Message-ID: <4834B8DB.6030504@zytor.com>
Date:	Wed, 21 May 2008 17:05:47 -0700
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Roland McGrath <roland@...hat.com>
CC:	Andi Kleen <andi@...stfloor.org>,
	Suresh Siddha <suresh.b.siddha@...el.com>,
	Mikael Pettersson <mikpe@...uu.se>, mingo@...e.hu,
	tglx@...utronix.de, torvalds@...ux-foundation.org,
	akpm@...ux-foundation.org, drepper@...hat.com,
	Hongjiu.lu@...el.com, linux-kernel@...r.kernel.org,
	arjan@...ux.intel.com, rmk+lkml@....linux.org.uk, dan@...ian.org,
	asit.k.mallick@...el.com
Subject: Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions

Roland McGrath wrote:
>> I don't think there is one. We never copy fxsave completely out of the
>> kernel. x86-64 does FXSAVE directly in/out user space, but the
>> only leak is what there was before.
> 
> ptrace/user_regset copies out and in the whole fxsave block from the ptrace
> caller.  (Only the mxcsr word is constrained after copy-in.)

I see two problems with that:

1. potential information leak out of the kernel if the memory area isn't 
zeroed before the first FXSAVE - I haven't verified if so is the case. 
This would be a (potentially very serious) security hole.

2. Hidden state in the kernel - this means user space can set 
nonarchitectural state in the kernel.  There are a few risks with that:

    a. Malware might use it to hide state.
    b. The possibility of using the stability or lack thereof of this
       state to extract information about kernel internals and/or
       provide a covert channel in the presence of hardware changes.
    c. It is not certain that future architectures will not have
       off-limit fields here, like the equivalent of MXCSR.  This is
       somewhat of a tricky judgement, of course, but it seems safer
       to me if we would explicitly list the modifiable fields.

Thoughts?

	-hpa
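The two concerns raised above (stale kernel memory leaking through bytes the hardware never writes, and user space planting non-architectural state via a whole-block copy-in) can both be shown in a small self-contained program. The following C is an added example, not code from this thread or from the Linux kernel: the 512-byte layout, the field names and the `EXAMPLE_MXCSR_FEATURE_MASK` value are all constructed for illustration. It zeroes the block before first use and copies in only an explicit list of architectural fields, masking MXCSR and refusing to copy the reserved area at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified picture of a 512-byte FXSAVE area. Only the fields
 * this example needs are named; sizes add up to 512 but this is NOT the
 * kernel's struct. */
struct fxregs_example {
    uint16_t cwd, swd, twd, fop;   /* x87 control, status, tag, opcode */
    uint64_t rip, rdp;             /* last instruction / operand pointers */
    uint32_t mxcsr;                /* SSE control/status: the "off-limit" example */
    uint32_t mxcsr_mask;           /* reported by hardware, never by the caller */
    uint32_t st_space[32];         /* 8 x87 registers, 16 bytes each */
    uint32_t xmm_space[64];        /* 16 XMM registers, 16 bytes each */
    uint32_t padding[24];          /* implementation-reserved: hidden-state risk */
};

/* Constructed feature mask: MXCSR bits 0..15 are treated as architectural,
 * everything above as reserved. A real implementation derives this from the
 * mask the hardware reports, not from a constant. */
#define EXAMPLE_MXCSR_FEATURE_MASK 0xffffu

/* Problem 1: zero the whole block before the first save so bytes the hardware
 * does not write cannot carry stale kernel data back to user space. */
void fxregs_example_init(struct fxregs_example *k)
{
    memset(k, 0, sizeof *k);
}

/* Problem 2: copy-in that accepts only explicitly listed fields instead of
 * the whole block. Returns 0 on success, -1 if the caller set reserved
 * MXCSR bits. The padding is never copied, so no hidden state gets in. */
int fxregs_example_copyin(struct fxregs_example *k, const struct fxregs_example *u)
{
    if (u->mxcsr & ~EXAMPLE_MXCSR_FEATURE_MASK)
        return -1;
    k->cwd = u->cwd; k->swd = u->swd; k->twd = u->twd; k->fop = u->fop;
    k->rip = u->rip; k->rdp = u->rdp;
    k->mxcsr = u->mxcsr & EXAMPLE_MXCSR_FEATURE_MASK;
    memcpy(k->st_space, u->st_space, sizeof k->st_space);
    memcpy(k->xmm_space, u->xmm_space, sizeof k->xmm_space);
    return 0;
}

/* Self-check: count non-zero bytes in the reserved area of a kernel-side block. */
size_t fxregs_example_hidden_bytes(const struct fxregs_example *k)
{
    const unsigned char *p = (const unsigned char *)k->padding;
    size_t n = 0;
    for (size_t i = 0; i < sizeof k->padding; i++)
        n += (p[i] != 0);
    return n;
}

/* Scenario A: a caller hands over a block with every byte set (constructed
 * input). Returns how many of those bytes reached the reserved area; 0 means
 * the explicit field list kept hidden state out. Returns (size_t)-1 if the
 * copy-in itself was rejected. */
size_t fxregs_example_scenario_full_block(void)
{
    struct fxregs_example k, u;
    fxregs_example_init(&k);
    memset(&u, 0xA5, sizeof u);
    u.mxcsr = 0x1f80;              /* default MXCSR: all SSE exceptions masked */
    if (fxregs_example_copyin(&k, &u) != 0)
        return (size_t)-1;
    return fxregs_example_hidden_bytes(&k);
}

/* Scenario B: a caller sets reserved MXCSR bit 16. Returns the copy-in result. */
int fxregs_example_scenario_reserved_mxcsr(void)
{
    struct fxregs_example k, u;
    fxregs_example_init(&k);
    memset(&u, 0, sizeof u);
    u.mxcsr = 0x10000;
    return fxregs_example_copyin(&k, &u);
}

int main(void)
{
    printf("sizeof block: %zu\n", sizeof(struct fxregs_example));
    printf("hidden bytes after full-block copy-in: %zu\n",
           fxregs_example_scenario_full_block());
    printf("reserved MXCSR bit accepted: %s\n",
           fxregs_example_scenario_reserved_mxcsr() == 0 ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is that the whitelist in `fxregs_example_copyin` is the only place a new architectural field ever needs to be added; anything not listed there stays zero from `fxregs_example_init`, which addresses point (c) above without having to predict which future fields will turn out to be off-limits.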
