lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <tip-ac461122c88a10b7d775de2f56467f097c9e627a@git.kernel.org> Date: Wed, 27 Dec 2017 15:06:24 -0800 From: tip-bot for Linus Torvalds <tipbot@...or.com> To: linux-tip-commits@...r.kernel.org Cc: rostedt@...dmis.org, bp@...en8.de, brgerst@...il.com, torvalds@...ux-foundation.org, luto@...nel.org, linux-kernel@...r.kernel.org, hpa@...or.com, jpoimboe@...hat.com, mingo@...nel.org, achirvasub@...il.com, dvlasenk@...hat.com, tglx@...utronix.de, peterz@...radead.org Subject: [tip:x86/urgent] x86-32: Fix kexec with stack canary (CONFIG_CC_STACKPROTECTOR) Commit-ID: ac461122c88a10b7d775de2f56467f097c9e627a Gitweb: https://git.kernel.org/tip/ac461122c88a10b7d775de2f56467f097c9e627a Author: Linus Torvalds <torvalds@...ux-foundation.org> AuthorDate: Wed, 27 Dec 2017 11:48:50 -0800 Committer: Thomas Gleixner <tglx@...utronix.de> CommitDate: Wed, 27 Dec 2017 20:59:41 +0100 x86-32: Fix kexec with stack canary (CONFIG_CC_STACKPROTECTOR) Commit e802a51ede91 ("x86/idt: Consolidate IDT invalidation") cleaned up and unified the IDT invalidation that existed in a couple of places. It changed no actual real code. Despite not changing any actual real code, it _did_ change code generation: by implementing the common idt_invalidate() function in archx86/kernel/idt.c, it made the use of the function in arch/x86/kernel/machine_kexec_32.c be a real function call rather than an (accidental) inlining of the function. That, in turn, exposed two issues: - in load_segments(), we had incorrectly reset all the segment registers, which then made the stack canary load (which gcc does using offset of %gs) cause a trap. Instead of %gs pointing to the stack canary, it will be the normal zero-based kernel segment, and the stack canary load will take a page fault at address 0x14. - to make this even harder to debug, we had invalidated the GDT just before calling idt_invalidate(), which meant that the fault happened with an invalid GDT, which in turn causes a triple fault and immediate reboot. Fix this by (a) not reloading the special segments in load_segments(). We currently don't do any percpu accesses (which would require %fs on x86-32) in this area, but there's no reason to think that we might not want to do them, and like %gs, it's pointless to break it. (b) doing idt_invalidate() before invalidating the GDT, to keep things at least _slightly_ more debuggable for a bit longer. Without a IDT, traps will not work. Without a GDT, traps also will not work, but neither will any segment loads etc. So in a very real sense, the GDT is even more core than the IDT. Fixes: e802a51ede91 ("x86/idt: Consolidate IDT invalidation") Reported-and-tested-by: Alexandru Chirvasitu <achirvasub@...il.com> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Thomas Gleixner <tglx@...utronix.de> Cc: Denys Vlasenko <dvlasenk@...hat.com> Cc: Peter Zijlstra <peterz@...radead.org> Cc: Brian Gerst <brgerst@...il.com> Cc: Steven Rostedt <rostedt@...dmis.org> Cc: Borislav Petkov <bp@...en8.de> Cc: Andy Lutomirski <luto@...nel.org> Cc: Josh Poimboeuf <jpoimboe@...hat.com> Cc: stable@...r.kernel.org Link: https://lkml.kernel.org/r/alpine.LFD.2.21.1712271143180.8572@i7.lan --- arch/x86/kernel/machine_kexec_32.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index 00bc751..edfede7 100644 --- a/arch/x86/kernel/machine_kexec_32.c +++ b/arch/x86/kernel/machine_kexec_32.c @@ -48,8 +48,6 @@ static void load_segments(void) "\tmovl $"STR(__KERNEL_DS)",%%eax\n" "\tmovl %%eax,%%ds\n" "\tmovl %%eax,%%es\n" - "\tmovl %%eax,%%fs\n" - "\tmovl %%eax,%%gs\n" "\tmovl %%eax,%%ss\n" : : : "eax", "memory"); #undef STR @@ -232,8 +230,8 @@ void machine_kexec(struct kimage *image) * The gdt & idt are now invalid. * If you want to load them you must set up your own idt & gdt. */ - set_gdt(phys_to_virt(0), 0); idt_invalidate(phys_to_virt(0)); + set_gdt(phys_to_virt(0), 0); /* now call it */ image->start = relocate_kernel_ptr((unsigned long)image->head,
Powered by blists - more mailing lists