lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 22 Aug 2008 13:45:29 -0400
From:	Mathieu Desnoyers <mathieu.desnoyers@...ymtl.ca>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	"Luiz Fernando N. Capitulino" <lcapitulino@...driva.com.br>,
	Ingo Molnar <mingo@...e.hu>, linux-kernel@...r.kernel.org
Subject: Re: 2.6.{26.2,27-rc} oops on virtualbox

* H. Peter Anvin (hpa@...or.com) wrote:
> Was looking at the code stream, and noticed this:
>
> Code: c0 0f 84 0b 01 00 00 b8 d0 bf 41 c0 c7 05 6c c0 41 c0 ff ff ff ff e8 
> 7f 82 21 00 e8 1a 03 02 00 8b 45 b0 50 9d 0f 1f 84 00 00 00 <00> 00 8b 45 
> bc 83 c4 60 5b 5e 5f 5d c3 66 90 a1 6c c0 41 c0 e8
>
> Code: c0 0f 84 0b 01 00 00 b8 d0 bf 41 c0 c7 05 6c c0 41 c0 ff ff ff ff e8 
> 7f 82 21 00 e8 1a 03 02 00 8b 45 b0 50 9d 0f 1f 84 00 00 00 <00> 00 8b 45 
> bc 83 c4 60 5b 5e 5f 5d c3 66 90 a1 6c c0 41 c0 e8
>
> The EIP is in the *MIDDLE* of a NOPL instruction:
>
> C012FC46  C00F84            ror byte [edi],0x84
> C012FC49  0B01              or eax,[ecx]
> C012FC4B  0000              add [eax],al
> C012FC4D  B8D0BF41C0        mov eax,0xc041bfd0
> C012FC52  C7056CC041C0FFFF  mov dword [dword 0xc041c06c],0xffffffff
>          -FFFF
> C012FC5C  E87F822100        call dword 0xc0347ee0
> C012FC61  E81A030200        call dword 0xc014ff80
> C012FC66  8B45B0            mov eax,[ebp-0x50]
> C012FC69  50                push eax
> C012FC6A  9D                popfd
> C012FC6B  0F1F840000000000  nop dword [eax+eax+0x0]
> C012FC73  8B45BC            mov eax,[ebp-0x44]
> C012FC76  83C460            add esp,byte +0x60
> C012FC79  5B                pop ebx
> C012FC7A  5E                pop esi
> C012FC7B  5F                pop edi
> C012FC7C  5D                pop ebp
> C012FC7D  C3                ret
> C012FC7E  6690              xchg ax,ax
> C012FC80  A16CC041C0        mov eax,[0xc041c06c]
>
> There are two possibilities: VirtualBox mis-executes (not merely traps, 
> which is what tip:master looks for) the NOPL instruction, or something is 
> jumping into the middle of the sequence that is then replaced by the NOPL.
>
> So, Luiz: the DEBUG_INFO version of vmlinux would be helpful.  It would 
> also help to know the exact version of VirtualBox you're running, what 
> source you got it from, and what your host system looks like.
>
> 	-hpa

The patch which turns on this bug this this important change to the
apply paravirt : it disables interrupts _near_ the code patching,
_within_ the loop. Before, interrupts were disabled outside of the loop.
It needs to disable interrupts within the loop to be able to use vmap in
text_poke().

So I bet VirtualBox has a race in the way it handles interrupt
disabling.

Mathieu

-- 
Mathieu Desnoyers
OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F  BA06 3F25 A8FE 3BAE 9A68
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ