lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 18 May 2007 10:32:50 +0200
From:	Philipp Kohlbecher <pk031698@...-greifswald.de>
To:	"H. Peter Anvin" <hpa@...or.com>
CC:	Dave Jones <davej@...emonkey.org.uk>,
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
	linux-assembly@...r.kernel.org
Subject: Re: [PATCH 2.6.21.1] i386: save registers before intra-privilege
 syscall

H. Peter Anvin wrote:
> Philipp Kohlbecher wrote:
>> (This may be superfluous, but I don't think it hurts and it might
>> prevent future errors.)
> 
> ... and it may *cause* future errors by making it harder to find bugs, too.
> 
> In other words, your patch doesn't actually fix anything, it *masks*
> potential bugs which would also be triggered by interrupts in kernel
> mode.  This is bad.

I am not sure these potential bugs would also be triggered by interrupts
in kernel mode. After all, kernel_execve is a special case: It is the
only case (AFAIK) where a software interrupt is generated while in
kernel mode (intra-privilege interrupt), but (if all goes right) the
iret "returns" to user mode (inter-privilege return).

This iret will pop the ss and esp registers off the stack, so
start_thread (include/asm-i386/processor.h:444) needs to put the correct
values in these stack positions, which it does.

Now, my point is that, when start_thread gets called at the end of a
successful kernel_execve, these stack positions cannot contain what they
are supposed to contain and no space is allocated on the stack for these
register values, so that something else gets overwritten.

It would seem cleaner to handle this special case differently by making
sure that the stack is set up the way it would be for an inter-privilege
interrupt.

- Phil Kohlbecher
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ