lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Sep 2010 23:51:11 -0400 From: Brian Gerst <brgerst@...il.com> To: Al Viro <viro@...iv.linux.org.uk> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, tglx@...utronix.de, mingo@...hat.com, linux-kernel@...r.kernel.org Subject: Re: what's papered over by set_fs(USER_DS) in amd64 signal delivery? On Fri, Sep 24, 2010 at 10:48 PM, Al Viro <viro@...iv.linux.org.uk> wrote: > On Fri, Sep 24, 2010 at 10:25:15PM -0400, Brian Gerst wrote: >> > + ?? ?? ?? ?? ?? ?? ?? __asm__("mov %w0,%%fs ; mov %w0,%%gs":"=r" (seg) :"0" (seg)); >> > + ?? ?? ?? ?? ?? ?? ?? set_fs(seg); >> > + ?? ?? ?? ?? ?? ?? ?? regs->xds = seg; >> > + ?? ?? ?? ?? ?? ?? ?? regs->xes = seg; >> > + ?? ?? ?? ?? ?? ?? ?? regs->xss = seg; >> > + ?? ?? ?? ?? ?? ?? ?? regs->xcs = USER_CS; >> > in 2.1.2. ??And that's when we had >> > ?? ?? ?? ??* fs and gs evicted from pt_regs >> > ?? ?? ?? ??* fs and gs not saved restored on kernel entry/exit >> > ?? ?? ?? ??* just introduced set_fs() to start with (that went in 2.1.0) >> > >> > A bit before my time, so I'm not sure what's been going on there... >> >> I believe it can be safely removed. Looking through the history, the >> corresponding set_fs() calls were removed from 32-bit by commit >> b93b6ca3. This is just an artifact from ancient i386 code where >> set_fs (which is grossly misnamed now) really did set the %fs >> register. > > Not quite. If you look at the tree where it has shown up (2.1.2), you'll see > that > a) by that time it _wasn't_ an assignment to %fs > b) the same patch that has introduced that call there does direct > assignment to %fs right next to that set_fs(). See that __asm__ above? > > Again, I agree that it almost certainly can be dropped. I really wonder > about the history, though. It predates git and bk by far (late 1996). > Linus, do you have any recollection regarding that stuff? > In the beginning, the i386 kernel used a non-flat segmented memory layout. USER_[CD]S were 3GB segments at base 0, and KERNEL_[CD]S were 1GB segments at base 3GB. This meant that the kernel could not access userspace addresses without using a fs segment override (%fs was saved in pt_regs, reloaded with USER_DS on kernel entry, and restored on kernel exit). You had to reload %fs with KERNEL_DS for the *_user functions to address the kernel segment. v2.1.2 introduced the modern flat memory layout with 4GB segments at base 0. %fs no longer was used for userspace access, so it wasn't saved in pt_regs or touched in any way until a task switch. Instead of the hardware enforcing the limit, the check was moved to software. Originally the signal handler had to set regs->xfs = USER_DS so that the signal handler had a known state when it ran. That had nothing to do with the kernel's userspace access mechanism. It was converted to do both the immediate reloading of the %fs register (since it was no longer saved in pt_regs and wouldn't get restored on kernel exit), and to a new set_fs(USER_DS) call which meant something completely different. That is the origin of the code we are trying to remove now. -- Brian Gerst -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists