| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Jan 2018 15:43:08 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: Andy Lutomirski <luto@...nel.org>,
Lars Wendler <wendler.lars@....de>,
LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
Borislav Betkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>,
Greg KH <gregkh@...uxfoundation.org>,
Laura Abbott <labbott@...hat.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>
Subject: Re: CONFIG_PAGE_TABLE_ISOLATION=y on x86_64 causes gcc to segfault when building x86_32 binaries
> On Jan 3, 2018, at 2:22 PM, Thomas Gleixner <tglx@...utronix.de> wrote:
>
>> On Wed, 3 Jan 2018, Andy Lutomirski wrote:
>>
>>> On Wed, Jan 3, 2018 at 10:52 AM, Thomas Gleixner <tglx@...utronix.de> wrote:
>>>> On Wed, 3 Jan 2018, Thomas Gleixner wrote:
>>>>
>>>>> On Wed, 3 Jan 2018, Lars Wendler wrote:
>>>>> Am Wed, 3 Jan 2018 13:05:38 +0100 (CET)
>>>>> schrieb Thomas Gleixner <tglx@...utronix.de>:
>>>>>> Also can you please try Linus v4.15-rc6 with PTI enabled so we can see
>>>>>> whether that's a backport issue or a general one?
>>>>>
>>>>> Same problem with 4.15-rc6. So I suppose that means it's a general
>>>>> issue.
>>>>
>>>> Just a shot in the dark as I just decoded another issue on a AMD CPU. Can
>>>> you please try the patch below?
>>>
>>> Ok. Found the real issue. This is a problem on AMD boxen.
>>>
>>> Fix below.
>>>
>>> Can Xen folks please have a look at that as well?
>>>
>>> Thanks,
>>>
>>> tglx
>>>
>>> 8<-------------------
>>>
>>> arch/x86/entry/entry_64_compat.S | 13 ++++++-------
>>> 1 file changed, 6 insertions(+), 7 deletions(-)
>>>
>>> --- a/arch/x86/entry/entry_64_compat.S
>>> +++ b/arch/x86/entry/entry_64_compat.S
>>> @@ -190,8 +190,13 @@ ENTRY(entry_SYSCALL_compat)
>>> /* Interrupts are off on entry. */
>>> swapgs
>>>
>>> - /* Stash user ESP and switch to the kernel stack. */
>>> + /* Stash user ESP */
>>> movl %esp, %r8d
>>> +
>>> + /* Use %rsp as scratch reg. User ESP is stashed in r8 */
>>> + SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
>>> +
>>> + /* Switch to the kernel stack */
>>> movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
>>>
>>> /* Construct struct pt_regs on stack */
>>> @@ -220,12 +225,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram
>>> pushq $0 /* pt_regs->r15 = 0 */
>>>
>>> /*
>>> - * We just saved %rdi so it is safe to clobber. It is not
>>> - * preserved during the C calls inside TRACE_IRQS_OFF anyway.
>>> - */
>>> - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
>>> -
>>> - /*
>>> * User mode is traced as though IRQs are on, and SYSENTER
>>> * turned them off.
>>> */
>>
>> What's the issue that this is fixing?
>
>>> movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
>
> before switching CR3 is obviously broken ...
>
>
Duh.
This is what happens when we have five hundred versions of the patches and we change how it all works half way through. And the 0day bot doesn't test the AMD path.
>
Powered by blists - more mailing lists