lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrVkTtt5H9-0_mODcGyaLTusBfANkoANo+wKB4JAwjxU2g@mail.gmail.com>
Date:	Mon, 10 Mar 2014 10:52:58 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	"H. Peter Anvin" <hpa@...ux.intel.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Stefani Seibold <stefani@...bold.net>,
	Andreas Brief <Andreas.Brief@...de-schwarz.com>,
	Martin Runge <Martin.Runge@...de-schwarz.com>
Subject: Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000

On Mon, Mar 10, 2014 at 10:48 AM, H. Peter Anvin <hpa@...ux.intel.com> wrote:
> On 03/10/2014 10:46 AM, Andy Lutomirski wrote:
>>>
>>> Yes, we'd have to switch the vdso to using syscall access.  Doing that
>>> from inside a system call is... "interesting".
>>
>> It's a little less interesting if it just involves changing a vma.
>> It's still tricky, though -- would each struct mm have its own struct
>> file for the vvar page?  Can this be done with some
>> vm_operations_struct magic?  There are possible races, too, though --
>> another thread could access the thing concurrently with a syscall.
>>
>
> Hint: where is your RIP?  Where is the RIP of other processes?
>

Whoa there, I'm not suggesting anything nearly that crazy :)

I'm suggesting changing out the vvar page *for that process*, which is
not executable.  The actual vdso code already supports this -- from
userspace's point of view it's the same thing as 'echo acpi_pm >
/sys/devices/system/clocksource/clocksource0/current_clocksource',
except that if the actual clocksource is HPET, the hpet page will be
switched out (presumably with a zero page) while being read.

Other processes are totally irrelevant, unless they share the same
struct mm.  (This is why the vvar page can't be in the fixmap for this
to work.)

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ