| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150402181011.GB8503@gmail.com> Date: Thu, 2 Apr 2015 20:10:11 +0200 From: Ingo Molnar <mingo@...nel.org> To: Denys Vlasenko <dvlasenk@...hat.com> Cc: Andy Lutomirski <luto@...capital.net>, Borislav Petkov <bp@...en8.de>, x86@...nel.org, linux-kernel@...r.kernel.org, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH] x86/asm/entry/64: better check for canonical address * Denys Vlasenko <dvlasenk@...hat.com> wrote: > On 03/26/2015 01:42 PM, Denys Vlasenko wrote: > > This change makes the check exact (no more false positives > > on kernel addresses). > > > > It isn't really important to be fully correct here - > > almost all addresses we'll ever see will be userspace ones, > > but OTOH it looks to be cheap enough: > > the new code uses two more ALU ops but preserves %rcx, > > allowing to not reload it from pt_regs->cx again. > > On disassembly level, the changes are: > > > > cmp %rcx,0x80(%rsp) -> mov 0x80(%rsp),%r11; cmp %rcx,%r11 > > shr $0x2f,%rcx -> shl $0x10,%rcx; sar $0x10,%rcx; cmp %rcx,%r11 > > mov 0x58(%rsp),%rcx -> (eliminated) > > > > > .ifne __VIRTUAL_MASK_SHIFT - 47 > > .error "virtual address width changed -- sysret checks need update" > > .endif > > - shr $__VIRTUAL_MASK_SHIFT, %rcx > > - jnz opportunistic_sysret_failed > > + /* Change top 16 bits to be a sign-extension of the rest */ > > + shl $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx > > + sar $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx > > + /* If this changed %rcx, it was not canonical */ > > + cmpq %rcx, %r11 > > + jne opportunistic_sysret_failed > > > Another thing we can do here is to just canonicalize the address. > IOW: same code as above but without last two insns. > > The difference would be that if userspace gives us bogus, > noncanonical return address, we would return to a different address > instead of SIGSEGV. So in general it's better to be proactive with such things and generate an error as early as possible, making it easier to debug user-space bugs. > There is no security implications in doing this as far as I can see, > and no sane program uses noncanonical addresses. > Apart from not having any legitimate need to do so, it's also quite > complicated to achieve. > > So it should not break any real-world cases. It would make user-space debugging harder though, so it's a quality of implmentation issue. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists