lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.DEB.2.11.1410222323500.5308@nanos>
Date:	Wed, 22 Oct 2014 23:36:01 +0200 (CEST)
From:	Thomas Gleixner <tglx@...utronix.de>
To:	Eric Paris <eparis@...hat.com>
cc:	Paulo Zanoni <przanoni@...il.com>,
	Richard Guy Briggs <rgb@...hat.com>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	linux-audit@...hat.com,
	Intel Graphics Development <intel-gfx@...ts.freedesktop.org>,
	Daniel Vetter <daniel@...ll.ch>
Subject: Re: Regression: audit: x86: drop arch from __audit_syscall_entry()
 interface

On Wed, 22 Oct 2014, Eric Paris wrote:

> That's really serious.  Looking now.

Indeed its serious. And it's even more serious as this masterpiece of
assembly wreckage was pulled in via your tree w/o having an acked-by
one of the x86 maintainers.

> On Wed, 2014-10-22 at 16:08 -0200, Paulo Zanoni wrote:
> > commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a
> > Author: Richard Guy Briggs
> > Date:   Tue Mar 4 10:38:06 2014 -0500
> >     audit: x86: drop arch from __audit_syscall_entry() interface
> > 
> > According to our QA, their i386 machine doesn't boot anymore. I tried
> > to write my own revert for the patch, asked QA to test, and they
> > confirmed it "solves" the problem.

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 0d0c9d4ab6d5..f9e3fabc8716 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -449,12 +449,11 @@ sysenter_audit:
 	jnz syscall_trace_entry
 	addl $4,%esp
 	CFI_ADJUST_CFA_OFFSET -4
-	/* %esi already in 8(%esp)	   6th arg: 4th syscall arg */
-	/* %edx already in 4(%esp)	   5th arg: 3rd syscall arg */
-	/* %ecx already in 0(%esp)	   4th arg: 2nd syscall arg */
-	movl %ebx,%ecx			/* 3rd arg: 1st syscall arg */
-	movl %eax,%edx			/* 2nd arg: syscall number */
-	movl $AUDIT_ARCH_I386,%eax	/* 1st arg: audit arch */
+	movl %esi,4(%esp)		/* 5th arg: 4th syscall arg */
+	movl %edx,(%esp)		/* 4th arg: 3rd syscall arg */

Bilndly overwriting the stack which holds the syscall arguments is
really a brilliant way to ensure security.

Thanks,

	tglx


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ