lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 12 Nov 2009 06:27:54 +0100
From:	Willy Tarreau <w@....eu>
To:	Matt Thrailkill <matt.thrailkill@...il.com>
Cc:	"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...e.hu>,
	Pavel Machek <pavel@....cz>, Avi Kivity <avi@...hat.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Matteo Croce <technoboy85@...il.com>,
	Sven-Haegar Koch <haegar@...net.de>,
	linux-kernel@...r.kernel.org
Subject: Re: i686 quirk for AMD Geode

On Wed, Nov 11, 2009 at 06:23:14PM -0800, Matt Thrailkill wrote:
> On Wed, Nov 11, 2009 at 1:32 AM, Willy Tarreau <w@....eu> wrote:
> > All I can say is that executing a NOP results in no state change in
> > the processor except the instruction pointer which points to the
> > next instruction after execution. Since a NOP changes nothing, it
> > cannot be used alone to provide any privilege, access to data or
> > any such thing. Since it does not perform any jump, it cannot either
> > be used to take back control of the execution flow. And it is certain
> > that the next instruction after it will be executed, so if the NOP
> > crosses a page boundary and completes on a non-executable one, the
> > next instruction will trigger the PF.
> >
> > So I can't see how a NOP can be used to circumvent any protection.
> 
> So a nop(l) sled won't be a problem, right?

Right. However we just noticed that with the KVM emulator, you
can make it loop for a long time if you feed it with prefixes
only. For instance, write a function which does zillions of 0x66
(data size prefix) then return (0xC3) : 66 66 66 ... 66 C3.

This is typically the sort of things we must be very careful about
in emulators, because we don't want users to steal large amounts
of system CPU time doing nothing.

Regards,
Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ