Date:	Wed, 27 Jul 2016 17:20:59 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	mpatocka@...hat.com
Cc:	sparclinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sparc: round fault_address down to a page boundary

From: Mikulas Patocka <mpatocka@...hat.com>
Date: Fri, 8 Jul 2016 19:02:46 -0400 (EDT)

> This patch fixes the bug by rounding fault_address down to a page
> boundary.

Great analysis, but we need to modify the fix a little bit.

First of all, every use of ->fault_address potentially has this
problem.  So we should fix all such cases.

But this leads us to discover what the true root problem is in the
first place.  And this is that on CPUs where we use the TLB_TAG_ACCESS
register to get the fault address we end up with the context ID in the
lower 13 bits of the value.

Other methods of sourcing the value provide the proper full address
without any extraneous bits set (%tpc and hypervisor provided fault
addresses).

So the proper fix is to mask out the context ID bits when we read
the TLB_TAG_ACCESS with intent to store that value in the
current_thread_info()->fault_address member.

All of this is also why this bug doesn't show up on Niagara based
systems.
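The distinction drawn above between the two fixes, as an added C illustration that is not part of this thread and not kernel code: the TLB_TAG_ACCESS layout (virtual address in bits 63:13, context ID in bits 12:0) and the 8 KiB sparc64 base page size are assumed, and all register and address values are constructed. The point it shows is that masking once at the read site removes the context bits without touching addresses that arrive from %tpc or the hypervisor, whereas rounding at every use site would also discard their sub-page offset.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the TLB_TAG_ACCESS value (illustration only): the faulting
 * virtual address in bits 63:13 and the context ID in bits 12:0. */
#define CTX_BITS   13
#define CTX_MASK   ((uint64_t)((1ULL << CTX_BITS) - 1))
#define VA_MASK    (~CTX_MASK)

/* Assumed sparc64 base page size of 8 KiB (PAGE_SHIFT 13). */
#define PAGE_SHIFT 13
#define PAGE_MASK  (~(uint64_t)((1ULL << PAGE_SHIFT) - 1))

/* Build a constructed register image for a fault at `va` in context `ctx`. */
uint64_t make_tag_access(uint64_t va, uint64_t ctx)
{
    return (va & VA_MASK) | (ctx & CTX_MASK);
}

/* Source 1: TLB_TAG_ACCESS. The fix proposed in the reply masks the context ID
 * here, once, before the value is stored in fault_address. */
uint64_t fault_address_from_tag_access(uint64_t tag)
{
    return tag & VA_MASK;
}

/* The context ID that the raw register value carries in its low 13 bits. */
uint64_t context_from_tag_access(uint64_t tag)
{
    return tag & CTX_MASK;
}

/* Source 2: %tpc or a hypervisor-supplied fault address. Already a full
 * address with no extraneous bits, so it is stored unchanged. */
uint64_t fault_address_from_tpc(uint64_t tpc)
{
    return tpc;
}

/* The originally proposed fix, applied at a use site: round down to a page.
 * With 8 KiB pages this happens to clear the 13 context bits as well, but it
 * also throws away the byte offset of an address that came from %tpc. */
uint64_t round_down_to_page(uint64_t fault_address)
{
    return fault_address & PAGE_MASK;
}

int main(void)
{
    uint64_t va  = 0x0000000012346000ULL;  /* constructed page-aligned VA */
    uint64_t ctx = 0x0abcULL;             /* constructed 13-bit context ID */
    uint64_t tag = make_tag_access(va, ctx);

    printf("raw TLB_TAG_ACCESS : 0x%016llx\n", (unsigned long long)tag);
    printf("masked fault addr  : 0x%016llx\n",
           (unsigned long long)fault_address_from_tag_access(tag));
    printf("context ID         : 0x%llx\n",
           (unsigned long long)context_from_tag_access(tag));

    uint64_t tpc = 0x0000000012346ab4ULL; /* constructed instruction address */
    printf("tpc-sourced addr   : 0x%016llx (kept as-is)\n",
           (unsigned long long)fault_address_from_tpc(tpc));
    printf("rounded tpc addr   : 0x%016llx (offset lost)\n",
           (unsigned long long)round_down_to_page(tpc));
    return 0;
}
```

Running it prints the raw register image with the context ID visible in its low bits, the same value with those bits masked, and then the %tpc-style address once untouched and once after page rounding, which is where the two approaches diverge.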
