Message-ID: <20171205212933.amf4pkpzgrjpdssw@pd.tnic>
Date:   Tue, 5 Dec 2017 22:29:33 +0100
From:   Borislav Petkov <bp@...e.de>
To:     Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        ricardo.neri-calderon@...ux.intel.com
Cc:     luto@...nel.org, adam.buchbinder@...il.com, mst@...hat.com,
        mhiramat@...nel.org, dave.hansen@...ux.intel.com, mingo@...nel.org,
        linux-kernel@...r.kernel.org, colin.king@...onical.com,
        jslaby@...e.cz, pbonzini@...hat.com, cmetcalf@...lanox.com,
        akpm@...ux-foundation.org, vbabka@...e.cz, acme@...hat.com,
        brgerst@...il.com, shuah@...nel.org, paul.gortmaker@...driver.com,
        lstoakes@...il.com, hpa@...or.com, thgarnie@...gle.com,
        keescook@...omium.org, adrian.hunter@...el.com, ray.huang@....com,
        dvyukov@...gle.com, ravi.v.shankar@...el.com, slaoub@...il.com,
        corbet@....net, linux-tip-commits@...r.kernel.org
Subject: Re: [tip:x86/mpx] x86/insn-eval: Add utility function to get segment
 descriptor

On Tue, Dec 05, 2017 at 07:38:45PM +0100, Peter Zijlstra wrote:
> Sorry what? So either this code is broken because it has IRQs enabled,
> or it's broken because it's trying to acquire a mutex with IRQs disabled.
> Which is it?

Well, lemme try to sum up what Peter, Thomas and I discussed on IRC:

The problem is that there's no guarantee userspace won't change the LDT
from under us while the UMIP code runs in the insn decoder.

So, we need a way to be able to query the desc fields the insn decoder
needs *and* when the LDT changes through the syscall, to detect that
case and handle it gracefully in the decoder.

So Thomas' idea is to keep a mm->context.ldt_seq sequence number which
gets incremented (and wraps around) every time an LDT changes.

That sequence number, i.e., cookie, gets handed down into the decoder
and it uses it during desc lookup. If the sequence number changes, the
decoder and the UMIP code must abort the emulation.

The lookup code needs to do that with IRQs disabled, of course, to
protect itself from IPIs which could change the LDT.

I *think* this is the gist of what we talked about, tglx, please correct
me if I missed something.

So, Ricardo, please take a look at fixing that as otherwise the UMIP
code would choke and possibly rely on wrong data. If there are any
questions, don't hesitate to ask.

Thanks.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
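
The sequence-number scheme summarized in the message above, as an added user-space example that is not part of the original message and is not kernel code. Every name except `ldt_seq` is hypothetical, and the model is single-threaded, so the IRQ-disabled section is only marked by a comment.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model; every name except ldt_seq is hypothetical. */
struct desc { uint32_t base, limit; };
struct mm_ctx {
    unsigned int ldt_seq;   /* bumped on every LDT change; unsigned, so it may wrap */
    struct desc ldt[4];
};

/* Models the syscall path that changes the LDT. */
static void ldt_write(struct mm_ctx *mm, size_t idx, struct desc d)
{
    mm->ldt[idx] = d;
    mm->ldt_seq++;
}

/* Descriptor lookup as the decoder would use it. In the kernel this section
 * would run with IRQs disabled; this model is single-threaded. */
static int ldt_lookup(const struct mm_ctx *mm, unsigned int cookie,
                      size_t idx, struct desc *out)
{
    if (mm->ldt_seq != cookie)
        return -EAGAIN;             /* LDT changed since the snapshot: abort */
    if (idx >= sizeof(mm->ldt) / sizeof(mm->ldt[0]))
        return -EINVAL;
    *out = mm->ldt[idx];
    return 0;
}

/* One emulation pass: snapshot the cookie, then do two lookups with it.
 * change_ldt simulates userspace modifying the LDT between the lookups. */
static int emulate(struct mm_ctx *mm, size_t idx, int change_ldt)
{
    unsigned int cookie = mm->ldt_seq;
    struct desc d;
    int ret = ldt_lookup(mm, cookie, idx, &d);
    if (ret)
        return ret;
    if (change_ldt)
        ldt_write(mm, idx, (struct desc){ .base = 0x1000, .limit = 0xfff });
    return ldt_lookup(mm, cookie, idx, &d);
}

int main(void)
{
    struct mm_ctx mm = { .ldt_seq = UINT_MAX };   /* constructed: next bump wraps to 0 */
    return (emulate(&mm, 1, 0) == 0 && emulate(&mm, 1, 1) == -EAGAIN) ? 0 : 1;
}
```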