| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 May 2016 15:51:37 -0700 (PDT) From: David Miller <davem@...emloft.net> To: nix@...eri.org.uk Cc: linux-kernel@...r.kernel.org, sparclinux@...r.kernel.org, fweimer@...hat.com Subject: Re: [4.1.x -- 4.6.x and probably HEAD] Reproducible unprivileged panic/TLB BUG on sparc via a stack-protected rt_sigaction() ka_restorer, courtesy of the glibc testsuite From: Nick Alcock <nix@...eri.org.uk> Date: Fri, 27 May 2016 22:44:56 +0100 > Good move. Segfaulting the process is fine! :) Any process that does > this sort of thing is clearly either terminally buggy, written by an > idiot who doesn't know what he's doing (i.e. my original patch) or > malicious. These all deserve SEGVs. > > (I still don't understand why this leads to spurious TLB faults, though. > Filling the userland CPU registers with garbage is bad, but should still > be reasonably harmless to the kernel, surely?) I'm trying to figure out the same thing myself. Even the unaligned stack pointer should be gracefully handled by the kernel, so I think it has to be some other element of the register state restore sequence. The one area that deserves auditing is %tstate. This is a privileged register which we treat partially as non-privileged. Specifically we allow the user to modify the condition codes and the %asi register which is encoded into here. But I just went over that a few times. We are really careful to mask and only change those specific fields. I'll keep plugging away at this and also play with your patches to reproduce the bug.
Powered by blists - more mailing lists