Date:	Mon, 16 Feb 2009 09:56:08 +0100
From:	Borislav Petkov <petkovbb@...glemail.com>
To:	Sergei Shtylyov <sshtylyov@...mvista.com>
Cc:	Bartlomiej Zolnierkiewicz <bzolnier@...il.com>,
	linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/6] ide: remove ide_execute_pkt_cmd()

>
>  Didn't quite get that statement.
>  Well, this example wasn't very convincing...

Oh, I'm really getting tired of this!

Here's your final example:

A stack variable caching the flags check. REMEMBER, no write accesses to
it!:

<ide-cd.c>
int ide_cd_read_toc(ide_drive_t *drive, struct request_sense *sense)
{
        int stat, ntracks, i;
        struct cdrom_info *info = drive->driver_data;
        struct cdrom_device_info *cdi = &info->devinfo;
        struct atapi_toc *toc = info->toc;
        struct {
                struct atapi_toc_header hdr;
                struct atapi_toc_entry  ent;
        } ms_tmp;
        long last_written;
        unsigned long sectors_per_frame = SECTORS_PER_FRAME;
        u8 tmp = drive->atapi_flags & IDE_AFLAG_TOCTRACKS_AS_BCD;
</ide-cd.c>

Later you access the _same_ variable in an if-check:

<ide-cd.c>
        if (tmp) {
                toc->hdr.first_track = bcd2bin(toc->hdr.first_track);
                toc->hdr.last_track  = bcd2bin(toc->hdr.last_track);
        }
</ide-cd.c>


Resulting assembly snippets:

<ide-cd.s>
.LCFI166:
        .loc 1 1202 0
        movl    %edx, -52(%ebp) # sense, sense
        .loc 1 1213 0
        movl    500(%edi), %ecx # <variable>.atapi_flags,
        .loc 1 1204 0
        movl    24(%eax), %eax  # <variable>.driver_data,
.LVL399:
        movl    %eax, -40(%ebp) #, info
.LVL400:
        .loc 1 1206 0
        movl    16(%eax), %esi  # <variable>.toc, toc
.LVL401:
        .loc 1 1212 0
        movl    $4, -20(%ebp)   #, sectors_per_frame
.LVL402:
        .loc 1 1213 0
        movl    %ecx, -48(%ebp) #, D.31862
</ide-cd.s>

You see here the ->atapi_flags, dereferenced above, being saved on the
stack. Here's the asm for the check later:

<ide-cd.s>
.LVL415:
        jne     .L283   #,
        .loc 1 1256 0
        movb    -48(%ebp), %al  # D.31862,
.LVL416:
        andb    $16, %al        #,
        movb    %al, -33(%ebp)  #, tmp
.LVL417:
        je      .L287   #,
        .loc 1 1257 0
</ide-cd.s>

So, the ->atapi_flags is moved into the 8-bit %al from the stack! Then the
$16 is IDE_AFLAG_TOCTRACKS_AS_BCD, so the binary & against the
->atapi_flags is actually done here. Then the tmp variable is SAVED ON
THE STACK at -33(%ebp) and it is dereferenced AGAIN in the next check:

<ide-cd.s>
.LVL426:
        jne     .L283   #,
        .loc 1 1297 0
        cmpb    $0, -33(%ebp)   # tmp
        je      .L290   #
</ide-cd.s>


If you still don't see it, go play with your own assembler and do some
code staring on your own which doesn't involve me!

-- 
Regards/Gruss,
    Boris.
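A small stand-alone reproducer of the pattern argued about above, added here as an example; it is not Boris's code and not the kernel's ide-cd.c. It models only what the thread needs: a drive struct with an atapi_flags word, a BCD TOC header, a hypothetical AFLAG_TOCTRACKS_AS_BCD bit (0x10, the $16 the posted asm ANDs against %al), and an opaque issue_command() call standing in for the packet command that sits between caching the flag and testing it. read_toc_cached() keeps the masked flag in a local as ide_cd_read_toc() does; read_toc_reread() tests the struct field at the point of use. Both are assumed names. Compiling with `gcc -O2 -S -fverbose-asm` produces annotated assembly of the same kind quoted in the mail, so the two variants' treatment of the flag (spill to the stack, callee-saved register, or a fresh load from the struct) can be compared directly.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for IDE_AFLAG_TOCTRACKS_AS_BCD: bit 4, i.e. the
 * $16 the posted assembly ANDs against %al. Hypothetical name. */
#define AFLAG_TOCTRACKS_AS_BCD 0x10u

/* Minimal models of the kernel structs; field layout is an assumption. */
struct toc_header { uint8_t first_track; uint8_t last_track; };
struct drive      { unsigned long atapi_flags; struct toc_header toc; };

/* Same conversion the kernel's bcd2bin() performs: 0x34 -> 34. */
static uint8_t bcd2bin(uint8_t v)
{
    return (uint8_t)((v & 0x0f) + (v >> 4) * 10);
}

/* Opaque call between caching and use, standing in for the packet command
 * the real function issues. noinline keeps the call real, so the compiler
 * must either spill `tmp` or park it in a callee-saved register. */
static int __attribute__((noinline)) issue_command(struct drive *d)
{
    return d->toc.first_track == 0 ? -1 : 0;
}

/* Variant A: cache the masked flag in a local, as ide_cd_read_toc() does.
 * Returns 1 if the BCD conversion ran, 0 if not, -1 on command failure. */
int read_toc_cached(struct drive *d)
{
    uint8_t tmp = d->atapi_flags & AFLAG_TOCTRACKS_AS_BCD;

    if (issue_command(d) < 0)
        return -1;
    if (tmp) {
        d->toc.first_track = bcd2bin(d->toc.first_track);
        d->toc.last_track  = bcd2bin(d->toc.last_track);
    }
    return tmp != 0;
}

/* Variant B: re-test the struct field at the point of use. */
int read_toc_reread(struct drive *d)
{
    if (issue_command(d) < 0)
        return -1;
    if (d->atapi_flags & AFLAG_TOCTRACKS_AS_BCD) {
        d->toc.first_track = bcd2bin(d->toc.first_track);
        d->toc.last_track  = bcd2bin(d->toc.last_track);
    }
    return (d->atapi_flags & AFLAG_TOCTRACKS_AS_BCD) != 0;
}

/* Runs both variants on constructed TOC headers (BCD 0x12/0x34) with the
 * flag set and clear; returns 1 when they agree and the conversion
 * happened only when the flag was set. */
int selftest(void)
{
    struct drive a = { .atapi_flags = AFLAG_TOCTRACKS_AS_BCD,
                       .toc = { 0x12, 0x34 } };
    struct drive b = a;
    struct drive c = { .atapi_flags = 0, .toc = { 0x12, 0x34 } };
    struct drive e = c;

    if (read_toc_cached(&a) != 1 || read_toc_reread(&b) != 1)
        return 0;
    if (a.toc.first_track != 12 || a.toc.last_track != 34)
        return 0;
    if (b.toc.first_track != 12 || b.toc.last_track != 34)
        return 0;
    if (read_toc_cached(&c) != 0 || read_toc_reread(&e) != 0)
        return 0;
    /* Flag clear: headers must remain raw BCD. */
    return c.toc.first_track == 0x12 && e.toc.last_track == 0x34;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAIL");
    return 0;
}
```

The functional result is identical either way; what differs is only the generated code, which is the point of the thread. Inspecting the `-S -fverbose-asm` output for read_toc_cached() shows where `tmp` lives across the issue_command() call, and the same inspection of read_toc_reread() shows whether the compiler reloads atapi_flags from the struct instead.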