| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Aug 2016 08:47:07 -0700 From: Vineet Gupta <Vineet.Gupta1@...opsys.com> To: Alexey Brodkin <Alexey.Brodkin@...opsys.com>, "liavr@...lanox.com" <liavr@...lanox.com> CC: "noamca@...lanox.com" <noamca@...lanox.com>, "linux-snps-arc@...ts.infradead.org" <linux-snps-arc@...ts.infradead.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "eladkan@...lanox.com" <eladkan@...lanox.com> Subject: Re: [PATCH] ARC: Change ld.as instruction to regular ld. On 08/16/2016 06:15 AM, Alexey Brodkin wrote: > Hi Liav, > > On Tue, 2016-08-16 at 10:55 +0300, Liav Rehana wrote: >> From: Liav Rehana <liavr@...lanox.com> >> >> The instruction ld.as takes as operands a base address and an offset, >> and doesn't access the sum of these two, but the sum of the base >> address and a shifted version of the offset. >> This isn't what we want in that case, since it causes a bug during >> the push and pop of r25, since his actual offset is given during >> resume_user_mode_begin. >> Thus, the use of ld solves this problem. >> >> Signed-off-by: Liav Rehana <liavr@...lanox.com> >> --- > > Very nice catch! > > But IMHO description could be improved a little bit. > Probably something like that: > --------------------->8--------------------- > "PT_user_r25" is offset in bytes within pt_regs structure. > > In its turn what "ld.as r1, [r2, x]" really does is > r1 <- load_from(r2 + (x << data_size)) = load_from(r2 + x*4). > > But the code in question is supposed to load_from(r2 + x). > > This leads to obvious stack corruption. > --------------------->8--------------------- Right - this is much better. A good changelog also needs to explain the context of problem. How does below sound ... --------> User mode callee regs are explicitly collected before signal delivery or breakpoint trap. r25 is special for kernel as it serves as task pointer, so user mode value is clobbered very early. It is saved in pt_regs where generally only scratch (caller saved) res are saved. The code to access the corresponding pt_regs location had a subtle bug as it was using load/store with scaling of offset, whereas the offset was already byte wise correct. So fix this by replacing LD.AS with a standard LD
Powered by blists - more mailing lists