From: Andi Kleen <andi@firstfloor.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: mingo@elte.hu, linux-kernel@vger.kernel.org, jkosina@suse.cz,
zdenek.kabelac@gmail.com
Subject: Re: [PATCH REPOST^3] Run IST traps from user mode preemptive on process stack
Date: Tue, 06 May 2008 15:03:37 +0200 [thread overview]
Message-ID: <87skwvbn4m.fsf@basil.nowhere.org> (raw)
In-Reply-To: <alpine.LFD.1.10.0805061305460.3318@apollo.tec.linutronix.de> (Thomas Gleixner's message of "Tue, 6 May 2008 14:31:41 +0200 (CEST)")
Thomas Gleixner <tglx@linutronix.de> writes:
> On Fri, 2 May 2008, Andi Kleen wrote:
>> [Fixes a bug originally introduced in 2.6.23 I think. Reposted many times
>> so far, but still not applied. Please apply.]
>
> The print_vma_addr() bug was introduced by commit 03252919 (by you) in
> the 2.6.25 merge window and we fixed it before 25-rc2 via commit e8bff74a.
Well it was worked around, not properly fixed. This patch fixes it properly.
The problem of the original workaround is that it wouldn't print the vma
now in many cases because it couldn't take the semaphore.
The workaround was right back then because it was shortly before
the release, but it was always a ward that needed fixing properly.
I believe it was a good idea anyways because there were always
some possible problems with not being able to sleep in these
exception handlers.
>
> This introduces two security bugs in one go:
>
> 1.) The IST stack pointer is elevated unconditionaly and with your
> change we can now schedule away in the handler.
Yes, but that's fine.
> this same CPU triggers the same trap and elevates it again.
That's not possible generally. None of these interrupts can
nest in a normal kernel.
Do you refer to the DEBUG_STACK ist add/dec? That is not needed
for anything in tree to my knowledge.
> 2.) The IST stack pointer is unbalanced in the other direction as well:
> it is incremented on CPUn then the handler is scheduled away and migrated
> to CPUm. After return from the handler the IST stacks of both CPUs are
> corrupted. Exploitable by unprivileged user-space code as well.
The IST is restored again after the handler. You're right that strictly
wouldn't be needed and could be avoided, but i don't think it's exploitable
in any ways.
Regarding user controlled pt_regs: I think you're forgetting that
x86-64 doesn't have vm86 mode and that we can always trust pt_regs
segment indexes. On i386 you would be right, but not here.
-Andi
next prev parent reply other threads:[~2008-05-06 13:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-02 9:19 [PATCH REPOST^3] Run IST traps from user mode preemptive on process stack Andi Kleen
2008-05-06 12:31 ` Thomas Gleixner
2008-05-06 13:03 ` Andi Kleen [this message]
2008-05-06 14:34 ` Ingo Molnar
2008-05-06 14:39 ` Ingo Molnar
2008-05-06 14:41 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87skwvbn4m.fsf@basil.nowhere.org \
--to=andi@firstfloor.org \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=tglx@linutronix.de \
--cc=zdenek.kabelac@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox