lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <502EAB4D.90807@halfdog.net>
Date:	Fri, 17 Aug 2012 20:36:29 +0000
From:	halfdog <me@...fdog.net>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Software interrupt 0x8 guest crash from userspace: virtualbox emulation
 or guest kernel bug?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have observed a strange guest kernel crash in virtualbox and are
currently trying to understand it. Since I have no real 32-bit Intel
platform any more, I cannot verify that this crash would happen on
native 32bit also, so perhaps someone could check that. I have also
collected information about the crash [1], but currently fail to
understand why this is happening.

In short: Calling "int 0x8" in i386 guest on amd64 host crashes the
guest. It seems, that "int 0x8" is handled by task gate, that fails to
initialize "gs" correctly. The crash can be reproduced using [2], the
same program does not crash the host. Due to lack of test platforms it
is not clear, if that only affects virtual box guests.

Questions:
* Does this idt entry seem sane or could it be really broken? Code says
./arch/x86/kernel/traps.c:      set_intr_gate_ist(8, &double_fault,
DOUBLEFAULT_STACK);
which seems consistent with observed idt setup. I'm not sure about
privilege levels, is it possible to invoke this interrupt also on
native systems and cause same behavior?
* If broken, what is idt on native i386 system (not guest) on real
32-bit CPU? Could someone with such system send me: grep "idt_table"
in System.map, "gdb --core /proc/kcore" and "x/64x [address of
idt_table]" (see also [1])?
* If broken, why? Same outcome on native i386 platform?
* If not broken on native: why this interaction with virtualbox?

hd

[1]
http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/
[2]
http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/RtcInt.c

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlAuqz8ACgkQxFmThv7tq+6CzwCginL/PMRVIKxRV4YRXtRIRF+O
tO4An2KcZs5caaoTFu+UGJQLtFOrmKpS
=9P33
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ