| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140224174051.GE9987@twins.programming.kicks-ass.net> Date: Mon, 24 Feb 2014 18:40:51 +0100 From: Peter Zijlstra <peterz@...radead.org> To: Vince Weaver <vincent.weaver@...ne.edu> Cc: "H. Peter Anvin" <hpa@...or.com>, Linux Kernel <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...hat.com>, "H.J. Lu" <hjl.tools@...il.com>, Steven Rostedt <rostedt@...dmis.org> Subject: Re: perf_fuzzer compiled for x32 causes reboot On Mon, Feb 24, 2014 at 12:32:39PM -0500, Vince Weaver wrote: > I do note that > perf_callchain_user(); > > Does > fp = (void __user *)regs->bp; > > ... > > bytes = copy_from_user_nmi(&frame, fp, sizeof(frame)); > > > And in my particular executable RBP has nothing to do with a frame > pointer, but is instead being used as a general purpose register. > > Am I missing something here? Though in that case I'm not sure why this > wouldn't be easier to trigger. Ah, in case the frame doesn't actually exist we would expect to fault and get the fixup treatment, returning a short copy (the return value being bytes _NOT_ copied). When that happens; if (bytes != 0) break; At which point we'll terminate the stack frame iteration. This is where we rely on being able to take a fault from NMI context, the fault iret will re-enable NMIs, necessitating all the magic Steve did. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists