and
>> corrupt random memory.
> I think regs->esp + THREAD_SIZE*2 is already very permissive,
> and I'd like to avoid messing with granularity. So unless you
> really insist, I'll better not do that. :)
It's really hard to catch bugs that could otherwise happen when a
non-zero based stack gets used (for example, C code which uses %ebp with
-fomit-frame-pointer). Setting the limit to THREAD_SIZE should
guarantee that the non-zero based stack never is used to access anything
but the stack and current thread.
Zach
next prev parent reply other threads:[~2006-08-02 18:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200607300016.k6U0GYu4023664@shell0.pdx.osdl.net>
2006-07-30 10:57 ` [patch] espfix code cleanup more Stas Sergeev
[not found] ` <44CE766D.6000705@vmware.com>
2006-08-01 12:21 ` + espfix-code-cleanup.patch added to -mm tree Stas Sergeev
2006-08-01 13:38 ` Jan Beulich
2006-08-01 14:37 ` Stas Sergeev
2006-08-01 14:43 ` Jan Beulich
2006-08-01 15:09 ` Stas Sergeev
2006-08-01 21:01 ` Zachary Amsden
2006-08-02 17:12 ` Stas Sergeev
2006-08-02 18:30 ` Zachary Amsden [this message]
2006-08-02 19:12 ` Stas Sergeev
2006-08-01 2:24 Chuck Ebbert
2006-08-01 12:39 ` Stas Sergeev
-- strict thread matches above, loose matches on Subject: below --
2006-08-02 19:14 Chuck Ebbert
2006-08-02 19:31 ` Stas Sergeev
2006-08-12 2:27 Chuck Ebbert
2006-08-12 10:35 ` Stas Sergeev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44D0EF30.7030701@vmware.com \
--to=zach@vmware.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stsp@aknet.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox