| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrXBYyPVww_0nE1A5JLZFebvWZSx9gsqrres=+dEtuRmsQ@mail.gmail.com> Date: Mon, 7 Sep 2015 14:56:16 -0700 From: Andy Lutomirski <luto@...capital.net> To: "Maciej W. Rozycki" <macro@...ux-mips.org> Cc: Paolo Bonzini <pbonzini@...hat.com>, Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>, Peter Zijlstra <peterz@...radead.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Willy Tarreau <w@....eu>, Steven Rostedt <rostedt@...dmis.org>, X86 ML <x86@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Thomas Gleixner <tglx@...utronix.de>, Brian Gerst <brgerst@...il.com> Subject: Re: Dealing with the NMI mess On Mon, Sep 7, 2015 at 12:30 PM, Maciej W. Rozycki <macro@...ux-mips.org> wrote: > On Mon, 7 Sep 2015, Andy Lutomirski wrote: > >> > These are all implementation-specific details, including the INT1 >> > instruction, which is why I am not at all surprised that they are omitted >> > from architecture manuals. >> >> That bit is BS, though. The INT1 instruction, executed in user mode >> (CPL3) with no hardware debugger attached, will enter the kernel >> through a gate at vector 1, *even if that gate has DPL == 0*. >> >> If there's an instruction that bypasses hardware protection >> mechanisms, then Intel should document it rather than relying on OS >> writers to know enough folklore to get it right. >> >> Heck, SDM Volume 3 6.12.1.1 says "The processor checks the DPL of the >> interrupt or trap gate only if an exception or interrupt is generated >> with an INT n, INT 3, or INTO instruction." It does not say "the >> processor does not check the DPL of the interrupt or trap gate if the >> exception or interrupt is generated with the undocumented ICEBP >> instruction." > > It does not have to be mentioned, because it's implied by how the #DB > exception is propagated: regardless of its origin it never checks the DPL. > And user-mode software may well use POPF at any time to set the TF bit in > the flags register to the same effect, so the OS needs to be prepared for > a #DB exception it hasn't scheduled itself anyway. Not really. int $1 checks DPL. Setting TF results in saved TF set and the corresponding bit in DR6 set as well. Triggering a #DB using the debug registers requires active OS help. So operating systems need to handle a #DB without no indicated cause without spewing warnings or crashing, and there is no indication whatsoever in the SDM or APM that this is the case. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists