| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Dec 2017 13:55:24 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Andy Lutomirski' <luto@...capital.net>,
Thomas Gleixner <tglx@...utronix.de>
CC: Ingo Molnar <mingo@...nel.org>, Andy Lutomirski <luto@...nel.org>,
Borislav Petkov <bp@...en8.de>, X86 ML <x86@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Brian Gerst <brgerst@...il.com>,
Kees Cook <keescook@...omium.org>,
Peter Zijlstra <peterz@...radead.org>
Subject: RE: [PATCH] LDT improvements
From: Andy Lutomirski
> Sent: 08 December 2017 13:20
...
> >> - It would also be a cleaner approach all around, and would avoid the fixmap
> >> complications and the scheduler muckery.
> >
> > The error code of such an access is always 0x03. So I added a special
> > handler, which checks whether the address is in the LDT map range and
> > verifies that the access bit in the descriptor is 0. If that's the case it
> > sets it and returns. If not, the thing dies. That works.
>
> What if you are in kernel mode and try to return to a context with SS or CS pointing to a non-accessed
> segment?
> Or what if you try to schedule to a context with fs or, worse, gs pointing to such a segment?
Well, the cpu will fault in kernel on the 'pop %xs' or 'iret' instruction.
These all (probably) happen on the kernel stack with the usergs loaded.
So the fault handler has to look at the opcodes and/or %pc value, sort
out the stack (etc) and then generate SIGSEGV.
I'm not sure the kernel needs to know why the segment selector is invalid.
David
Powered by blists - more mailing lists