Message-ID: <551C6098.9030705@redhat.com>
Date: Wed, 01 Apr 2015 23:18:16 +0200
From: Denys Vlasenko <dvlasenk@...hat.com>
To: Andy Lutomirski <luto@...nel.org>, Ingo Molnar <mingo@...nel.org>,
x86@...nel.org, linux-kernel@...r.kernel.org
CC: Borislav Petkov <bp@...e.de>
Subject: Re: [PATCH urgent] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set
On 04/01/2015 09:25 PM, Andy Lutomirski wrote:
> Fix it by using IRET to restore TF. Since it's late, I'm keeping
> this minimal and keeping "testq" instead of switching to "testl".
Changing to "testl" here wins nothing. Since r11 is used,
a REX prefix will be encoded anyway.
>
> - testq $X86_EFLAGS_RF,%r11 /* sysret can't restore RF */
> + /*
> + * SYSRET can't restore RF. SYSRET can restore TF, but unlike IRET,
> + * restoring TF results in a trap from userspace immediately after
> + * SYSRET.
> This would cause an infinite loop whenever #DB happens
> + * with register state that satisfies the opportunistic SYSRET
> + * conditions.
> + */
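Review bot: the excerpt removes `testq $X86_EFLAGS_RF,%r11` and adds the comment, but the replacement test itself is not in the quoted hunk, so the comment should name the mask it guards (RF and TF, per the subject line "Disable opportunistic SYSRET if regs->flags has TF set") so a reader can check the test against it. The sentence "restoring TF results in a trap from userspace immediately after SYSRET" is the key behavioural difference from IRET and is worth keeping as-is; the concrete register state (rcx == rip, r11 == rflags) that makes the loop reachable is what the prose is missing.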
I propose to just show an example of the affected code:
> This can cause an infinite loop. Example:
> * asm volatile("movq $1f,%rcx\n\t"
> * "pushfq\n\t"
> * "popq %r11\n\t"
> * "nop\n\t"
> * "1:");
> * The above example would get stuck at "1:".
> */