Open Source and information security mailing list archives
 
Message-ID: <20171205181456.akycirziiuhb7crw@pd.tnic>
Date:   Tue, 5 Dec 2017 19:14:56 +0100
From:   Borislav Petkov <bp@...e.de>
To:     Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>
Cc:     qiaowei.ren@...el.com, luto@...nel.org, adam.buchbinder@...il.com,
        mst@...hat.com, mhiramat@...nel.org, dave.hansen@...ux.intel.com,
        mingo@...nel.org, linux-kernel@...r.kernel.org,
        colin.king@...onical.com, jslaby@...e.cz, pbonzini@...hat.com,
        cmetcalf@...lanox.com, akpm@...ux-foundation.org, vbabka@...e.cz,
        acme@...hat.com, brgerst@...il.com, shuah@...nel.org,
        paul.gortmaker@...driver.com, lstoakes@...il.com, hpa@...or.com,
        thgarnie@...gle.com, keescook@...omium.org,
        adrian.hunter@...el.com, ricardo.neri-calderon@...ux.intel.com,
        ray.huang@....com, dvyukov@...gle.com, ravi.v.shankar@...el.com,
        slaoub@...il.com, tglx@...utronix.de, corbet@....net,
        linux-tip-commits@...r.kernel.org
Subject: Re: [tip:x86/mpx] x86/insn-eval: Add utility function to get segment
 descriptor

On Tue, Dec 05, 2017 at 06:48:44PM +0100, Peter Zijlstra wrote:
> This is broken right? You unlock and then return @desc, which afaict can
> at that point get freed by free_ldt_struct().
> 
> Something like the below ought to cure; although it's not entirely
> pretty either.

Right.

Or, instead of introducing all the locking, we could also not do
anything because all that code runs inside fixup_umip_exception() so the
desc will be valid there.

But, if other code is going to use those functions - and I believe
that's the idea - otherwise they wouldn't be in arch/x86/lib/ - we
should convert all those functions to return directly the desc field
which is requested by the respective caller.

I.e., get_desc() will be called by a wrapper which returns desc base or
desc limit or whatever...

In the case where desc has been freed, it should return error, of
course.

How does that sound?

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
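
The wrapper approach proposed in this message, as an added example that is not code from the thread or from the kernel: a user-space model in which a pthread mutex and `struct ldt_model` stand in for the real LDT and its lock. The names `desc_copy()`, `desc_base()` and `ldt_model_free()` and the `-EINVAL` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model (assumption): a mutex-protected table stands in for the LDT. */
struct desc { uint32_t base, limit; };
struct ldt_model {
    pthread_mutex_t lock;
    struct desc *entries;     /* NULL once the table has been freed */
    unsigned int nr_entries;
};

/* Copy the entry while the lock is held, so no pointer outlives the lock. */
static int desc_copy(struct ldt_model *ldt, unsigned int idx, struct desc *out)
{
    int ret = -EINVAL;        /* assumed error code: bad index or freed table */

    pthread_mutex_lock(&ldt->lock);
    if (ldt->entries && idx < ldt->nr_entries) {
        *out = ldt->entries[idx];
        ret = 0;
    }
    pthread_mutex_unlock(&ldt->lock);
    return ret;
}

/* Wrapper: the caller gets only the field it asked for, or an error. */
int desc_base(struct ldt_model *ldt, unsigned int idx, uint32_t *base)
{
    struct desc d;
    int ret = desc_copy(ldt, idx, &d);

    if (!ret)
        *base = d.base;
    return ret;
}

/* Stands in for the free path (free_ldt_struct() in the thread). */
void ldt_model_free(struct ldt_model *ldt)
{
    pthread_mutex_lock(&ldt->lock);
    free(ldt->entries);
    ldt->entries = NULL;
    ldt->nr_entries = 0;
    pthread_mutex_unlock(&ldt->lock);
}
```

A wrapper for the limit would have the same shape as `desc_base()`; the point is that no caller ever holds a pointer into the table after the lock is dropped.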