From: John Reiser <jreiser@BitWagon.com>
To: Chuck Ebbert <cebbert@redhat.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>, Andi Kleen <ak@suse.de>,
Ingo Molnar <mingo@elte.hu>,
Arjan van de Ven <arjan@infradead.org>,
Paul Mundt <lethal@linux-sh.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org
Subject: Re: + fully-honor-vdso_enabled.patch added to -mm tree
Date: Fri, 02 Mar 2007 15:33:45 -0800 [thread overview]
Message-ID: <45E8B459.8030001@BitWagon.com> (raw)
In-Reply-To: <45E8A300.9020001@redhat.com>
Chuck Ebbert wrote:
> John Reiser wrote:
>
>>The value of ->sysenter_return is interpreted in user space by the
>>sysexit instruction; nobody else cares what the value is. The kernel
>>is not required to provide a good value when vdso_enabled is zero,
>>because the kernel has not told the process that sysenter is valid
>>(by setting AT_SYSINFO.)
>
>
> Doesn't matter because a malicious user can still execute sysenter.
> We do have to deal with that somehow, so we have to put something
> safe in there.
All values are safe as far as the kernel is concerned. The sysexit
instruction is the only consumer of the value. The sysexit instruction
interprets the value as a _user_ virtual address, and jumps to it,
in _user_ mode. If user code does not like jumping to a random address
when vdso_enabled is zero, then user code should not use sysenter
when vdso_enabled is zero. But execution of kernel code is not
affected in any way regardless of the value.
I'd be happy to set ->sysenter_return to 0 (or any other suggested value)
when vdso_enabled is 0, but this would be a politeness only. There is
no added security risk to the kernel by leaving it unset.
>>Correct. Changing vdso_enabled from 0 to non-zero must be prepared
>>to lose this race if it is not prevented. Ordinarily it won't matter
>>because the administrator will perform such changes at a "quiet" time.
>>
>
>
> We have to deal with all the possibilities here, too.
Documentation is one method of dealing with it.
--
John Reiser, jreiser@BitWagon.com
prev parent reply other threads:[~2007-03-02 23:34 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-01 17:52 + fully-honor-vdso_enabled.patch added to -mm tree Oleg Nesterov
2007-03-02 3:48 ` Paul Mundt
2007-03-02 19:32 ` Oleg Nesterov
2007-03-02 21:19 ` John Reiser
2007-03-03 17:38 ` Oleg Nesterov
2007-03-02 21:06 ` John Reiser
2007-03-02 22:18 ` Oleg Nesterov
2007-03-05 10:12 ` Paul Mundt
2007-03-05 10:54 ` Oleg Nesterov
2007-03-05 10:56 ` Paul Mundt
2007-03-02 22:19 ` Chuck Ebbert
2007-03-02 23:11 ` Oleg Nesterov
2007-03-02 23:33 ` John Reiser [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45E8B459.8030001@BitWagon.com \
--to=jreiser@bitwagon.com \
--cc=ak@suse.de \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=cebbert@redhat.com \
--cc=lethal@linux-sh.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@tv-sign.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox